diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index efe7a5e648..f9d982e542 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -142,7 +142,7 @@
 "locale": "en-us",
 "monikers": [],
 "moniker_ranges": [],
- "open_to_public_contributors": false,
+ "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
 "ManagedReference": "Content",
@@ -481,7 +481,8 @@
 "branches_to_filter": [
 ""
 ],
- "git_repository_url_open_to_public_contributors": "https://cpubwin.visualstudio.com/_git/it-client",
+ "git_repository_url_open_to_public_contributors": "https://github.com/MicrosoftDocs/windows-itpro-docs",
+ "git_repository_branch_open_to_public_contributors": "master",
 "skip_source_output_uploading": false,
 "need_preview_pull_request": true,
 "resolve_user_profile_using_github": true,
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index c6924029c5..50e104e045 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
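Review bot: Setting `"open_to_public_contributors": true` and pointing `git_repository_url_open_to_public_contributors` at the public GitHub repository widens who can submit changes, while the context line `"need_preview_pull_request": true` stays on, so preview builds would presumably be triggered by pull requests from outside contributors. Nothing in either hunk shows what gates those builds or merges into `master`; branch protection and required review on that repository should be confirmed before this lands. This applies to both hunks of this file, and the switch would be easier to audit and revert as its own commit than bundled with the redirect and content edits here. The enclosing objects begin and end outside both hunks.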
@@ -1,11 +1,116 @@
 {
 "redirections": [
 {
+"source_path": "windows/deployment/update/waas-windows-insider-for-business-aad.md",
+"redirect_url": "https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-add",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deployment/update/waas-windows-insider-for-business-faq.md",
+"redirect_url": "https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-get-started",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows.md",
+"redirect_url": "/windows/security/identity-protection/how-hardware-based-containers-help-protect-windows",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/encrypted-hard-drive.md",
+"redirect_url": "/windows/security/information-protection/encrypted-hard-drive",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/secure-the-windows-10-boot-process.md",
+"redirect_url": "/windows/security/information-protection/secure-the-windows-10-boot-process",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md",
+"redirect_url": "/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/change-the-tpm-owner-password.md",
+"redirect_url": "/windows/security/information-protection/tpm/change-the-tpm-owner-password",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/how-windows-uses-the-tpm.md",
+"redirect_url": "/windows/security/information-protection/tpm/how-windows-uses-the-tpm",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md",
+"redirect_url": "/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/manage-tpm-commands.md",
+"redirect_url": "/windows/security/information-protection/tpm/manage-tpm-commands",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/manage-tpm-lockout.md",
+"redirect_url": "/windows/security/information-protection/tpm/manage-tpm-lockout",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md",
+"redirect_url": "/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/tpm-fundamentals.md",
+"redirect_url": "/windows/security/information-protection/tpm/tpm-fundamentals",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/tpm-recommendations.md",
+"redirect_url": "/windows/security/information-protection/tpm/tpm-recommendations",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/trusted-platform-module-overview.md",
+"redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-overview",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md",
+"redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/trusted-platform-module-top-node.md",
+"redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-top-node",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deployment/update/waas-windows-insider-for-business.md",
+"redirect_url": "/windows-insider/at-work-pro/wip-4-biz-get-started",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/security/threat-protection/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set",
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/device-guard/device-guard-deployment-guide.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-if-server-agrees.md",
+"redirect_url": "/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-if-client-agress.md",
+"redirect_url": "/windows/security/threat-protectionsecurity-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/security/threat-protection/windows-defender-application-control.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control",
 "redirect_document_id": true
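Review bot: The added entry for `microsoft-network-server-digitally-sign-communications-if-client-agress.md` has a malformed target: `/windows/security/threat-protectionsecurity-policy-settings/...` is missing the `/` between `threat-protection` and `security-policy-settings`, so it does not match the path layout of the sibling client entry. It should read `"redirect_url": "/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees",`. The `agress` spelling in that entry's `source_path` is worth checking against the file's actual former name, since a redirect keyed on a path that was never published does nothing. The first two added entries also use absolute `https://docs.microsoft.com/en-us/...` targets while the later `waas-windows-insider-for-business.md` entry uses the site-relative `/windows-insider/...` form; the relative form avoids pinning the locale.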
@@ -441,11 +546,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/security/threat-protection/device-guard/deploy-windows-defender-application-control.md",
-"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/security/threat-protection/device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control",
 "redirect_document_id": true
@@ -5161,7 +5261,7 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1709.md",
+"source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1803.md",
 "redirect_url": "/windows/configuration/basic-level-windows-diagnostic-events-and-fields",
 "redirect_document_id": true
 },
@@ -5178,8 +5278,18 @@
 {
 "source_path": "education/windows/windows-10-pro-to-pro-edu-upgrade.md",
 "redirect_url": "/education/windows/switch-to-pro-education",
+"redirect_document_id": false
+},
+{
+"source_path": "education/windows/switch-to-pro-education.md",
+"redirect_url": "/education/windows/change-to-pro-education",
 "redirect_document_id": true
 },
+{
+ "source_path": "education/windows/swithc-to-pro-de.md",
+ "redirect_url": "/education/windows/switch-to-pro-education",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/client-management/mdm/policy-admx-backed.md",
 "redirect_url": "/windows/client-management/mdm/policy-configuration-service-provider",
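Review bot: The `@@ -5178` hunk creates a two-hop redirect: `windows-10-pro-to-pro-edu-upgrade.md` and the new `swithc-to-pro-de.md` entry both target `/education/windows/switch-to-pro-education`, and the same hunk redirects `switch-to-pro-education.md` on to `/education/windows/change-to-pro-education`. Pointing both at the final page, `"redirect_url": "/education/windows/change-to-pro-education",`, avoids the chain. The source name `swithc-to-pro-de.md` looks like a typo and should be checked against a path that was actually published, and that entry is indented differently from the rest of the file. The `@@ -5161` hunk has the same shape: the `-1803.md` source still targets `/windows/configuration/basic-level-windows-diagnostic-events-and-fields`, which a later hunk in this commit redirects on to `/windows/privacy/`.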
@@ -6297,7 +6407,7 @@
 },
 {
 "source_path": "windows/whats-new/device-guard-overview.md",
-"redirect_url": "/windows/whats-new/whats-new-windows-10-version-1507-and-1511",
+"redirect_url": "/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control",
 "redirect_document_id": false
 },
 {
@@ -6396,6 +6506,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/configuration/configure-devices-without-mdm.md",
+"redirect_url": "/windows/configuration/provisioning-packages/provisioning-packages",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/configure/configure-mobile.md",
 "redirect_url": "/windows/configuration/mobile-devices/configure-mobile",
 "redirect_document_id": true
@@ -6526,6 +6641,21 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/configuration/kiosk-shared-pc.md",
+"redirect_url": "/windows/configuration/kiosk-methods",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/configuration/setup-kiosk-digital-signage.md",
+"redirect_url": "/windows/configuration/kiosk-single-app",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/configuration/multi-app-kiosk-xml.md",
+"redirect_url": "/windows/configuration/kiosk-xml",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/configure/lock-down-windows-10-to-specific-apps.md",
 "redirect_url": "/windows/configuration/lock-down-windows-10-to-specific-apps",
 "redirect_document_id": true
@@ -8987,7 +9117,7 @@
 },
 {
 "source_path": "windows/keep-secure/device-guard-deployment-guide.md",
-"redirect_url": "/windows/device-security/device-guard/device-guard-deployment-guide",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide",
 "redirect_document_id": true
 },
 {
@@ -13456,11 +13586,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/update/waas-windows-insider-for-business-faq.md",
-"redirect_url": "/windows/deployment/update/waas-windows-insider-for-business-faq",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/update/waas-windows-insider-for-business.md",
 "redirect_url": "/windows/deployment/update/waas-windows-insider-for-business",
 "redirect_document_id": true
@@ -13605,8 +13730,70 @@
 "redirect_url": "/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection",
 "redirect_document_id": true
 },
-
-
-
+{
+"source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md",
+"redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1709.md",
+"redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields.md",
+"redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/configuration/configure-windows-diagnostic-data-in-your-organization.md",
+"redirect_url": "/windows/privacy/configure-windows-diagnostic-data-in-your-organization",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/configuration/diagnostic-data-viewer-overview.md",
+"redirect_url": "/windows/privacy/diagnostic-data-viewer-overview",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields.md",
+"redirect_url": "/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/configuration/gdpr-win10-whitepaper.md",
+"redirect_url": "/windows/privacy/gdpr-win10-whitepaper",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md",
+"redirect_url": "/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/configuration/manage-windows-endpoints-version-1709.md",
+"redirect_url": "/windows/privacy/manage-windows-endpoints",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/configuration/windows-diagnostic-data-1703.md",
+"redirect_url": "/windows/privacy/windows-diagnostic-data-1703",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/configuration/windows-diagnostic-data.md",
+"redirect_url": "/windows/privacy/windows-diagnostic-data",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deployment/upgrade/windows-10-edition-downgrades.md",
+"redirect_url": "/windows/deployment/upgrade/windows-10-edition-upgrades",
+"redirect_document_id": true
+},
+{
+"source_path": "education/windows/windows-automatic-redeployment.md",
+"redirect_url": "/education/windows/autopilot-reset",
+"redirect_document_id": true
+},
 ]
 }
diff --git a/[!NOTE] b/[!NOTE]
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/browsers/edge/Index.md b/browsers/edge/Index.md
deleted file mode 100644
index a18d463fa8..0000000000
--- a/browsers/edge/Index.md
+++ /dev/null
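Review bot: The last added entry ends with `},` immediately before the closing `]`, so the `redirections` array ends in a trailing comma, which strict JSON parsers reject. The removed side had the same shape, so the publishing build presumably tolerates it, but writing the final entry's close as `}` instead of `},` keeps the file loadable by ordinary JSON tooling and linters. Separately, this commit adds a file named `[!NOTE]` at the repository root with no content hunk (`index 0000000000..e69de29bb2`), which looks like an accidental artifact and probably should not be committed.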
@@ -1,72 +0,0 @@ ---- -description: Overview information about Microsoft Edge, the default browser for Windows 10. This topic includes links to other Microsoft Edge topics. -ms.assetid: 70377735-b2f9-4b0b-9658-4cf7c1d745bb -author: eross-msft -ms.prod: edge -ms.mktglfcycl: general -ms.sitesec: library -title: Microsoft Edge - Deployment Guide for IT Pros (Microsoft Edge for IT Pros) -ms.localizationpriority: high -ms.date: 10/16/2017 ---- - -# Microsoft Edge - Deployment Guide for IT Pros - -**Applies to:** - -- Windows 10 -- Windows 10 Mobile - ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). - -Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge also introduces new features like Web Note, Reading View, and Cortana that you can use along with your normal web browsing abilities. - -Microsoft Edge lets you stay up-to-date through the Microsoft Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools. - ->[!Note] ->For more info about the potential impact of using Microsoft Edge in a large organization, you can download an infographic from here: [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/download/details.aspx?id=55956). For a detailed report that provides you with a framework to evaluate the potential financial impact of adopting Microsoft Edge within your organization, you can download the full study here: [Total Economic Impact of Microsoft Edge: Forrester Study](https://www.microsoft.com/download/details.aspx?id=55847). - ->Also, if you've arrived here looking for Internet Explorer 11 content, you'll need to go to the [Internet Explorer 11 (IE11)](https://docs.microsoft.com/en-us/internet-explorer/) area. 
- -## In this section - -| Topic | Description | -| -----------------------| ----------------------------------- | -|[Change history for Microsoft Edge](change-history-for-microsoft-edge.md) |Lists new and updated topics in the Microsoft Edge documentation for both Windows 10 and Windows 10 Mobile. | -|[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Guidance about how to use both Microsoft Edge and Internet Explorer 11 in your enterprise.| -| [Microsoft Edge requirements and language support](hardware-and-software-requirements.md) |Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list.| -| [Available policies for Microsoft Edge](available-policies.md) |Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings.

Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain. | -| [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) |If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11.

Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. | -| [Security enhancements for Microsoft Edge](security-enhancements-microsoft-edge.md) |Microsoft Edge is designed with significant security improvements over existing browsers, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. | -|[Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md)|Answering frequently asked questions about Microsoft Edge features, integration, support, and potential problems. - -## Interoperability goals and enterprise guidance - -Our primary goal is that your modern websites work in Microsoft Edge. To that end, we've made Microsoft Edge the default browser. - -However, if you're running web apps that continue to use: - -* ActiveX controls - -* x-ua-compatible headers - -* <meta> tags - -* Enterprise mode or compatibility view to address compatibility issues - -* legacy document modes - -You'll need to keep running them using IE11. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can also use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11. For info about Enterprise Mode and Edge, see [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md). 
- -## Related topics - -- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/download/details.aspx?id=55956) - -- [Total Economic Impact of Microsoft Edge: Forrester Study](https://www.microsoft.com/download/details.aspx?id=55847) - -- [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956) - -- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760644) - -- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646) - diff --git a/browsers/edge/TOC.md b/browsers/edge/TOC.md index 9a9115a9ac..817f1bb1d4 100644 --- a/browsers/edge/TOC.md +++ b/browsers/edge/TOC.md 
@@ -1,9 +1,39 @@ -#[Microsoft Edge - Deployment Guide for IT Pros](index.md) -##[Change history for Microsoft Edge](change-history-for-microsoft-edge.md) -##[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) -##[Microsoft Edge requirements and language support](hardware-and-software-requirements.md) -##[Available policies for Microsoft Edge](available-policies.md) -##[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) -##[Security enhancements for Microsoft Edge](security-enhancements-microsoft-edge.md) -##[Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md) +# [Microsoft Edge deployment for IT Pros](index.yml) + +## [(Preview) New Microsoft Edge Group Policies and MDM settings](new-policies.md) + +## [(Preview) Deploy Microsoft Edge kiosk mode](microsoft-edge-kiosk-mode-deploy.md) + +## [Group policies & configuration options](group-policies/index.yml) +### [All group policies](available-policies.md) +### [Address bar settings](group-policies/address-bar-settings-gp.md) +### [Adobe settings](group-policies/adobe-settings-gp.md) +### [Books Library management](group-policies/books-library-management-gp.md) +### [Browser settings management](group-policies/browser-settings-management-gp.md) +### [Developer settings](group-policies/developer-settings-gp.md) +### [Extensions management](group-policies/extensions-management-gp.md) +### [Favorites management](group-policies/favorites-management-gp.md) +### [Home button settings](group-policies/home-button-gp.md) +### [Interoperability and enterprise guidance](group-policies/interoperability-enterprise-guidance-gp.md) +### [New tab page settings](group-policies/new-tab-page-settings-gp.md) +### [Prelaunch Microsoft Edge and preload tabs](group-policies/prelaunch-preload-gp.md) +### [Search engine customization](group-policies/search-engine-customization-gp.md) +### [Security and privacy 
management](group-policies/security-privacy-management-gp.md) +### [Start pages settings](group-policies/start-pages-gp.md) +### [Sync browser settings](group-policies/sync-browser-settings-gp.md) +### [Telemetry and data collection](group-policies/telemetry-management-gp.md) + + + +## [Change history for Microsoft Edge](change-history-for-microsoft-edge.md) + +## [System requirements](about-microsoft-edge.md#minimum-system-requirements) + +## [Supported languages](about-microsoft-edge.md#supported-languages) + + +## [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) + +## [Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md) + diff --git a/browsers/edge/about-microsoft-edge.md b/browsers/edge/about-microsoft-edge.md new file mode 100644 index 0000000000..16b748b6ed --- /dev/null +++ b/browsers/edge/about-microsoft-edge.md 
@@ -0,0 +1,159 @@ +--- +description: Overview information about Microsoft Edge, the default browser for Windows 10. This topic includes links to other Microsoft Edge topics. +ms.assetid: 70377735-b2f9-4b0b-9658-4cf7c1d745bb +author: shortpatti +ms.prod: edge +ms.mktglfcycl: general +ms.sitesec: library +title: Microsoft Edge for IT Pros +ms.localizationpriority: medium +ms.date: 07/29/2018 +--- + +# Microsoft Edge deployment for IT Pros +>Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile + +Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge lets you stay up-to-date through the Microsoft Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools. + + +>[!IMPORTANT] +>The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don’t include Microsoft Edge or many other Universal Windows Platform (UWP) apps. Systems running the LTSB operating systems do not support these apps because their services get frequently updated with new functionality. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. + + + +## Minimum system requirements +Some of the components might also need additional system resources. Check the component's documentation for more information. + + +| Item | Minimum requirements | +| ------------------ | -------------------------------------------- | +| Computer/processor | 1 gigahertz (GHz) or faster (32-bit (x86) or 64-bit (x64)) | +| Operating system |

**Note**
For specific Windows 10 Mobile requirements, see the [Minimum hardware requirements for Windows 10 Mobile](https://go.microsoft.com/fwlink/p/?LinkID=699266) topic. | +| Memory |

| +| Hard drive space | | +| DVD drive | DVD-ROM drive (if installing from a DVD-ROM) | +| Display | Super VGA (800 x 600) or higher-resolution monitor with 256 colors | +| Graphics card | Microsoft DirectX 9 or later with Windows Display Driver Model (WDDM) 1.0 driver | +| Peripherals | Internet connection and a compatible pointing device | + +  + +## Supported languages + + +Microsoft Edge supports all of the same languages as Windows 10, including: + + +| Language | Country/Region | Code | +| ------------------------ | -------------- | ------ | +| Afrikaans (South Africa) | South Africa | af-ZA | +| Albanian (Albania) | Albania | sq-AL | +| Amharic | Ethiopia | am-ET | +| Arabic (Saudi Arabia) | Saudi Arabia | ar-SA | +| Armenian | Armenia | hy-AM | +| Assamese | India | as-IN | +| Azerbaijani (Latin, Azerbaijan) | Azerbaijan | az-Latn-AZ | +| Bangla (Bangladesh) | Bangladesh | bn-BD | +| Bangla (India) | India | bn-IN | +| Basque (Basque) | Spain | eu-ES | +| Belarusian (Belarus) | Belarus | be-BY | +| Bosnian (Latin) | Bosnia and Herzegovina | bs-Latn-BA | +| Bulgarian (Bulgaria) | Bulgaria | bg-BG | +| Catalan (Catalan) | Spain | ca-ES | +| Central Kurdish (Arabic) | Iraq | ku-Arab-IQ | +| Cherokee (Cherokee) | United States | chr-Cher-US | +| Chinese (Hong Kong SAR) | Hong Kong Special Administrative Region | zh-HK | +| Chinese (Simplified, China) | People's Republic of China | zh-CN | +| Chinese (Traditional, Taiwan) | Taiwan | zh-TW | +| Croatian (Croatia) | Croatia | hr-HR | +| Czech (Czech Republic) | Czech Republic | cs-CZ | +| Danish (Denmark) | Denmark | da-DK | +| Dari | Afghanistan | prs-AF | +| Dutch (Netherlands) | Netherlands | nl-NL | +| English (United Kingdom) | United Kingdom | en-GB | +| English (United States) | United States | en-US | +| Estonian (Estonia) | Estonia | et-EE | +| Filipino (Philippines) | Philippines | fil-PH | +| Finnish (Finland) | Finland | fi_FI | +| French (Canada) | Canada | fr-CA | +| French (France) | France | fr-FR 
| +| Galician (Galician) | Spain | gl-ES | +| Georgian | Georgia | ka-GE | +| German (Germany) | Germany | de-DE | +| Greek (Greece) | Greece | el-GR | +| Gujarati | India | gu-IN | +| Hausa (Latin, Nigeria) | Nigeria | ha-Latn-NG | +| Hebrew (Israel) | Israel | he-IL | +| Hindi (India) | India | hi-IN | +| Hungarian (Hungary) | Hungary | hu-HU | +| Icelandic | Iceland | is-IS | +| Igbo | Nigeria | ig-NG | +| Indonesian (Indonesia) | Indonesia | id-ID | +| Irish | Ireland | ga-IE | +| isiXhosa | South Africa | xh-ZA | +| isiZulu | South Africa | zu-ZA | +| Italian (Italy) | Italy | it-IT | +| Japanese (Japan) | Japan | ja-JP | +| Kannada | India | kn-IN | +| Kazakh (Kazakhstan) | Kazakhstan | kk-KZ | +| Khmer (Cambodia) | Cambodia | km-KH | +| K'iche' | Guatemala | quc-Latn-GT | +| Kinyarwanda | Rwanda | rw-RW | +| KiSwahili | Kenya, Tanzania | sw-KE | +| Konkani | India | kok-IN | +| Korean (Korea) | Korea | ko-KR | +| Kyrgyz | Kyrgyzstan | ky-KG | +| Lao (Laos) | Lao P.D.R. | lo-LA | +| Latvian (Latvia) | Latvia | lv-LV | +| Lithuanian (Lithuania) | Lithuania | lt-LT | +| Luxembourgish (Luxembourg) | Luxembourg | lb-LU | +| Macedonian (Former Yugoslav Republic of Macedonia) | Macedonia (FYROM) | mk-MK | +| Malay (Malaysia) | Malaysia, Brunei, and Singapore | ms-MY | +| Malayalam | India | ml-IN | +| Maltese | Malta | mt-MT | +| Maori | New Zealand | mi-NZ | +| Marathi | India | mr-IN | +| Mongolian (Cyrillic) | Mongolia | mn-MN | +| Nepali | Federal Democratic Republic of Nepal | ne-NP | +| Norwegian (Nynorsk) | Norway | nn-NO | +| Norwegian, Bokmål (Norway) | Norway | nb-NO | +| Odia | India | or-IN | +| Polish (Poland) | Poland | pl-PL | +| Portuguese (Brazil) | Brazil | pt-BR | +| Portuguese (Portugal) | Portugal | pt-PT | +| Punjabi | India | pa-IN | +| Punjabi (Arabic) | Pakistan | pa-Arab-PK | +| Quechua | Peru | quz-PE | +| Romanian (Romania) | Romania | ro-RO | +| Russian (Russia) | Russia | ru-RU | +| Scottish Gaelic | United Kingdom | gd-GB | +| Serbian 
(Cyrillic, Bosnia, and Herzegovina) | Bosnia and Herzegovina | sr-Cyrl-BA | +| Serbian (Cyrillic, Serbia) | Serbia | sr-Cyrl-RS | +| Serbian (Latin, Serbia) | Serbia | sr-Latn-RS | +| Sesotho sa Leboa | South Africa | nso-ZA | +| Setswana (South Africa) | South Africa and Botswana | tn-ZA | +| Sindhi (Arabic) | Pakistan | sd-Arab-PK | +| Sinhala | Sri Lanka | si-LK | +| Slovak (Slovakia) | Slovakia | sk-SK | +| Slovenian (Slovenia) | Slovenia | sl-SL | +| Spanish (Mexico) | Mexico | es-MX | +| Spanish (Spain, International Sort) | Spain | en-ES | +| Swedish (Sweden) | Sweden | sv-SE | +| Tajik (Cyrillic) | Tajikistan | tg-Cyrl-TJ | +| Tamil (India) | India and Sri Lanka | ta-IN | +| Tatar | Russia | tt-RU | +| Telugu | India | te-IN | +| Thai (Thailand) | Thailand | th-TH | +| Tigrinya (Ethiopia) | Ethiopia | ti-ET | +| Turkish (Turkey) | Turkey | tr-TR | +| Turkmen | Turkmenistan | tk-TM | +| Ukrainian (Ukraine) | Ukraine | uk-UA | +| Urdu | Pakistan | ur-PK | +| Uyghur | People's Republic of China | ug-CN | +| Uzbek (Latin, Uzbekistan) | Uzbekistan | uz-Latn-UZ | +| Valencian | Spain | ca-ES-valencia | +| Vietnamese | Vietnam | vi-VN | +| Welsh | United Kingdom | cy-GB | +| Wolof | Senegal | wo-SN | +| Yoruba | Nigeria | yo-NG | +--- \ No newline at end of file diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index fcdd64629c..f21ac4a827 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md 
@@ -8,570 +8,154 @@ ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) -ms.localizationpriority: high -ms.date: 4/20/2018 #Previous release date 09/13/2017 +ms.localizationpriority: medium +ms.date: 07/20/2018 --- # Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge -> Applies to: Windows 10, Windows 10 Mobile +> Applies to: Windows 10, Windows 10 Mobile + +Set up a policy setting once and then copy that setting onto many computers. + + Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that is linked to a domain, and then apply all of those settings to every computer in the domain. > [!NOTE] -> For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924). 
+> For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924). -Microsoft Edge works with the following Group Policy settings to help you manage your company's web browser configurations. The Group Policy settings are found in the Group Policy Editor in the following location: -Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\ +>*You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor:* +> +>      *Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\* +

+ +## Allow a shared books folder +[!INCLUDE [allow-shared-folder-books-include.md](includes/allow-shared-folder-books-include.md)] ## Allow Address bar drop-down list suggestions ->*Supporteded versions: Windows 10, version 1703 or later* +[!INCLUDE [allow-address-bar-suggestions-include.md](includes/allow-address-bar-suggestions-include.md)] -The Address bar drop-down list, when enabled, allows the Address bar drop-down functionality in Microsoft Edge. By default, this policy is enabled. If disabled, you do not see the address bar drop-down functionality and disables the user-defined policy "Show search and site suggestions as I type." Therefore, because search suggestions are shown in the drop-down, this policy takes precedence over the [Configure search suggestions in Address bar](https://review.docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies?branch=pashort_edge-backlog_vsts15846461#configure-search-suggestions-in-address-bar) or [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) policy. - -If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend that you disable this policy. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowAddressBarDropdown](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowaddressbardropdown) | -|Supported devices |Desktop | -|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown | -|Data type | Integer | -|Allowed values |

| - - -## Allow Adobe Flash ->*Supporteded version: Windows 10* - -Adobe Flash is integrated with Microsoft Edge and is updated via Windows Update. By default, this policy is enabled or not configured allowing you to use Adobe Flash Player in Microsoft Edge. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowFlash](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflash) | -|Supported devices |Desktop | -|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AllowAdobeFlash | -|Data type | Integer | -|Allowed values | | +## Allow Adobe Flash +[!INCLUDE [allow-adobe-flash-include.md](includes/allow-adobe-flash-include.md)] ## Allow clearing browsing data on exit ->*Supporteded versions: Windows 10, version 1703* - -Your browsing data is the information that Microsoft Edge remembers and stores as you browse websites. Browsing data includes information you entered into forms, passwords, and the websites you visited. By default, this policy is disabled or not configured, the browsing data is not cleared when exiting. When this policy is disabled or not configured, you can turn on and configure the Clear browsing data option under Settings. 
- - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[ClearBrowsingDataOnExit](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-clearbrowsingdataonexit) | -|Supported devices |Desktop | -|URI full path | ./Vendor/MSFT/Policy/Config/Browser/ClearBrowsingDataOnExit | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [allow-clearing-browsing-data-include.md](includes/allow-clearing-browsing-data-include.md)] +## Allow configuration updates for the Books Library +[!INCLUDE [allow-config-updates-books-include.md](includes/allow-config-updates-books-include.md)] ## Allow Cortana ->*Supported versions: Windows 10, version 1607 or later* - -Cortana is integrated with Microsoft Edge, and when enabled, Cortana allows you use the voice assistant on your device. If disabled, Cortana is not available for use, but you can search to find items on your device. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowCortana](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | -|Supported devices |Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowCortana | -|Location |Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortana | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [allow-cortana-include.md](includes/allow-cortana-include.md)] ## Allow Developer Tools ->*Supporteded versions: Windows 10, version 1511 or later* - -F12 developer tools is a suite of tools to help you build and debug your webpage. By default, this policy is enabled making the F12 Developer Tools availabe to use. 
- -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowDeveloperTools](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [allow-dev-tools-include.md](includes/allow-dev-tools-include.md)] +## Allow extended telemetry for the Books tab +[!INCLUDE [allow-ext-telemetry-books-tab-include.md](includes/allow-ext-telemetry-books-tab-include.md)] ## Allow Extensions ->*Supporteded versions: Windows 10, version 1607 or later* - -If you enable this policy, you can personalize and add new features to Microsoft Edge with extensions. By default, this policy is enabled. If you want to prevent others from installing unwanted extensions, disable this policy. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowExtensions | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [allow-extensions-include.md](includes/allow-extensions-include.md)] ## Allow InPrivate browsing ->*Supporteded versions: Windows 10, version 1511 or later* - -InPrivate browsing, when enabled, prevents your browsing data is not saved on your device. Microsoft Edge deletes temporary data from your device after all your InPrivate tabs are closed. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowInPrivate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowInPrivate | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [allow-inprivate-browsing-include.md](includes/allow-inprivate-browsing-include.md)] ## Allow Microsoft Compatibility List ->*Supporteded versions: Windows 10, version 1703 or later* - -Microsoft Edge uses the compatibility list that helps websites with known compatibility issues display properly. When enabled, Microsoft Edge checks the list to determine if the website has compatibility issues during browser navigation. By default, this policy is enabled allowing periodic downloads and installation of updates. Visiting any site on the Microsoft compatibility list prompts the employee to use Internet Explorer 11, where the site renders as though it is in whatever version of IE is necessary for it to appear properly. If disabled, the compatibility list is not used. - - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowMicrosoftCompatibilityList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowMicrosoftCompatibilityList | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [allow-microsoft-compatibility-list-include.md](includes/allow-microsoft-compatibility-list-include.md)] ## Allow search engine customization ->*Supported versions: Windows 10, version 1703 or later* - -This policy setting allows search engine customization for domain-joined or MDM-enrolled devices only. For example, you can change the default search engine or add a new search engine. By default, this setting is enabled allowing you to add new search engines and change the default under Settings. If disabled, you cannot add search enginess or change the default. - -For more information, see [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy). - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowSearchEngineCustomization](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowSearchEngineCustomization | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [allow-search-engine-customization-include.md](includes/allow-search-engine-customization-include.md)] ## Allow web content on New Tab page ->*Supported versions: Windows 10* +[!INCLUDE [allow-web-content-new-tab-page-include.md](includes/allow-web-content-new-tab-page-include.md)] -This policy setting lets you configure what appears when a New Tab page is opened in Microsoft Edge. By default, this setting is disabled or not configured, which means you cannot customize their New Tab page. If enabled, you can customize their New Tab page. - - -## Always Enable book library ->*Supporteded versions: Windows 10, version 1709 or later* - -This policy settings specifies whether to always show the Books Library in Microsoft Edge. By default, this setting is disabled, which means the library is only visible in countries or regions where available. if enabled, the Books Library is always shown regardless of countries or region of activation. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AlwaysEnableBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | -|Supported devices |Desktop
Mobile | -|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary | -|Data type | Integer | -|Allowed values | | +## Always show the Books Library in Microsoft Edge +[!INCLUDE [always-enable-book-library-include.md](includes/always-enable-book-library-include.md)] ## Configure additional search engines ->*Supported versions: Windows 10, version 1703 or later* - -This policy setting, when enabled, lets you add up to five additional search engines. Employees cannot remove these search engines, but they can set any one as the default. By default, this setting is not configured and does not allow additional search engines to be added. If disabled, the search engines added are deleted. - -For each additional search engine you add, specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). - -This setting does not set the default search engine. For that, you must use the "Set default search engine" setting. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[ConfigureAdditionalSearchEngines](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/ConfigureAdditionalSearchEngines | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [configure-additional-search-engines-include.md](includes/configure-additional-search-engines-include.md)] ## Configure Autofill ->*Supported versions: Windows 10* - -This policy setting specifies whether AutoFill on websites is allowed. By default, this setting is not configured allowing you to choose whether or not to use AutoFill. If enabled, AutoFill is used. If disabled, AutoFill is not used. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowAutofill](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowAutofill | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [configure-autofill-include.md](includes/configure-autofill-include.md)] ## Configure cookies ->*Supported versions: Windows 10* - -This policy setting specifies whether cookies are allowed. By default, this setting is enabled with the Block all cookies and Block only 3rd-party cookies options available. If disabled or not configured, all cookies are allowed from all sites. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowCookies](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowcookies) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowCookies | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [configure-cookies-include.md](includes/configure-cookies-include.md)] ## Configure Do Not Track ->*Supported versions: Windows 10* - -This policy setting specifies whether Do Not Track requests to websites is allowed. By default, this setting is not configured allowing you to choose whether or not to send tracking information. If enabled, Do Not Track requests are always sent to websites asking for tracking information. If disabled, Do Not Track requests are never sent. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowDoNotTrack](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack | -|Data type | Integer | -|Allowed values | | - +[!INCLUDE [configure-do-not-track-include.md](includes/configure-do-not-track-include.md)] ## Configure Favorites ->*Supported versions: Windows 10, version 1709* - -This policy setting allows you to configure a default list of Favorites that appear for your employee, which they cannot modify, sort, move, export or delete. By default, this setting is disabled or not configured allowing you to customize the Favorites list, such as adding folders to organize their favorites. If enabled, you are not allowed to add, import, or change anything in the Favorites list. As part of this, the Save a Favorite, Import settings, and context menu items (such as Create a new folder) are turned off. - -Specify the URL which points to the file that has all the data for provisioning favorites (in html format). - -URL can be specified as: -- HTTP location: "SiteList"="http://localhost:8080/URLs.html" -- Local network: "SiteList"="\network\shares\URLs.html" -- Local file: "SiteList"="file:///c:\Users\\Documents\URLs.html" - -You can export a set of favorites from Edge and use that html file for provisioning user machines. - ->[!Important] ->Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops you from syncing their favorites between Internet Explorer and Microsoft Edge. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[ProvisionFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites | -|Data type | String | - +[!INCLUDE [configure-favorites-include.md](includes/configure-favorites-include.md)] ## Configure Password Manager ->*Supported versions: Windows 10* - -This policy setting specifies whether saving and managing passwords locally on the device is allowed. By default, this setting is enabled allowing you to save their passwords locally. If not configured, you can choose whether or not to save and manage passwords locally. If disabled, saving and managing passwords locally is turned off. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [configure-password-manager-include.md](includes/configure-password-manager-include.md)] ## Configure Pop-up Blocker ->*Supported versions: Windows 10* - -This policy setting specifies whether pop-up blocker is allowed or enabled. By default, pop-up blocker is turned on. If not configured, you can choose whether to turn on or turn off pop-up blocker. If disabled, pop-up blocker is turned off. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowPopups](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowPopups | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [configure-pop-up-blocker-include.md](includes/configure-pop-up-blocker-include.md)] ## Configure search suggestions in Address bar ->*Supported versions: Windows 10* - -This policy setting specifies whether search suggestions are allowed in the address bar. By default, this setting is not configured allowing you to choose whether search suggestions appear in the address bar. If enabled, search suggestions appear. If disabled, search suggestions do not appear. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [configure-search-suggestions-address-bar-include.md](includes/configure-search-suggestions-address-bar-include.md)] ## Configure Start pages ->*Supported versions: Windows 10, version 1511 or later* - -This policy setting specifies your Start pages for domain-joined or MDM-enrolled devices. By default, this setting is disabled or not configured. Therefore, the Start page is the webpages specified in App settings. If enabled, you can configure one or more corporate Start pages. If enabling this setting, you must include URLs separating multiple pages by using XML-escaped characters < and >, for example, **<\support.contoso.com><\support.microsoft.com>**. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/HomePages | -|Data type |String | -|Allowed values |Configure the Start page (previously known as Home page) URLs for your you. | +[!INCLUDE [configure-start-pages-include.md](includes/configure-start-pages-include.md)] ## Configure the Adobe Flash Click-to-Run setting ->*Supported versions: Windows 10, version 1703 or later* - -This policy setting specifies whether you must take action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. By default, this setting is enabled. when the setting is enabled, you must click the content, Click-to-Run button, or have the site appear on an auto-allow list before before the Adobe Flash content loads. If disabled, Adobe Flash loads and runs automatically. 
- -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowFlashClickToRun](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowFlashClickToRun | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [configure-adobe-flash-click-to-run-include.md](includes/configure-adobe-flash-click-to-run-include.md)] ## Configure the Enterprise Mode Site List ->*Supported versions: Windows 10* - -This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps. By default, this setting is disabled or not configured, which means the Enterprise Mode Site List is not used. In this case, you might experience compatibility problems while using legacy apps. If enabled, you must add the location to your site list in the **{URI}** box. when enabled, Microsoft Edge looks for the Enterprise Mode Site List XML file, which includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode. - ->[!Note] ->If there is a .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server has a different version number than the version in the cache container, the server file is used and stored in the cache container.

->If you already use a site list, enterprise mode continues to work during the 65-second wait; it just uses the existing site list instead of the new one. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[EnterpriseModeSiteList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList | -|Data type | String | -|Allowed values | | +[!INCLUDE [configure-enterprise-mode-site-list-include.md](includes/configure-enterprise-mode-site-list-include.md)] ## Configure Windows Defender SmartScreen ->*Supported versions: Windows 10* - -This policy setting specifies whether Windows Defender SmartScreen is allowed. By default, this setting is enabled or turned on and you cannot turn it off. If disabled, Windows Defender SmartScreen is turned off and you cannot turn it on. If not configured, you can choose whether to use Windows Defender SmartScreen. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [configure-windows-defender-smartscreen-include.md](includes/configure-windows-defender-smartscreen-include.md)] ## Disable lockdown of Start pages ->*Supported versions: Windows 10, version 1703 or later* +[!INCLUDE [disable-lockdown-of-start-pages-include.md](includes/disable-lockdown-of-start-pages-include.md)] -This policy setting specifies whether the lockdown on the Start pages is disabled on domain-joined or MDM-enrolled devices. By default, this policy is enabled locking down the Start pages according to the settings specified in the Browser/HomePages policy. When enabled, users cannot change the Start pages. If disabled, users can modify the Start pages. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[DisableLockdownOfStartPages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/DisableLockdownOfStartPages | -|Data type | Integer | -|Allowed values | | - - ## Do not sync ->*Supported versions: Windows 10* - -This policy setting specifies whether you can use the Sync your Settings option to sync their settings to and from their device. By default, this setting is disabled or not configured, which means the Sync your Settings options are turned on, letting you pick what can sync on their device. If enabled, the Sync your Settings options are turned off and none of the Sync your Setting groups are synced on the device. You can use the Allow users to turn syncing on option to turn the feature off by default, but to let the employee change this setting. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). 
- -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings | -|Location |Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [do-not-sync-include.md](includes/do-not-sync-include.md)] ## Do not sync browser settings ->*Supported versions: Windows 10* - -This policy setting specifies whether a browser group can use the Sync your Settings options to sync their information to and from their device. Settings include information like History and Favorites. By default, this setting is disabled or not configured, which means the Sync your Settings options are turned on, letting browser groups pick what can sync on their device. If enabled, the Sync your Settings options are turned off so that browser groups are unable to sync their settings and info. You can use the Allow users to turn browser syncing on option to turn the feature off by default, but to let the employee change this setting. +[!INCLUDE [do-not-sync-browser-settings-include.md](includes/do-not-sync-browser-settings-include.md)] ## Keep favorites in sync between Internet Explorer and Microsoft Edge ->*Supported versions: Windows 10, version 1703 or later* - -This policy setting specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including additions, deletions, modifications, and ordering. By default, this setting is disabled or not configured. When disabled or not configured, you cannot sync their favorites. If enabled, you can sync their favorites and stops Microsoft Edge favorites from syncing between connected Windows 10 devices. 
This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [keep-fav-sync-ie-edge-include.md](includes/keep-fav-sync-ie-edge-include.md)] ## Prevent access to the about:flags page ->*Supported versions: Windows 10, version 1607 or later* - -This policy setting specifies whether you can access the about:flags page, which is used to change developer settings and to enable experimental features. By default, this setting is disabled or not configured, which means you can access the about:flags page. If enabled, you cannot access the about:flags page. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [prevent-access-about-flag-include.md](includes/prevent-access-about-flag-include.md)] ## Prevent bypassing Windows Defender SmartScreen prompts for files ->*Supported versions: Windows 10, version 1511 or later* - -This policy setting specifies whether you can override the Windows Defender SmartScreen warnings about downloading unverified files. By default, this setting is disabled or not configured (turned off), which means you can ignore the warnings and can continue the download process. 
If enabled (turned on), you cannot ignore the warnings and blocks them from downloading unverified files. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) | -|Supported devices |Desktop
Mobile | -|URI full path | ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [prevent-bypassing-win-defender-files-include.md](includes/prevent-bypassing-win-defender-files-include.md)] ## Prevent bypassing Windows Defender SmartScreen prompts for sites ->*Supported versions: Windows 10, version 1511 or later* - -This policy setting specifies whether you can override the Windows Defender SmartScreen warnings about potentially malicious websites. By default, this setting is disabled or not configured (turned off), which means you can ignore the warnings and allows them to continue to the site. If enabled (turned on), you cannot ignore the warnings and blocks them from continuing to the site. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[PreventSmartScreenPromptOverride](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [prevent-bypassing-win-defender-sites-include.md](includes/prevent-bypassing-win-defender-sites-include.md)] ## Prevent changes to Favorites on Microsoft Edge ->*Supported versions: Windows 10, version 1709* - -This policy setting specifies whether you can add, import, sort, or edit the Favorites list in Microsoft Edge. By default, this setting is disabled or not configured (turned on), which means the Favorites list is not locked down and you can make changes to the Favorites list. If enabled, you cannot make changes to the Favorites list. Also, the Save a Favorite, Import settings, and the context menu items, such as Create a new folder, are turned off. - ->[!Important] ->Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops you from syncing their favorites between Internet Explorer and Microsoft Edge. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[LockdownFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/LockdownFavorites | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [prevent-changes-to-favorites-include.md](includes/prevent-changes-to-favorites-include.md)] ## Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start ->*Supported versions: Windows 10, version 1703 or later* - -This policy setting specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. By default, this setting is disabled or not configured (turned off), which means Microsoft servers are contacted if a site is pinned. If enabled (turned on), Microsoft servers are not contacted if a site is pinned. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[PreventLiveTileDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/PreventLiveTileDataCollection | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [prevent-live-tile-pinning-start-include](includes/prevent-live-tile-pinning-start-include.md)] ## Prevent the First Run webpage from opening on Microsoft Edge ->*Supported versions: Windows 10, version 1703 or later* - -This policy setting specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, the First Run webpage hosted on microsoft.com opens automatically. This policy allows enterprises, such as those enrolled in a zero-emissions configuration, to prevent this page from opening. By default, this setting is disabled or not configured (turned off), which means you see the First Run page. If enabled (turned on), the you do not see the First Run page. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[PreventFirstRunPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) | -|Supported devices |Desktop
Mobile | -|URI full path | ./Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [prevent-first-run-webpage-open-include.md](includes/prevent-first-run-webpage-open-include.md)] ## Prevent using Localhost IP address for WebRTC ->*Supported versions: Windows 10, version 1511 or later* - - -This policy setting specifies whether localhost IP address are visible or hiddle while making phone calls to the WebRTC protocol. By default, this setting is disabled or not configured (turned off), which means the localhost IP address are visible. If enabled (turned on), localhost IP addresses are hidden. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [prevent-localhost-address-for-webrtc-include.md](includes/prevent-localhost-address-for-webrtc-include.md)] +## Provision Favorites +[!INCLUDE [provision-favorites-include](includes/provision-favorites-include.md)] ## Send all intranet sites to Internet Explorer 11 ->*Supported versions: Windows 10* - - -This policy setting specifies whether to send intranet traffic to Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge. By default, this setting is disabled or not configured (turned off), which means all websites, including intranet sites, open in Microsoft Edge. If enabled, all intranet sites are opened in Internet Explorer 11 automatically. 
- -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [send-all-intranet-sites-ie-include.md](includes/send-all-intranet-sites-ie-include.md)] ## Set default search engine ->*Supported versions: Windows 10, version 1703 or later* - - -This policy setting allows you to configure the default search engine for domain-joined or MDM-enrolled devices. By default, this setting is not configured, which means the default search engine is specified in App settings. In this case, you can change the default search engine at any time unless you disable the "Allow search engine customization" setting, which restricts any changes. If enabled, you can configure a default search engine for you. When enabled, you cannot change the default search engine. If disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. - -To set the default search engine, you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see Search provider discovery. If you'd like your you to use the default Microsoft Edge settings for each market, you can set the string to EDGEDEFAULT. If you'd like your you to use Microsoft Bing as the default search engine, you can set the string to EDGEBING. 
- -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[SetDefaultSearchEngine](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) | -|Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine | -|Data type | Integer | -|Allowed values | | +[!INCLUDE [set-default-search-engine-include.md](includes/set-default-search-engine-include.md)] ## Show message when opening sites in Internet Explorer ->*Supported versions: Windows 10, version 1607 and later* - - -This policy setting specifies whether you see an additional page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List. By default, this policy is disabled, which means no additional pages display. If enabled, you see an additional page. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[ShowMessageWhenOpeningInteretExplorerSites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInteretExplorer | -|Data type | Integer | -|Allowed values | | - +[!INCLUDE [show-message-opening-sites-ie-include.md](includes/show-message-opening-sites-ie-include.md)] diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md index 1958fa170c..2af18fcf6f 100644 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ b/browsers/edge/change-history-for-microsoft-edge.md 
@@ -4,14 +4,19 @@ description: This topic lists new and updated topics in the Microsoft Edge docum ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library -ms.localizationpriority: high -ms.date: 09/19/2017 +ms.localizationpriority: medium +ms.date: '' +ms.author: pashort +author: shortpatti --- # Change history for Microsoft Edge -This topic lists new and updated topics in the Microsoft Edge documentation for both Windows 10 and Windows 10 Mobile. +Discover what's new and updated in the Microsoft Edge for both Windows 10 and Windows 10 Mobile. -For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/microsoft-edge/platform/changelog/). + + + +# [2017](#tab/2017) ## September 2017 |New or changed topic | Description | 
@@ -23,23 +28,22 @@ For a detailed feature list of what's in the current Microsoft Edge releases, th |----------------------|-------------| |[Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](available-policies.md) |Added new Group Policy and MDM settings for the Windows Insider Program. Reformatted for easier readability outside of scrolling table. | + +# [2016](#tab/2016) + ## November 2016 |New or changed topic | Description | |----------------------|-------------| |[Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Added the infographic image and a download link.| |[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) |Added a note about the 65 second wait before checking for a newer version of the site list .XML file. | |[Available policies for Microsoft Edge](available-policies.md) |Added notes to the Configure the Enterprise Mode Site List Group Policy and the EnterpriseModeSiteList MDM policy about the 65 second wait before checking for a newer version of the site list .XML file. | -|[Microsoft Edge - Deployment Guide for IT Pros](index.md) |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. | +|Microsoft Edge - Deployment Guide for IT Pros |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. | |[Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. 
| ## July 2016 |New or changed topic | Description | |----------------------|-------------| |[Microsoft Edge requirements and language support](hardware-and-software-requirements.md)| Updated to include a note about the Long Term Servicing Branch (LTSB). | - -## July 2016 -|New or changed topic | Description | -|----------------------|-------------| |[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) | Content moved from What's New section. | |[Available policies for Microsoft Edge](available-policies.md) |Updated | @@ -54,3 +58,5 @@ For a detailed feature list of what's in the current Microsoft Edge releases, th |New or changed topic | Description | |----------------------|-------------| |[Available Policies for Microsoft Edge](available-policies.md) | Added new policies and the Supported versions column for Windows 10 Insider Preview. | + +--- \ No newline at end of file diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json index 31eafa6401..b3be0aa999 100644 --- a/browsers/edge/docfx.json +++ b/browsers/edge/docfx.json @@ -19,7 +19,7 @@ "ROBOTS": "INDEX, FOLLOW", "ms.technology": "microsoft-edge", "ms.topic": "article", - "ms.author": "lizross", + "ms.author": "shortpatti", "ms.date": "04/05/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md index fc8a612b80..3f8deb3963 100644 --- a/browsers/edge/emie-to-improve-compatibility.md +++ b/browsers/edge/emie-to-improve-compatibility.md @@ -8,7 +8,7 @@ ms.mktglfcycl: support ms.sitesec: library ms.pagetype: appcompat title: Use Enterprise Mode to improve compatibility (Microsoft Edge for IT Pros) -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/15/2018 --- 
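Review bot: In the browsers/edge/docfx.json hunk, the new default `"ms.author": "shortpatti"` looks like the GitHub handle rather than the Microsoft alias. Every front-matter block added elsewhere in this commit pairs `author: shortpatti` with `ms.author: pashort`. If the publishing pipeline uses ms.author for ownership or feedback routing (not visible here), articles without their own ms.author would inherit a value that may not resolve. Consider `"ms.author": "pashort"`. The enclosing metadata object starts and ends outside the hunk, so any `author` default cannot be checked from here.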
@@ -43,14 +43,14 @@ Microsoft Edge doesn't support ActiveX controls, Browser Helper Objects, VBScrip ### Set up Microsoft Edge to use the Enterprise Mode site list -You must turn on the **Use Enterprise Mode Site List** Group Policy setting before Microsoft Edge can use the Enterprise Mode site list. This Group Policy applies to both Microsoft Edge and IE11, letting Microsoft Edge switch to IE11 as needed, based on the Enterprise Mode site list. For more info about IE11 and Enterprise Mode, see [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). +You must turn on the **Configure the Enterprise Mode Site List** Group Policy setting before Microsoft Edge can use the Enterprise Mode site list. This Group Policy applies to both Microsoft Edge and IE11, letting Microsoft Edge switch to IE11 as needed, based on the Enterprise Mode site list. For more info about IE11 and Enterprise Mode, see [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). > **Note**
> If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.

If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. **To turn on Enterprise Mode using Group Policy** -1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Allows you to configure the Enterprise Mode Site list** setting.

Turning this setting on also requires you to create and store a site list.

![Local Group Policy Editor for using a site list](images/edge-emie-grouppolicysitelist.png) +1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Enterprise Mode Site List** policy.

Turning this setting on also requires you to create and store a site list.

![Local Group Policy Editor for using a site list](images/edge-emie-grouppolicysitelist.png) 2. Click **Enabled**, and then in the **Options** area, type the location to your site list. diff --git a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md index e699a000e8..010a44e44b 100644 --- a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md +++ b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md @@ -1,12 +1,12 @@ --- title: Microsoft Edge and Internet Explorer 11 (Microsoft Edge for IT Pros) description: Enterprise guidance for using Microsoft Edge and Internet Explorer 11. -author: eross-msft +author: shortpatti ms.prod: edge ms.mktglfcycl: support ms.sitesec: library ms.pagetype: appcompat -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 10/16/2017 --- diff --git a/browsers/edge/group-policies/address-bar-settings-gp.md b/browsers/edge/group-policies/address-bar-settings-gp.md new file mode 100644 index 0000000000..a35d719d37 --- /dev/null +++ b/browsers/edge/group-policies/address-bar-settings-gp.md 
@@ -0,0 +1,25 @@
+---
+title: Microsoft Edge - Address bar settings
+description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result.
+services:
+keywords: Don’t add or edit keywords without consulting your SEO champ.
+author: shortpatti
+ms.author: pashort
+ms.date: 07/29/2018
+ms.topic: article
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Address bar settings
+>*Supported versions: Microsoft Edge on Windows 10*
+
+
+
+
+## Allow Address bar drop-down list suggestions
+[!INCLUDE [allow-address-bar-suggestions-include.md](../includes/allow-address-bar-suggestions-include.md)]
+
+## Configure search suggestions in Address bar
+[!INCLUDE [configure-search-suggestions-address-bar-include.md](../includes/configure-search-suggestions-address-bar-include.md)]
\ No newline at end of file
diff --git a/browsers/edge/group-policies/adobe-settings-gp.md b/browsers/edge/group-policies/adobe-settings-gp.md
new file mode 100644
index 0000000000..a74e8c94e4
--- /dev/null
+++ b/browsers/edge/group-policies/adobe-settings-gp.md
@@ -0,0 +1,26 @@
+---
+title: Microsoft Edge - Adobe settings
+description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result.
+services:
+keywords: Don’t add or edit keywords without consulting your SEO champ.
+author: shortpatti
+ms.author: pashort
+ms.date: 07/25/2018
+ms.topic: article
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Adobe settings
+>*Supported versions: Microsoft Edge on Windows 10*
+
+
+
+## Allow Adobe Flash
+[!INCLUDE [allow-adobe-flash-include.md](../includes/allow-adobe-flash-include.md)]
+
+
+## Configure the Adobe Flash Click-to-Run setting
+[!INCLUDE [configure-adobe-flash-click-to-run-include.md](../includes/configure-adobe-flash-click-to-run-include.md)]
+
diff --git a/browsers/edge/group-policies/books-library-management-gp.md b/browsers/edge/group-policies/books-library-management-gp.md
new file mode 100644
index 0000000000..ec9dc2db97
--- /dev/null
+++ b/browsers/edge/group-policies/books-library-management-gp.md
@@ -0,0 +1,31 @@
+---
+title: Microsoft Edge - Books Library management
+description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result.
+services:
+keywords: Don’t add or edit keywords without consulting your SEO champ.
+author: shortpatti
+ms.author: pashort
+ms.date: 07/25/2018
+ms.topic: article
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Books Library management
+>*Supported versions: Microsoft Edge on Windows 10*
+
+
+
+
+## Allow a shared books folder
+[!INCLUDE [allow-shared-folder-books-include.md](../includes/allow-shared-folder-books-include.md)]
+
+## Allow configuration updates for the Books Library
+[!INCLUDE [allow-config-updates-books-include.md](../includes/allow-config-updates-books-include.md)]
+
+## Allow extended telemetry for the Books tab
+[!INCLUDE [allow-ext-telemetry-books-tab-include.md](../includes/allow-ext-telemetry-books-tab-include.md)]
+
+## Always show the Books Library in Microsoft Edge
+[!INCLUDE [always-enable-book-library-include.md](../includes/always-enable-book-library-include.md)]
\ No newline at end of file
diff --git a/browsers/edge/group-policies/browser-settings-management-gp.md b/browsers/edge/group-policies/browser-settings-management-gp.md
new file mode 100644
index 0000000000..2f4f4c8de3
--- /dev/null
+++ b/browsers/edge/group-policies/browser-settings-management-gp.md
@@ -0,0 +1,46 @@ +--- +title: Microsoft Edge - Browser settings management +description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result. +services: +keywords: Don’t add or edit keywords without consulting your SEO champ. +author: shortpatti +ms.author: pashort +ms.date: 07/25/2018 +ms.topic: article +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +--- + +# Browser settings management +>*Supported versions: Microsoft Edge on Windows 10* + + + + +## Allow clearing browsing data on exit +[!INCLUDE [allow-clearing-browsing-data-include](../includes/allow-clearing-browsing-data-include.md)] + +## Allow printing +[!INCLUDE [allow-printing-include](../includes/allow-printing-include.md)] + +## Allow Saving History +[!INCLUDE [allow-saving-history-include](../includes/allow-saving-history-include.md)] + +## Configure Autofill +[!INCLUDE [configure-autofill-include](../includes/configure-autofill-include.md)] + +## Configure Pop-up Blocker +[!INCLUDE [configure-pop-up-blocker-include](../includes/configure-pop-up-blocker-include.md)] + +## Do not sync +[!INCLUDE [do-not-sync-include](../includes/do-not-sync-include.md)] + +## Do not sync browser settings +[!INCLUDE [do-not-sync-browser-settings-include](../includes/do-not-sync-browser-settings-include.md)] + +## Prevent users from turning on browser syncing +[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](../includes/prevent-users-to-turn-on-browser-syncing-include.md)] + + + diff --git a/browsers/edge/group-policies/developer-settings-gp.md b/browsers/edge/group-policies/developer-settings-gp.md new file mode 100644 index 0000000000..85cfef2db5 --- /dev/null +++ b/browsers/edge/group-policies/developer-settings-gp.md 
@@ -0,0 +1,24 @@
+---
+title: Microsoft Edge - Developer settings
+description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result.
+services:
+keywords: Don’t add or edit keywords without consulting your SEO champ.
+author: shortpatti
+ms.author: pashort
+ms.date: 07/25/2018
+ms.topic: article
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Developer settings
+>*Supported versions: Microsoft Edge on Windows 10*
+
+
+
+## Allow Developer Tools
+[!INCLUDE [allow-dev-tools-include](../includes/allow-dev-tools-include.md)]
+
+## Prevent access to the about:flags page
+[!INCLUDE [prevent-access-about-flag-include](../includes/prevent-access-about-flag-include.md)]
diff --git a/browsers/edge/group-policies/extensions-management-gp.md b/browsers/edge/group-policies/extensions-management-gp.md
new file mode 100644
index 0000000000..2cd29cf9a3
--- /dev/null
+++ b/browsers/edge/group-policies/extensions-management-gp.md
@@ -0,0 +1,27 @@
+---
+title: Microsoft Edge - Extensions management
+description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result.
+services:
+keywords: Don’t add or edit keywords without consulting your SEO champ.
+author: shortpatti
+ms.author: pashort
+ms.date: 07/25/2018
+ms.topic: article
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Extensions management
+>*Supported versions: Microsoft Edge on Windows 10*
+
+
+
+## Allow Extensions
+[!INCLUDE [allow-extensions-include](../includes/allow-extensions-include.md)]
+
+## Allow sideloading of extensions
+[!INCLUDE [allow-sideloading-extensions-include](../includes/allow-sideloading-extensions-include.md)]
+
+## Prevent turning off required extensions
+[!INCLUDE [prevent-turning-off-required-extensions-include](../includes/prevent-turning-off-required-extensions-include.md)]
diff --git a/browsers/edge/group-policies/favorites-management-gp.md b/browsers/edge/group-policies/favorites-management-gp.md
new file mode 100644
index 0000000000..d8b7822d94
--- /dev/null
+++ b/browsers/edge/group-policies/favorites-management-gp.md
@@ -0,0 +1,31 @@
+---
+title: Microsoft Edge - Favorites management
+description:
+services:
+keywords:
+author: shortpatti
+ms.author: pashort
+ms.date: 07/25/2018
+ms.topic: article
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Favorites management
+>*Supported versions: Microsoft Edge on Windows 10*
+
+
+
+
+## Configure Favorites Bar
+[!INCLUDE [configure-favorites-bar-include](../includes/configure-favorites-bar-include.md)]
+
+## Keep favorites in sync between Internet Explorer and Microsoft Edge
+[!INCLUDE [keep-fav-sync-ie-edge-include](../includes/keep-fav-sync-ie-edge-include.md)]
+
+## Prevent changes to Favorites on Microsoft Edge
+[!INCLUDE [prevent-changes-to-favorites-include](../includes/prevent-changes-to-favorites-include.md)]
+
+## Provision Favorites
+[!INCLUDE [provision-favorites-include](../includes/provision-favorites-include.md)]
\ No newline at end of file
diff --git a/browsers/edge/group-policies/home-button-gp.md b/browsers/edge/group-policies/home-button-gp.md
new file mode 100644
index 0000000000..86203ab818
--- /dev/null
+++ b/browsers/edge/group-policies/home-button-gp.md
@@ -0,0 +1,41 @@ +--- +title: Microsoft Edge - Home button configuration options +description: Microsoft Edge shows the home button and by clicking it the Start page loads by default. +ms.author: pashort +author: shortpatti +ms.date: 07/23/2018 +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +--- + +# Home button configuration options +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + +Microsoft Edge shows the home button and by clicking it the Start page loads by default. You can configure the Home button to load the New tab page or a URL defined in the Set Home button URL policy. You can also configure Microsoft Edge to hide the home button. + +## Relevant group policies + +- [Configure Home button](#configure-home-button) +- [Set Home button URL](#set-home-button-url) +- [Unlock Home button](#unlock-home-button) + + +## Configuration options + +![Show home button and load Start page or New tab page](../images/home-button-start-new-tab-page-v4-sm.png) + +![Show home button and load custom URL](../images/home-buttom-custom-url-v4-sm.png) + +![Hide home button](../images/home-button-hide-v4-sm.png) + + +## Configure Home button +[!INCLUDE [configure-home-button-include.md](../includes/configure-home-button-include.md)] + +## Set Home button URL +[!INCLUDE [set-home-button-url-include](../includes/set-home-button-url-include.md)] + +## Unlock Home button +[!INCLUDE [unlock-home-button-include.md](../includes/unlock-home-button-include.md)] + diff --git a/browsers/edge/group-policies/index.yml b/browsers/edge/group-policies/index.yml new file mode 100644 index 0000000000..1918d89136 --- /dev/null +++ b/browsers/edge/group-policies/index.yml 
@@ -0,0 +1,231 @@ +### YamlMime:YamlDocument + +documentType: LandingData + +title: Microsoft Edge group policies + +metadata: + + document_id: + + title: Microsoft Edge group policies + + description: Learn how to configure group policies in Microsoft Edge on Windows 10. + + text: Some of the features coming to Microsoft Edge gives you the ability to set a custom URL for the New tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. + + keywords: Microsoft Edge, Windows 10, Windows 10 Mobile + + ms.localizationpriority: medium + + author: shortpatti + + ms.author: pashort + + ms.date: 07/26/2018 + + ms.topic: article + + ms.devlang: na + +sections: + +- title: + +- items: + + - type: markdown + + text: Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. + +- items: + + - type: list + + style: cards + + className: cardsE + + columns: 3 + + items: + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies + + html:

View all available group policies for Microsoft Edge on Windows 10.

+ + image: + + src: https://docs.microsoft.com/media/common/i_policy.svg + + title: All group policies + + - href: address-bar-settings-gp + + html:

Learn how you can configure Microsoft Edge to show search suggestions in the address bar.

+ + image: + + src: https://docs.microsoft.com/media/common/i_http.svg + + title: Address bar settings + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/adobe-settings-gp + + html:

Learn how you can configure Microsoft Edge to load Adobe Flash content automatically.

+ + image: + + src: https://docs.microsoft.com/media/common/i_setup.svg + + title: Adobe Flash settings + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/books-library-management-gp + + html:

Learn how you can set up and use the books library, such as using a shared books folder for students and teachers.

+ + image: + + src: https://docs.microsoft.com/media/common/i_library.svg + + title: Books library management + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/browser-settings-management-gp + + html:

Learn how you can customize the browser settings, such as printing and saving browsing history, plus more.

+ + image: + + src: https://docs.microsoft.com/media/common/i_management.svg + + title: Browser settings + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy + + html:

Learn how Microsoft Edge kiosk mode works with assigned access to let IT administrators create a tailored browsing experience designed for kiosk devices.

+ + image: + + src: https://docs.microsoft.com/media/common/i_categorize.svg + + title: Deploy Microsoft Edge kiosk mode + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/developer-settings-gp + + html:

Learn how configure Microsoft Edge for development and testing.

+ + image: + + src: https://docs.microsoft.com/media/common/i_config-tools.svg + + title: Developer tools & settings + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp + + html:

Learn how you use Microsoft Edge and Internet Explorer together for a full browsing experience.

+ + image: + + src: https://docs.microsoft.com/media/common/i_management.svg + + title: Enterprise mode + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/extensions-management-gp + + html:

Learn how you can configure Microsoft Edge to either prevent or allow users to install and run unverified extensions.

+ + image: + + src: https://docs.microsoft.com/media/common/i_extensions.svg + + title: Extensions management + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/favorites-management-gp + + html:

Learn how you can provision a standard favorites list as well as keep the favorites lists in sync between IE11 and Microsoft Edge.

+ + image: + + src: https://docs.microsoft.com/media/common/i_link.svg + + title: Favorites management + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/home-button-gp + + html:

Learn how you can customize the home button or hide it.

+ + image: + + src: https://docs.microsoft.com/media/common/i_setup.svg + + title: Home button settings + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/new-tab-page-settings-gp + + html:

Learn how to configure the New tab page in Microsoft Edge.

+ + image: + + src: https://docs.microsoft.com/media/common/i_setup.svg + + title: New tab page settings + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/prelaunch-preload-gp + + html:

Learn how pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge.

+ + image: + + src: https://docs.microsoft.com/media/common/i_setup.svg + + title: Prelaunch Microsoft Edge and preload tabs + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/search-engine-customization-gp + + html:

Learn how you can set the default search engine and configure additional ones.

+ + image: + + src: https://docs.microsoft.com/media/common/i_search.svg + + title: Search engine management + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/security-privacy-management-gp + + html:

Learn how you can keep your environment and users safe from attacks.

+ + image: + + src: https://docs.microsoft.com/media/common/i_security-management.svg + + title: Security & privacy management + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/start-pages-gp + + html:

Learn how to configure the Start pages in Microsoft Edge.

+ + image: + + src: https://docs.microsoft.com/media/common/i_setup.svg + + title: Start page settings + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/sync-browser-settings-gp + + html:

Learn how to you can prevent the "browser" group from syncing and prevent users from turning on the the Sync your Settings toggle.

+ + image: + + src: https://docs.microsoft.com/media/common/i_sync.svg + + title: Sync browser settings + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/telemetry-management-gp + + html:

Learn how you can configure Microsoft Edge to collect certain data.

+ + image: + + src: https://docs.microsoft.com/media/common/i_data-collection.svg + + title: Telemetry and data collection diff --git a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md new file mode 100644 index 0000000000..9168988d09 --- /dev/null +++ b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md 
@@ -0,0 +1,58 @@
+---
+title: Microsoft Edge - Interoperability and enterprise guidance
+description:
+ms.author: pashort
+author: shortpatti
+ms.date: 07/23/2018
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Interoperability and enterprise guidance
+>*Supported versions: Microsoft Edge on Windows 10*
+
+
+Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support.
+
+
+>[!TIP]
+> If you are running an earlier version of Internet Explorer, then we recommend upgrading to IE11, so any legacy apps continue to work correctly.
+
+**Technology not supported by Microsoft Edge**
+- ActiveX controls
+- x-ua-compatible headers
+- <meta> tags
+- Legacy document modes
+
+
+
+>[!TIP]
+>You can also use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11. For info about Enterprise Mode and Edge, see [Use Enterprise Mode to improve compatibility](../emie-to-improve-compatibility.md).
+
+
+If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically.
+
+Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11.
+
+## Relevant group policies
+
+1. [Configure the Enterprise Mode Site List](#configure-the-enterprise-mode-site-list)
+2. [Send all intranet sites to Internet Explorer 11](#send-all-intranet-sites-to-internet-explorer-11)
+3. [Show message when opening sites in Internet Explorer](#show-message-when-opening-sites-in-internet-explorer)
+4. [(IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge](#ie11-policy-send-all-sites-not-included-in-the-enterprise-mode-site-list-to-microsoft-edge)
+
+
+![Use Enterprise Mode with Microsoft Edge to improve compatibility](../images/use-enterprise-mode-with-microsoft-edge-sm.png)
+
+## Configure the Enterprise Mode Site List
+[!INCLUDE [configure-enterprise-mode-site-list-include](../includes/configure-enterprise-mode-site-list-include.md)]
+
+## Send all intranet sites to Internet Explorer 11
+[!INCLUDE [send-all-intranet-sites-ie-include](../includes/send-all-intranet-sites-ie-include.md)]
+
+## Show message when opening sites in Internet Explorer
+[!INCLUDE [show-message-opening-sites-ie-include](../includes/show-message-opening-sites-ie-include.md)]
+
+## (IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge
+[!INCLUDE [ie11-send-all-sites-not-in-site-list-include](../includes/ie11-send-all-sites-not-in-site-list-include.md)]
\ No newline at end of file
diff --git a/browsers/edge/group-policies/new-tab-page-settings-gp.md b/browsers/edge/group-policies/new-tab-page-settings-gp.md
new file mode 100644
index 0000000000..c9058539c8
--- /dev/null
+++ b/browsers/edge/group-policies/new-tab-page-settings-gp.md
@@ -0,0 +1,21 @@
+---
+title: Microsoft Edge - New tab page
+description: Microsoft Edge loads the default New tab page by default. You can configure Microsoft Edge to load a New tab page URL and prevent users from changing it.
+ms.author: pashort
+author: shortpatti
+ms.date: 07/25/2018
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+
+# New tab page
+>*Supported versions: Microsoft Edge on Windows 10*
+
+
+Microsoft Edge loads the default New tab page by default. You can configure Microsoft Edge to load a New tab page URL and prevent users from changing it. When you enable this policy, and you disable the Allow web content on New tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank.
+
+
+## Set New Tab page URL
+[!INCLUDE [set-new-tab-url-include](../includes/set-new-tab-url-include.md)]
\ No newline at end of file
diff --git a/browsers/edge/group-policies/prelaunch-preload-gp.md b/browsers/edge/group-policies/prelaunch-preload-gp.md
new file mode 100644
index 0000000000..2cb49a9b01
--- /dev/null
+++ b/browsers/edge/group-policies/prelaunch-preload-gp.md
@@ -0,0 +1,38 @@
+---
+title: Microsoft Edge - Prelaunch and tab preload configuration options
+description: Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge.
+ms.author: pashort
+author: shortpatti
+ms.date: 07/25/2018
+---
+
+# Prelaunch Microsoft Edge and preload tabs in the background
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+
+
+Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge. You can also configure Microsoft Edge to prevent Microsoft Edge from pre-launching.
+
+Additionally, Microsoft Edge preloads the Start and New tab pages during Windows sign in, which minimizes the amount of time required to start Microsoft Edge and load a new tab. You can also configure Microsoft Edge to prevent preloading of tabs.
+
+
+## Relevant group policies
+
+- [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed)
+- [Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](#allow-microsoft-edge-to-start-and-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed)
+
+
+## Configuration options
+
+![Only preload the Start and New tab pages during Windows startup](../images/preload-tabs-only-sm.png)
+
+![Prelauch Microsoft Edge and preload Start and New tab pages](../images/prelaunch-edge-and-preload-tabs-sm.png)
+
+![Only prelaunch Microsoft Edge during Windows startup](../images/prelaunch-edge-only-sm.png)
+
+
+
+## Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed
+[!INCLUDE [allow-prelaunch-include](../includes/allow-prelaunch-include.md)]
+
+## Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed
+[!INCLUDE [allow-tab-preloading-include](../includes/allow-tab-preloading-include.md)]
\ No newline at end of file
diff --git a/browsers/edge/group-policies/search-engine-customization-gp.md b/browsers/edge/group-policies/search-engine-customization-gp.md
new file mode 100644
index 0000000000..1ce3437a76
--- /dev/null
+++ b/browsers/edge/group-policies/search-engine-customization-gp.md
@@ -0,0 +1,31 @@
+---
+title: Microsoft Edge - Search engine customization
+description: By default, Microsoft Edge uses the default search engine specified in App settings, which lets users make changes to it. You can configure Microsoft Edge to use the policy-set search engine specified in the OpenSearch XML file.
+ms.author: pashort
+author: shortpatti
+ms.date: 07/25/2018
+---
+
+# Search engine customization
+
+By default, Microsoft Edge uses the default search engine specified in App settings, which lets users make changes to it. You can configure Microsoft Edge to use the policy-set search engine specified in the OpenSearch XML file. You can also prevent users from making changes to the search engine settings.
+
+## Relevant group policies
+
+- [Set default search engine](#set-default-search-engine)
+- [Allow search engine customization](#allow-search-engine-customization)
+- [Configure additional search engines](#configure-additional-search-engines)
+
+
+![Set default search engine configurations](../images/set-default-search-engine-v4-sm.png)
+
+
+## Set default search engine
+[!INCLUDE [set-default-search-engine-include](../includes/set-default-search-engine-include.md)]
+
+## Allow search engine customization
+[!INCLUDE [allow-search-engine-customization-include](../includes/allow-search-engine-customization-include.md)]
+
+## Configure additional search engines
+[!INCLUDE [configure-additional-search-engines-include](../includes/configure-additional-search-engines-include.md)]
+
diff --git a/browsers/edge/group-policies/security-privacy-management-gp.md b/browsers/edge/group-policies/security-privacy-management-gp.md
new file mode 100644
index 0000000000..a53fb2df7d
--- /dev/null
+++ b/browsers/edge/group-policies/security-privacy-management-gp.md
@@ -0,0 +1,52 @@
+---
+title: Microsoft Edge - Security and privacy management
+description: Microsoft Edge helps to defend from increasingly sophisticated and prevalent web-based attacks against Windows. While most websites are safe, some sites have been designed to steal personal information or gain access to your system’s resources.
+ms.author: pashort
+author: shortpatti
+ms.date: 07/27/2018
+---
+
+# Security and privacy management
+>*Supported versions: Microsoft Edge on Windows 10*
+
+Microsoft Edge is designed with improved security in mind, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. Because Microsoft Edge is designed like a Universal Windows app, changing the browser to an app, it fundamentally changes the process model so that both the outer manager process and the different content processes all live within app container sandboxes.
+
+Microsoft Edge runs in 64-bit not just by default, but anytime it’s running on a 64-bit operating system. Because Microsoft Edge doesn’t support legacy ActiveX controls or 3rd-party binary extensions, there’s no longer a reason to run 32-bit processes on a 64-bit system.
+
+The value of running 64-bit all the time is that it strengthens Windows Address Space Layout Randomization (ASLR), randomizing the memory layout of the browser processes, making it much harder for attackers to hit precise memory locations. In turn, 64-bit processes make ASLR much more effective by making the address space exponentially larger and, therefore, more difficult for attackers to find sensitive memory components.
+
+
+
+## Configure cookies
+[!INCLUDE [configure-cookies-include](../includes/configure-cookies-include.md)]
+
+## Configure Password Manager
+[!INCLUDE [configure-password-manager-include](../includes/configure-password-manager-include.md)]
+
+## Configure Windows Defender SmartScreen
+[!INCLUDE [configure-windows-defender-smartscreen-include](../includes/configure-windows-defender-smartscreen-include.md)]
+
+## Prevent bypassing Windows Defender SmartScreen prompts for files
+[!INCLUDE [prevent-bypassing-win-defender-files-include](../includes/prevent-bypassing-win-defender-files-include.md)]
+
+## Prevent bypassing Windows Defender SmartScreen prompts for sites
+[!INCLUDE [prevent-bypassing-win-defender-sites-include](../includes/prevent-bypassing-win-defender-sites-include.md)]
+
+## Prevent certificate error overrides
+[!INCLUDE [prevent-certificate-error-overrides-include](../includes/prevent-certificate-error-overrides-include.md)]
+
+## Prevent using Localhost IP address for WebRTC
+[!INCLUDE [prevent-localhost-address-for-webrtc-include](../includes/prevent-localhost-address-for-webrtc-include.md)]
+
+
+
+| | |
+|---|---|
+| **[Windows Hello](http://blogs.windows.com/bloggingwindows/2015/03/17/making-windows-10-more-personal-and-more-secure-with-windows-hello/)** | Authenticates the user and the website with asymmetric cryptography technology. Microsoft Edge natively supports Windows Hello as a more personal, seamless, and secure way to authenticate on the web, powered by an early implementation of the [Web Authentication (formerly FIDO 2.0 Web API) specification](http://w3c.github.io/webauthn/). |
+| **Microsoft SmartScreen** | Defends against phishing by performing reputation checks on sites visited and blocking any site that is thought to be a phishing site. SmartScreen also helps to defend against installing malicious software or file downloads, even from trusted sites. |
+| **Certificate Reputation system** | Collects data about certificates in use, detecting new certificates and flagging fraudulent certificates automatically. |
+| **Microsoft EdgeHTML** | Defends against hacking through the following security standards features: |
+| **Code integrity and image loading restrictions** | Prevents malicious DLLs from loading or injecting into the content processes. Only signed images are allowed to load in Microsoft Edge. Binaries on remote devices (such as UNC or WebDAV) can't load. |
+| **Memory corruption mitigations** | Defends against memory corruption weaknesses and vulnerabilities with the use of [CWE-416: Use After Free](http://cwe.mitre.org/data/definitions/416.html) (UAF). |
+| **Memory Garbage Collector (MemGC) mitigation** | Replaces Memory Protector and helps to defend the browser from UAF vulnerabilities by freeing memory from the programmer and automating it, only freeing memory when the automation detects that there are no more references left pointing to a given block of memory. |
+| **Control Flow Guard** | Compiles checks around code that performs indirect jumps based on a pointer, restricting those jumps to only going to function entry points with known addresses. Control Flow Guard is a Microsoft Visual Studio technology. |
\ No newline at end of file
diff --git a/browsers/edge/group-policies/start-pages-gp.md b/browsers/edge/group-policies/start-pages-gp.md
new file mode 100644
index 0000000000..ddb428bcc4
--- /dev/null
+++ b/browsers/edge/group-policies/start-pages-gp.md
@@ -0,0 +1,49 @@
+---
+title: Microsoft Edge - Start pages
+description: Configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages.
+ms.author: pashort
+author: shortpatti
+ms.date: 07/25/2018
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Start pages configuration options
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+
+
+Microsoft Edge loads the pages specified in App settings as the default Start pages. You can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes.
+
+## Relevant group policies
+
+- [Configure Open Microsoft Edge With](#configure-open-microsoft-edge-with)
+- [Configure Start Pages](#configure-start-pages)
+- [Disable Lockdown of Start pages](#disable-lockdown-of-start-pages)
+
+
+![Load URLs defined in Configure Start Pages](../images/load-urls-defined-in-configure-open-edge-with-main-sm.png)
+
+
+## Configure Open Microsoft Edge With
+[!INCLUDE [configure-open-edge-with-include](../includes/configure-open-edge-with-include.md)]
+
+## Configure Start Pages
+[!INCLUDE [configure-start-pages-include](../includes/configure-start-pages-include.md)]
+
+## Disable Lockdown of Start pages
+[!INCLUDE [disable-lockdown-of-start-pages-include](../includes/disable-lockdown-of-start-pages-include.md)]
+
+
+### Configuration options
+
+| **Configure Open Microsoft Edge With** | **Configure Start Pages** | **Disabled Lockdown of Start Pages** | **Outcome** |
+| --- | --- | --- | --- |
+| Enabled (applies to all options) | Enabled – String | Enabled (all configured start pages are editable) | Load URLs defined in the Configure Open Microsoft Edge With policy, and allow users to make changes. |
+| Disabled or not configured | Enabled – String | Enabled (any Start page configured in the Configured Start Pages policy) | Load any start page and let users make changes .|
+| Enabled (Start page) | Enabled – String | Blank or not configured | Load Start page(s) and prevent users from making changes. |
+| Enabled (New tab page) | Enabled – String | Blank or not configured | Load New tab page and prevent users from making changes. |
+| Enabled (Previous pages) | Enabled – String | Blank or not configured | Load previously opened pages and prevent users from making changes. |
+| Enabled (A specific page or pages) | Enabled – String | Blank or not configured | Load a specific page or pages and prevent users from making changes. |
+| Enabled (A specific page or pages) | Enabled – String | Enabled (any Start page configured in Configure Start Pages policy) | Load a specific page or pages and let users make changes. |
+---
\ No newline at end of file
diff --git a/browsers/edge/group-policies/sync-browser-settings-gp.md b/browsers/edge/group-policies/sync-browser-settings-gp.md
new file mode 100644
index 0000000000..9ce7fd31fd
--- /dev/null
+++ b/browsers/edge/group-policies/sync-browser-settings-gp.md
@@ -0,0 +1,38 @@
+---
+title: Microsoft Edge - Sync browser settings options
+description: By default, the “browser” group syncs automatically between the user’s devices, letting users make changes.
+ms.author: pashort
+author: shortpatti
+ms.date: 08/06/2018
+---
+
+# Sync browser settings options
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+
+By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. You can configure Microsoft Edge to prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy.
+
+
+## Relevant policies
+- [Do not sync browser settings](#do-not-sync-browser-settings)
+- [Prevent users from turning on browser syncing](#prevent-users-from-turning-on-browser-syncing)
+
+
+## Configuration options
+
+![Sync browser settings automatically](../images/sync-browser-settings-automatically-sm.png)
+
+![Prevent syncing of browser settings](../images/prevent-syncing-browser-settings-sm.png)
+
+
+## Verify the configuration
+To verify if syncing is turned on or off:
+1. In the upper-right corner of Microsoft Edge, click **More** \(**...**\).
+2. Click **Settings**.
+3. Under Account, see if the setting is toggled on or off.

![Verify configuration](../images/sync-settings.PNG)
+
+
+## Do not sync browser settings
+[!INCLUDE [do-not-sync-browser-settings-include](../includes/do-not-sync-browser-settings-include.md)]
+
+## Prevent users from turning on browser syncing
+[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](../includes/prevent-users-to-turn-on-browser-syncing-include.md)]
\ No newline at end of file
diff --git a/browsers/edge/group-policies/telemetry-management-gp.md b/browsers/edge/group-policies/telemetry-management-gp.md
new file mode 100644
index 0000000000..dac652e949
--- /dev/null
+++ b/browsers/edge/group-policies/telemetry-management-gp.md
@@ -0,0 +1,27 @@
+---
+title: Microsoft Edge - Telemetry and data collection
+description:
+ms.author: pashort
+author: shortpatti
+ms.date: 07/29/2018
+---
+
+# Telemetry and data collection
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+
+
+
+## Allow extended telemetry for the Books tab
+[!INCLUDE [allow-ext-telemetry-books-tab-include.md](../includes/allow-ext-telemetry-books-tab-include.md)]
+
+## Configure collection of browsing data for Microsoft 365 Analytics
+[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](../includes/configure-browser-telemetry-for-m365-analytics-include.md)]
+
+
+
+## Configure Do Not Track
+[!INCLUDE [configure-do-not-track-include.md](../includes/configure-do-not-track-include.md)]
+
+
+## Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start
+[!INCLUDE [prevent-live-tile-pinning-start-include](../includes/prevent-live-tile-pinning-start-include.md)]
\ No newline at end of file
diff --git a/browsers/edge/hardware-and-software-requirements.md b/browsers/edge/hardware-and-software-requirements.md
index 81c4a2c980..307e1293de 100644
--- a/browsers/edge/hardware-and-software-requirements.md
+++ b/browsers/edge/hardware-and-software-requirements.md
@@ -1,13 +1,13 @@ --- description: Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list. ms.assetid: 3c5bc4c4-1060-499e-9905-2504ea6dc6aa -author: eross-msft +author: shortpatti ms.prod: edge ms.mktglfcycl: support ms.sitesec: library ms.pagetype: appcompat title: Microsoft Edge requirements and language support (Microsoft Edge for IT Pros) -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 07/27/2017 --- diff --git a/browsers/edge/images/148766.png b/browsers/edge/images/148766.png new file mode 100644 index 0000000000..cf568656a7 Binary files /dev/null and b/browsers/edge/images/148766.png differ diff --git a/browsers/edge/images/148767.png b/browsers/edge/images/148767.png new file mode 100644 index 0000000000..7f8b92a620 Binary files /dev/null and b/browsers/edge/images/148767.png differ diff --git a/browsers/edge/images/Multi-app_kiosk_inFrame.png b/browsers/edge/images/Multi-app_kiosk_inFrame.png new file mode 100644 index 0000000000..a1c62f8ffe Binary files /dev/null and b/browsers/edge/images/Multi-app_kiosk_inFrame.png differ diff --git a/browsers/edge/images/Normal_inFrame.png b/browsers/edge/images/Normal_inFrame.png new file mode 100644 index 0000000000..fccb0d4e56 Binary files /dev/null and b/browsers/edge/images/Normal_inFrame.png differ diff --git a/browsers/edge/images/SingleApp_contosoHotel_inFrame.png b/browsers/edge/images/SingleApp_contosoHotel_inFrame.png new file mode 100644 index 0000000000..b7dfc0ee28 Binary files /dev/null and b/browsers/edge/images/SingleApp_contosoHotel_inFrame.png differ diff --git a/browsers/edge/images/allow-smart-screen-validation.PNG b/browsers/edge/images/allow-smart-screen-validation.PNG new file mode 100644 index 0000000000..f118ea8b9c Binary files /dev/null and b/browsers/edge/images/allow-smart-screen-validation.PNG differ 
diff --git a/browsers/edge/images/check-gn.png b/browsers/edge/images/check-gn.png new file mode 100644 index 0000000000..8aab16a59a Binary files /dev/null and b/browsers/edge/images/check-gn.png differ diff --git a/browsers/edge/images/config-enterprise-site-list.png b/browsers/edge/images/config-enterprise-site-list.png new file mode 100644 index 0000000000..82ffc30895 Binary files /dev/null and b/browsers/edge/images/config-enterprise-site-list.png differ diff --git a/browsers/edge/images/config-open-me-with-scenarios-tab.PNG b/browsers/edge/images/config-open-me-with-scenarios-tab.PNG new file mode 100644 index 0000000000..0e39d589d5 Binary files /dev/null and b/browsers/edge/images/config-open-me-with-scenarios-tab.PNG differ diff --git a/browsers/edge/images/enterprise-mode-value-data.png b/browsers/edge/images/enterprise-mode-value-data.png new file mode 100644 index 0000000000..9e9ece9c1a Binary files /dev/null and b/browsers/edge/images/enterprise-mode-value-data.png differ diff --git a/browsers/edge/images/home-buttom-custom-url-v4-sm.png b/browsers/edge/images/home-buttom-custom-url-v4-sm.png new file mode 100644 index 0000000000..397b46c75b Binary files /dev/null and b/browsers/edge/images/home-buttom-custom-url-v4-sm.png differ diff --git a/browsers/edge/images/home-buttom-custom-url-v4.png b/browsers/edge/images/home-buttom-custom-url-v4.png new file mode 100644 index 0000000000..db47a93117 Binary files /dev/null and b/browsers/edge/images/home-buttom-custom-url-v4.png differ diff --git a/browsers/edge/images/home-button-hide-v4-sm.png b/browsers/edge/images/home-button-hide-v4-sm.png new file mode 100644 index 0000000000..b8adce292b Binary files /dev/null and b/browsers/edge/images/home-button-hide-v4-sm.png differ diff --git a/browsers/edge/images/home-button-hide-v4.png b/browsers/edge/images/home-button-hide-v4.png new file mode 100644 index 0000000000..ef43ce6f77 Binary files /dev/null and b/browsers/edge/images/home-button-hide-v4.png differ 
diff --git a/browsers/edge/images/home-button-start-new-tab-page-v4-sm.png b/browsers/edge/images/home-button-start-new-tab-page-v4-sm.png new file mode 100644 index 0000000000..7b04f17b28 Binary files /dev/null and b/browsers/edge/images/home-button-start-new-tab-page-v4-sm.png differ diff --git a/browsers/edge/images/home-button-start-new-tab-page-v4.png b/browsers/edge/images/home-button-start-new-tab-page-v4.png new file mode 100644 index 0000000000..599ebeb8df Binary files /dev/null and b/browsers/edge/images/home-button-start-new-tab-page-v4.png differ diff --git a/browsers/edge/images/icon-thin-line-computer.png b/browsers/edge/images/icon-thin-line-computer.png new file mode 100644 index 0000000000..e941caf0c1 Binary files /dev/null and b/browsers/edge/images/icon-thin-line-computer.png differ diff --git a/browsers/edge/images/kiosk-mode-types.png b/browsers/edge/images/kiosk-mode-types.png new file mode 100644 index 0000000000..1ae43b31ac Binary files /dev/null and b/browsers/edge/images/kiosk-mode-types.png differ diff --git a/browsers/edge/images/load-any-start-page-let-users-make-changes.png b/browsers/edge/images/load-any-start-page-let-users-make-changes.png new file mode 100644 index 0000000000..fd4caf021e Binary files /dev/null and b/browsers/edge/images/load-any-start-page-let-users-make-changes.png differ diff --git a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main-sm.png b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main-sm.png new file mode 100644 index 0000000000..eb3987003d Binary files /dev/null and b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main-sm.png differ 
diff --git a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main.png b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main.png new file mode 100644 index 0000000000..bf4dc617aa Binary files /dev/null and b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main.png differ diff --git a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-sm.png b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-sm.png new file mode 100644 index 0000000000..eacac1b216 Binary files /dev/null and b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-sm.png differ diff --git a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with.png b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with.png new file mode 100644 index 0000000000..eacac1b216 Binary files /dev/null and b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with.png differ diff --git a/browsers/edge/images/microsoft-edge-kiosk-mode.png b/browsers/edge/images/microsoft-edge-kiosk-mode.png new file mode 100644 index 0000000000..ec794911b7 Binary files /dev/null and b/browsers/edge/images/microsoft-edge-kiosk-mode.png differ diff --git a/browsers/edge/images/multi-app-kiosk-mode.PNG b/browsers/edge/images/multi-app-kiosk-mode.PNG new file mode 100644 index 0000000000..fd924f92b0 Binary files /dev/null and b/browsers/edge/images/multi-app-kiosk-mode.PNG differ diff --git a/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png b/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png new file mode 100644 index 0000000000..823309be3e Binary files /dev/null and b/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png differ 
diff --git a/browsers/edge/images/prelaunch-edge-and-preload-tabs.png b/browsers/edge/images/prelaunch-edge-and-preload-tabs.png new file mode 100644 index 0000000000..a287ebb8fd Binary files /dev/null and b/browsers/edge/images/prelaunch-edge-and-preload-tabs.png differ diff --git a/browsers/edge/images/prelaunch-edge-only-sm.png b/browsers/edge/images/prelaunch-edge-only-sm.png new file mode 100644 index 0000000000..365bddf96a Binary files /dev/null and b/browsers/edge/images/prelaunch-edge-only-sm.png differ diff --git a/browsers/edge/images/prelaunch-edge-only.png b/browsers/edge/images/prelaunch-edge-only.png new file mode 100644 index 0000000000..975a745f3f Binary files /dev/null and b/browsers/edge/images/prelaunch-edge-only.png differ diff --git a/browsers/edge/images/preload-tabs-only-sm.png b/browsers/edge/images/preload-tabs-only-sm.png new file mode 100644 index 0000000000..32089d3fce Binary files /dev/null and b/browsers/edge/images/preload-tabs-only-sm.png differ diff --git a/browsers/edge/images/preload-tabs-only.png b/browsers/edge/images/preload-tabs-only.png new file mode 100644 index 0000000000..01181d6b82 Binary files /dev/null and b/browsers/edge/images/preload-tabs-only.png differ diff --git a/browsers/edge/images/prevent-syncing-browser-settings-sm.png b/browsers/edge/images/prevent-syncing-browser-settings-sm.png new file mode 100644 index 0000000000..7bcdfcdc8c Binary files /dev/null and b/browsers/edge/images/prevent-syncing-browser-settings-sm.png differ diff --git a/browsers/edge/images/prevent-syncing-browser-settings.png b/browsers/edge/images/prevent-syncing-browser-settings.png new file mode 100644 index 0000000000..6f98dc6c22 Binary files /dev/null and b/browsers/edge/images/prevent-syncing-browser-settings.png differ 
diff --git a/browsers/edge/images/set-default-search-engine-v4-sm.png b/browsers/edge/images/set-default-search-engine-v4-sm.png new file mode 100644 index 0000000000..44a5ae094a Binary files /dev/null and b/browsers/edge/images/set-default-search-engine-v4-sm.png differ diff --git a/browsers/edge/images/set-default-search-engine-v4.png b/browsers/edge/images/set-default-search-engine-v4.png new file mode 100644 index 0000000000..59528a3282 Binary files /dev/null and b/browsers/edge/images/set-default-search-engine-v4.png differ diff --git a/browsers/edge/images/single-app-kiosk-mode.PNG b/browsers/edge/images/single-app-kiosk-mode.PNG new file mode 100644 index 0000000000..a939973c62 Binary files /dev/null and b/browsers/edge/images/single-app-kiosk-mode.PNG differ diff --git a/browsers/edge/images/sync-browser-settings-automatically-sm.png b/browsers/edge/images/sync-browser-settings-automatically-sm.png new file mode 100644 index 0000000000..25b68500d5 Binary files /dev/null and b/browsers/edge/images/sync-browser-settings-automatically-sm.png differ diff --git a/browsers/edge/images/sync-browser-settings-automatically.png b/browsers/edge/images/sync-browser-settings-automatically.png new file mode 100644 index 0000000000..3f81196ebc Binary files /dev/null and b/browsers/edge/images/sync-browser-settings-automatically.png differ diff --git a/browsers/edge/images/sync-settings.PNG b/browsers/edge/images/sync-settings.PNG new file mode 100644 index 0000000000..5c72626abd Binary files /dev/null and b/browsers/edge/images/sync-settings.PNG differ diff --git a/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png b/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png new file mode 100644 index 0000000000..e443c71bda Binary files /dev/null and b/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png differ 
diff --git a/browsers/edge/images/use-enterprise-mode-with-microsoft-edge.png b/browsers/edge/images/use-enterprise-mode-with-microsoft-edge.png new file mode 100644 index 0000000000..8a9b11ff19 Binary files /dev/null and b/browsers/edge/images/use-enterprise-mode-with-microsoft-edge.png differ diff --git a/browsers/edge/img-microsoft-edge-infographic-lg.md b/browsers/edge/img-microsoft-edge-infographic-lg.md index e9d8b67cc2..cb3a42f1b9 100644 --- a/browsers/edge/img-microsoft-edge-infographic-lg.md +++ b/browsers/edge/img-microsoft-edge-infographic-lg.md @@ -2,6 +2,8 @@ description: A full-sized view of the Microsoft Edge infographic. title: Full-sized view of the Microsoft Edge infographic ms.date: 11/10/2016 +ms.author: pashort +author: shortpatti --- Return to: [Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md)
diff --git a/browsers/edge/includes/allow-address-bar-suggestions-include.md b/browsers/edge/includes/allow-address-bar-suggestions-include.md
new file mode 100644
index 0000000000..44e9bc5c02
--- /dev/null
+++ b/browsers/edge/includes/allow-address-bar-suggestions-include.md
@@ -0,0 +1,41 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Enabled or not configured (Allowed)*
+
+[!INCLUDE [allow-address-bar-drop-down-shortdesc](../shortdesc/allow-address-bar-drop-down-shortdesc.md)]
+
+
+### Supported values
+
+>[!div class="mx-tableFixed"]
+>|Group Policy |MDM |Registry |Description |Most restricted |
+>|---|:---:|:---:|---|:---:|
+>|Disabled |0 |0 |Prevented/not allowed. Hide the Address bar drop-down functionality and disable the _Show search and site suggestions as I type_ toggle in Settings. |![Most restricted value](../images/check-gn.png) |
+>|Enabled or not configured **(default)** |1 |1 |Allowed. Show the Address bar drop-down list and make it available. | |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow Address bar drop-down list suggestions
+- **GP name:** AllowAddressBarDropdown
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowAddressBarDropdown](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser\#browser-allowaddressbardropdown)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\ServiceUI
+- **Value name:** ShowOneBox
+- **Value type:** REG_DWORD
+
+
+### Related policies
+
+[Configure search suggestions in Address bar](../available-policies.md#configure-search-suggestions-in-address-bar): [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)]
+
+


\ No newline at end of file
diff --git a/browsers/edge/includes/allow-adobe-flash-include.md b/browsers/edge/includes/allow-adobe-flash-include.md
new file mode 100644
index 0000000000..b8cdb50808
--- /dev/null
+++ b/browsers/edge/includes/allow-adobe-flash-include.md
@@ -0,0 +1,34 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled or not configured (Allowed)*
+
+[!INCLUDE [allow-adobe-flash-shortdesc](../shortdesc/allow-adobe-flash-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Disabled |0 |0 |Prevented/not allowed |
+|Enabled **(default)** |1 |1 |Allowed |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow Adobe Flash
+- **GP name:** AllowFlash
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowFlash](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser\#browser-allowflash)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAdobeFlash
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Addons
+- **Value name:** FlashPlayerEnabled
+- **Value type:** REG_DWORD
+
+
diff --git a/browsers/edge/includes/allow-clearing-browsing-data-include.md b/browsers/edge/includes/allow-clearing-browsing-data-include.md
new file mode 100644
index 0000000000..6f1432ed53
--- /dev/null
+++ b/browsers/edge/includes/allow-clearing-browsing-data-include.md
@@ -0,0 +1,36 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Prevented/not allowed)*
+
+[!INCLUDE [allow-clearing-browsing-data-on-exit-shortdesc](../shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md)]
+
+### Supported values
+
+>[!div class="mx-tableFixed"]
+>|Group Policy |MDM |Registry |Description |Most restricted |
+>|---|:---:|:---:|---|:---:|
+>|Disabled or not configured **(default)** |0 |0 |Prevented/not allowed. Users can configure the _Clear browsing data_ option in Settings. | |
+>|Enabled |1 |1 |Allowed. Clear the browsing data upon exit automatically. |![Most restricted value](../images/check-gn.png) |
+---
+
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow clearing browsing data on exit
+- **GP name:** AllowClearingBrowsingDataOnExit
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ClearBrowsingDataOnExit](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser\#browser-clearbrowsingdataonexit)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ClearBrowsingDataOnExit
+- **Data type:** Integer
+
+#### *Registry
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Privacy
+- **Value name:** ClearBrowsingHistoryOnExit
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/allow-config-updates-books-include.md b/browsers/edge/includes/allow-config-updates-books-include.md
new file mode 100644
index 0000000000..325293262e
--- /dev/null
+++ b/browsers/edge/includes/allow-config-updates-books-include.md
@@ -0,0 +1,38 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1802 or later*
+>*Default setting: Enabled or not configured (Allowed)*
+
+[!INCLUDE [allow-configuration-updates-for-books-library-shortdesc](../shortdesc/allow-configuration-updates-for-books-library-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled |0 |0 |Prevented/not allowed. |![Most restricted value](../images/check-gn.png) |
+|Enabled or not configured
**(default)** |1 |1 |Allowed. Microsoft Edge updates the configuration data for the Books Library automatically. | |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow configuration updates for the Books Library
+- **GP name:** AllowConfigurationUpdateForBooksLibrary
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowConfigurationUpdateForBooksLibrary
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\BooksLibrary
+- **Value name:** AllowConfigurationUpdateForBooksLibrary
+- **Value type:** REG_DWORD
+
+### Related topics
+
+[Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/en-us/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
+

+


diff --git a/browsers/edge/includes/allow-cortana-include.md b/browsers/edge/includes/allow-cortana-include.md
new file mode 100644
index 0000000000..a175001e68
--- /dev/null
+++ b/browsers/edge/includes/allow-cortana-include.md
@@ -0,0 +1,35 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Allowed)*
+
+[!INCLUDE [allow-cortana-shortdesc](../shortdesc/allow-cortana-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled |0 |0 |Prevented/not allowed. Users can still search to find items on their device. |![Most restricted value](../images/check-gn.png) |
+|Enabled
**(default)** |1 |1 |Allowed. | |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow Cortana
+- **GP name:** AllowCortana
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Experience/[AllowCortana](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowcortana)
+- **Supported devices:** Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowCortana
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\Windows\Windows Search
+- **Value name:** AllowCortana
+- **Value type:** REG_DWORD
+
+
+
diff --git a/browsers/edge/includes/allow-dev-tools-include.md b/browsers/edge/includes/allow-dev-tools-include.md
new file mode 100644
index 0000000000..919b4a9968
--- /dev/null
+++ b/browsers/edge/includes/allow-dev-tools-include.md
@@ -0,0 +1,36 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Enabled (Allowed)*
+
+[!INCLUDE [allow-developer-tools-shortdesc](../shortdesc/allow-developer-tools-shortdesc.md)]
+
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) |
+|Enabled |1 |1 |Allowed | |
+---
+
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow Developer Tools
+- **GP name:** AllowDeveloperTools
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowDeveloperTools](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools)
+- **Supported devices:** Desktop
+- **URI full Path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\F12
+- **Value name:** AllowDeveloperTools
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/allow-enable-book-library-include.md b/browsers/edge/includes/allow-enable-book-library-include.md
new file mode 100644
index 0000000000..1018a1cdd6
--- /dev/null
+++ b/browsers/edge/includes/allow-enable-book-library-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
+>*Default setting: Disabled or not configured*
+
+[!INCLUDE [always-show-books-library-shortdesc](../shortdesc/always-show-books-library-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Show the Books Library only in countries or regions where supported. |![Most restricted value](../images/check-gn.png) |
+|Enabled |1 |1 |Show the Books Library, regardless of the device’s country or region. | |
+---
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Always show the Books Library in Microsoft Edge
+- **GP name:** AlwaysEnableBooksLibrary
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[Browser/AlwaysEnableBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main
+- **Value name:** AlwaysEnableBooksLibrary
+- **Value type:** REG_DWORD
+
+
diff --git a/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md b/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md
new file mode 100644
index 0000000000..96da415a28
--- /dev/null
+++ b/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md
@@ -0,0 +1,35 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1802 or later*
+>*Default setting: Disabled or not configured (Gather and send only basic diagnostic data)*
+
+[!INCLUDE [allow-extended-telemetry-for-books-tab-shortdesc](../shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Depending on the device configuration, Microsoft Edge gathers only basic diagnostic data. |![Most restricted value](../images/check-gn.png) |
+|Enabled |1 |1 |Gathers both basic and additional diagnostic data. | |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow extended telemetry for the Books tab
+- **GP name:** EnableExtendedBooksTelemetry
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** [Browser/EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary
+- **Value name:** EnableExtendedBooksTelemetry
+- **Value type:** REG_DWORD
+
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/allow-extensions-include.md b/browsers/edge/includes/allow-extensions-include.md
new file mode 100644
index 0000000000..95895b9817
--- /dev/null
+++ b/browsers/edge/includes/allow-extensions-include.md
@@ -0,0 +1,39 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
+>*Default setting: Enabled or not configured (Allowed)*
+
+[!INCLUDE [allow-extensions-shortdesc](../shortdesc/allow-extensions-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Disabled |0 |0 |Prevented/not allowed |
+|Enabled or not configured
**(default)** |1 |1 |Allowed |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow Extensions
+- **GP name:** AllowExtensions
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowextensions)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowExtensions
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Extensions
+- **Value name:** ExtensionsEnabled
+- **Value type:** REG_DWORD
+
+### Related topics
+
+[Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy):
+This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**.
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/allow-full-screen-include.md b/browsers/edge/includes/allow-full-screen-include.md
new file mode 100644
index 0000000000..b7fc715298
--- /dev/null
+++ b/browsers/edge/includes/allow-full-screen-include.md
@@ -0,0 +1,36 @@
+
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Enabled or not configured (Allowed)*
+
+
+[!INCLUDE [allow-fullscreen-mode-shortdesc](../shortdesc/allow-fullscreen-mode-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) |
+|Enabled
**(default)** |1 |1 |Allowed | |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow fullscreen mode
+- **GP name:** AllowFullScreenMode
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowFullscreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFullscreen
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Main
+- **Value name:** AllowFullScreenMode
+- **Value type:** REG_DWORD
+
+
diff --git a/browsers/edge/includes/allow-inprivate-browsing-include.md b/browsers/edge/includes/allow-inprivate-browsing-include.md
new file mode 100644
index 0000000000..727ded18a6
--- /dev/null
+++ b/browsers/edge/includes/allow-inprivate-browsing-include.md
@@ -0,0 +1,36 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Enabled or not configured (Allowed)*
+
+
+[!INCLUDE [allow-inprivate-browsing-shortdesc](../shortdesc/allow-inprivate-browsing-shortdesc.md)]
+
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) |
+|Enabled or not configured
**(default)** |1 |1 |Allowed | |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow InPrivate browsing
+- **GP name:** AllowInPrivate
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowInPrivate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowInPrivate
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+- **Value name:** AllowInPrivate
+- **Value type:** REG_DWORD
+
+
diff --git a/browsers/edge/includes/allow-microsoft-compatibility-list-include.md b/browsers/edge/includes/allow-microsoft-compatibility-list-include.md
new file mode 100644
index 0000000000..aabd2fb773
--- /dev/null
+++ b/browsers/edge/includes/allow-microsoft-compatibility-list-include.md
@@ -0,0 +1,34 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
+>*Default setting: Enabled or not configured (Allowed)*
+
+[!INCLUDE [allow-microsoft-compatibility-list-shortdesc](../shortdesc/allow-microsoft-compatibility-list-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) |
+|Enabled or not configured
**(default)** |1 |1 |Allowed | |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow Microsoft Compatibility List
+- **GP name:** AllowCVList
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowMicrosoftCompatibilityList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowMicrosoftCompatibilityList
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation
+- **Value name:** MSCompatibilityMode
+- **Value type:** REG_DWORD
+
+
diff --git a/browsers/edge/includes/allow-prelaunch-include.md b/browsers/edge/includes/allow-prelaunch-include.md new file mode 100644 index 0000000000..4721684c1f --- /dev/null +++ b/browsers/edge/includes/allow-prelaunch-include.md @@ -0,0 +1,40 @@ + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Enabled or not configured (Allowed)*
+
+[!INCLUDE [allow-prelaunch-shortdesc](../shortdesc/allow-prelaunch-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled |0 |0 |Prevented/not allowed |![Most restrictive value](../images/check-gn.png) |
+|Enabled or not configured
**(default)** |1 |1 |Allowed | |
+---
+### Configuration options
+
+For more details about configuring the prelaunch and preload options, see [Prelaunch Microsoft Edge and preload tabs in the background](../group-policies/prelaunch-preload-gp.md).
+
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed
+- **GP name:** AllowPreLaunch
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowPrelaunch](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPrelaunch
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\
+- **Value name:** AllowPrelaunch
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/allow-printing-include.md b/browsers/edge/includes/allow-printing-include.md
new file mode 100644
index 0000000000..e6bea96847
--- /dev/null
+++ b/browsers/edge/includes/allow-printing-include.md
@@ -0,0 +1,34 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Enabled or not configured (Allowed)*
+
+[!INCLUDE [allow-printing-shortdesc](../shortdesc/allow-printing-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled |0 |0 |Prevented/not allowed |![Most restrictive value](../images/check-gn.png) |
+|Enabled or not configured
**(default)** |1 |1 |Allowed | |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow printing
+- **GP name:** AllowPrinting
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowPrinting](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprinting)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPrinting
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+- **Value name:** AllowPrinting
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/allow-saving-history-include.md b/browsers/edge/includes/allow-saving-history-include.md
new file mode 100644
index 0000000000..f9d38d178e
--- /dev/null
+++ b/browsers/edge/includes/allow-saving-history-include.md
@@ -0,0 +1,36 @@
+
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Enabled or not configured (Allowed)*
+
+[!INCLUDE [allow-saving-history-shortdesc](../shortdesc/allow-saving-history-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) |
+|Enabled or not configured
**(default)** |1 |1 |Allowed | |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow saving history
+- **GP name:** AllowSavingHistory
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowSavingHistory](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSavingHistory
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+- **Value name:** AllowSavingHistory
+- **Value type:** REG_DWORD
+
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/allow-search-engine-customization-include.md b/browsers/edge/includes/allow-search-engine-customization-include.md
new file mode 100644
index 0000000000..70eb67b646
--- /dev/null
+++ b/browsers/edge/includes/allow-search-engine-customization-include.md
@@ -0,0 +1,52 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Enabled or not configured (Allowed)*
+
+[!INCLUDE [allow-search-engine-customization-shortdesc](../shortdesc/allow-search-engine-customization-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) |
+|Enabled or not configured
**(default)** |1 |1 |Allowed | |
+---
+
+### Configuration options
+
+For more details about configuring the search engine, see [Search engine customization](../group-policies/search-engine-customization-gp.md).
+
+### ADMX info and settings
+
+##### ADMX info
+- **GP English name:** Allow search engine customization
+- **GP name:** AllowSearchEngineCustomization
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowSearchEngineCustomization](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchEngineCustomization
+- **Data type:** Integer
+
+
+#### Registry settings
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Protected
+- **Value name:** AllowSearchEngineCustomization
+- **Value type:** REG_DWORD
+
+
+### Related policies
+
+- [Set default search engine](../available-policies.md#set-default-search-engine): [!INCLUDE [set-default-search-engine-shortdesc](../shortdesc/set-default-search-engine-shortdesc.md)]
+
+- [Configure additional search engines](../available-policies.md#configure-additional-search-engines): [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)]
+
+### Related topics
+
+- [!INCLUDE [man-connections-win-comp-services-shortdesc-include](man-connections-win-comp-services-shortdesc-include.md)]
+
+- [!INCLUDE [search-provider-discovery-shortdesc-include](search-provider-discovery-shortdesc-include.md)]
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/allow-shared-folder-books-include.md b/browsers/edge/includes/allow-shared-folder-books-include.md
new file mode 100644
index 0000000000..16ea570af7
--- /dev/null
+++ b/browsers/edge/includes/allow-shared-folder-books-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1803*
+>*Default setting: Disabled or not configured (Not allowed)*
+
+[!INCLUDE [allow-a-shared-books-folder-shortdesc](../shortdesc/allow-a-shared-books-folder-shortdesc.md)]
+
+### Supported values
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. |![Most restricted value](../images/check-gn.png) |
+|Enabled |1 |1 |Allowed. Microsoft Edge downloads book files to a shared folder.| |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow a shared Books folder
+- **GP name:** UseSharedFolderForBooks
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary
+- **Value name:** UseSharedFolderForBooks
+- **Value type:** REG_DWORD
+
+
diff --git a/browsers/edge/includes/allow-sideloading-extensions-include.md b/browsers/edge/includes/allow-sideloading-extensions-include.md
new file mode 100644
index 0000000000..0ad2b3c542
--- /dev/null
+++ b/browsers/edge/includes/allow-sideloading-extensions-include.md
@@ -0,0 +1,44 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Enabled (Allowed)*
+
+[!INCLUDE [allow-sideloading-of-extensions-shortdesc](../shortdesc/allow-sideloading-of-extensions-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured |0 |0 |Prevented/not allowed. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, enable **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** policy, located at Windows Components > App Package Deployment.

For the MDM setting, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). |![Most restricted value](../images/check-gn.png) |
+|Enabled
**(default)** |1 |1 |Allowed. | |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow sideloading of Extensions
+- **GP name:** AllowSideloadingOfExtensions
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowSideloadingExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSideloadingExtensions
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Extensions
+- **Value name:** AllowSideloadingOfExtensions
+- **Value type:** REG_DWORD
+
+### Related policies
+
+- [Allows development of Windows Store apps and installing them from an integrated development environment (IDE)](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowdeveloperunlock): When you enable this policy and the **Allow all trusted apps to install** policy, you allow users to develop Windows Store apps and install them directly from an IDE.
+
+- [Allow all trusted apps to install](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowalltrustedapps): When you enable this policy, you can manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps.
+
+### Related topics
+
+[Enable your device for development](https://docs.microsoft.com/en-us/windows/uwp/get-started/enable-your-device-for-development): Access development features, along with other developer-focused settings to make it possible for you to develop, test, and debug apps. 
Learn how to configure your environment for development, the difference between Developer Mode and sideloading, and the security risks of Developer mode.
+
+


\ No newline at end of file
diff --git a/browsers/edge/includes/allow-tab-preloading-include.md b/browsers/edge/includes/allow-tab-preloading-include.md
new file mode 100644
index 0000000000..b09c405754
--- /dev/null
+++ b/browsers/edge/includes/allow-tab-preloading-include.md
@@ -0,0 +1,39 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1802*
+>*Default setting: Enabled or not configured (Allowed)*
+
+[!INCLUDE [allow-tab-preloading-shortdesc](../shortdesc/allow-tab-preloading-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled |0 |0 |Prevented/not allowed. |![Most restricted value](../images/check-gn.png) |
+|Enabled or not configured
**(default)** |1 |1 |Allowed. Preload Start and New tab pages. | |
+---
+
+
+### Configuration options
+
+For more details about configuring the prelaunch and preload options, see [Prelaunch Microsoft Edge and preload tabs in the background](../group-policies/prelaunch-preload-gp.md).
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow Microsoft Edge to load the Start and New Tab pages in the background at Windows startup and each time Microsoft Edge is closed
+- **GP name:** AllowTabPreloading
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowTabPreloading](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowTabPreloading
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\TabPreloader
+- **Value name:** AllowTabPreloading
+- **Value type:** REG_DWORD
+
+
diff --git a/browsers/edge/includes/allow-web-content-new-tab-page-include.md b/browsers/edge/includes/allow-web-content-new-tab-page-include.md
new file mode 100644
index 0000000000..f696d40ceb
--- /dev/null
+++ b/browsers/edge/includes/allow-web-content-new-tab-page-include.md
@@ -0,0 +1,37 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Default New tab page loads)*
+
+
+[!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)]
+
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Not configured |Blank |Blank |Users can choose what loads on the New tab page. |
+|Disabled |0 |0 |Load a blank page instead of the default New tab page and prevent users from changing it. |
+|Enabled **(default)** |1 |1 |Load the default New tab page. |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Allow web content on New Tab page
+- **GP name:** AllowWebContentOnNewTabPage
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowWebContentOnNewTabPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowWebContentOnNewTabPage
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI
+- **Value name:** AllowWebContentOnNewTabPage
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/always-enable-book-library-include.md b/browsers/edge/includes/always-enable-book-library-include.md
new file mode 100644
index 0000000000..d5f292b182
--- /dev/null
+++ b/browsers/edge/includes/always-enable-book-library-include.md
@@ -0,0 +1,35 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
+>*Default setting: Disabled or not configured*
+
+
+[!INCLUDE [always-show-books-library-shortdesc](../shortdesc/always-show-books-library-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Show the Books Library only in countries or regions where supported. |![Most restricted value](../images/check-gn.png) |
+|Enabled |1 |1 |Show the Books Library, regardless of the device’s country or region. | |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Always show the Books Library in Microsoft Edge
+- **GP name:** AlwaysEnableBooksLibrary
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AlwaysEnableBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+- **Value name:** AlwaysEnableBooksLibrary
+- **Value type:** REG_DWORD
+
+
diff --git a/browsers/edge/includes/browser-extension-policy-shortdesc-include.md b/browsers/edge/includes/browser-extension-policy-shortdesc-include.md
new file mode 100644
index 0000000000..4a64abb65c
--- /dev/null
+++ b/browsers/edge/includes/browser-extension-policy-shortdesc-include.md
@@ -0,0 +1 @@
+[Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy): This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**.
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-additional-search-engines-include.md b/browsers/edge/includes/configure-additional-search-engines-include.md
new file mode 100644
index 0000000000..0615a1b9a5
--- /dev/null
+++ b/browsers/edge/includes/configure-additional-search-engines-include.md
@@ -0,0 +1,52 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Prevented/not allowed)*
+
+[!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Prevented/not allowed. Microsoft Edge uses the search engine specified in App settings.

If you enabled this policy and now want to disable it, disabling removes all previously configured search engines. |![Most restricted value](../images/check-gn.png) |
+|Enabled |1 |1 |Allowed. Add up to five additional search engines and set any one of them as the default.

For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). | |
+---
+
+
+### Configuration options
+
+For more details about configuring the search engine, see [Search engine customization](../group-policies/search-engine-customization-gp.md).
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure additional search engines
+- **GP name:** ConfigureAdditionalSearchEngines
+- **GP element:** ConfigureAdditionalSearchEngines_Prompt
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ConfigureAdditionalSearchEngines](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureAdditionalSearchEngines
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\OpenSearch
+- **Value name:** ConfigureAdditionalSearchEngines
+- **Value type:** REG_SZ
+
+### Related policies
+
+- [Set default search engine](../available-policies.md\#set-default-search-engine): [!INCLUDE [set-default-search-engine-shortdesc](../shortdesc/set-default-search-engine-shortdesc.md)]
+
+- [Allow search engine customization](../available-policies.md#allow-search-engine-customization): [!INCLUDE [allow-search-engine-customization-shortdesc](../shortdesc/allow-search-engine-customization-shortdesc.md)]
+
+
+### Related topics
+
+- [Microsoft browser extension 
policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy): This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**.
+
+- [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery): Rich search integration is built into the Microsoft Edge address bar, including search suggestions, results from the web, your browsing history, and favorites.
+
+


\ No newline at end of file
diff --git a/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md b/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md
new file mode 100644
index 0000000000..c1a93a7712
--- /dev/null
+++ b/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md
@@ -0,0 +1,34 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Enabled or not configured (Does not load content automatically)*
+
+[!INCLUDE [configure-adobe-flash-click-to-run-setting-shortdesc](../shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled |0 |0 |Load and run Adobe Flash content automatically. | |
+|Enabled or not configured
**(default)** |1 |1 |Do not load or run Adobe Flash content automatically. Requires action from the user. |![Most restricted value](../images/check-gn.png) |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Configure the Adobe Flash Click-to-Run setting
+- **GP name:** AllowFlashClickToRun
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowFlashClickToRun](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFlashClickToRun
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Security
+- **Value name:** FlashClickToRunMode
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-allow-flash-url-list-include.md b/browsers/edge/includes/configure-allow-flash-url-list-include.md
new file mode 100644
index 0000000000..1f13125cd7
--- /dev/null
+++ b/browsers/edge/includes/configure-allow-flash-url-list-include.md
@@ -0,0 +1,36 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting:*
+
+[!INCLUDE [configure-allow-flash-for-url-list-shortdesc](../shortdesc/configure-allow-flash-for-url-list-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+| | | | | |
+| | | | | |
+| | | | | |
+---
+
+![Most restricted value](../images/check-gn.png)
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:**
+- **GP name:**
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[]()
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\
+- **Value name:**
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-autofill-include.md b/browsers/edge/includes/configure-autofill-include.md
new file mode 100644
index 0000000000..5d4adef785
--- /dev/null
+++ b/browsers/edge/includes/configure-autofill-include.md
@@ -0,0 +1,34 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Not configured*
+
+[!INCLUDE [configure-autofill-shortdesc](../shortdesc/configure-autofill-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Not configured
**(default)** | Blank |Blank |Users can choose to use AutoFill. | |
+|Disabled | 0 | no | Prevented. |![Most restricted value](../images/check-gn.png) |
+|Enabled |1 |yes | Allowed. | |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Autofill
+- **GP name:** AllowAutofill
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowAutofill](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser\#browser-allowautofill)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAutofill
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+- **Value name:** Use FormSuggest
+- **Value type:** REG_SZ
+
+
diff --git a/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md b/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md
new file mode 100644
index 0000000000..755c437c3f
--- /dev/null
+++ b/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md
@@ -0,0 +1,54 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Disabled or not configured (No data collected or sent)*
+
+[!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)]
+
+
+>[!IMPORTANT]
+>For this policy to work, enable the Allow Telemetry policy with the _Enhanced_ option and enable the Configure the Commercial ID policy by providing the Commercial ID.
+
+### Supported values
+
+>[!div class="mx-tableFixed"]
+>|Group Policy |MDM |Registry |Description |Most restricted |
+>|---|:---:|:---:|---|:---:|
+>|Disabled or not configured
**(default)** |0 |0 |No data collected or sent |![Most restricted value](../images/check-gn.png) |
+>|Enabled |1 |1 |Send intranet history only | |
+>|Enabled |2 |2 |Send Internet history only | |
+>|Enabled |3 |3 |Send both intranet and Internet history | |
+---
+
+>>You can find this policy and the related policies in the following location of the Group Policy Editor:
+>>
+>>**_Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\_**
+>>
+
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure collection of browsing data for Microsoft 365 Analytics
+- **GP name:** ConfigureTelemetryForMicrosoft365Analytics
+- **GP element:** ZonesListBox
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+
+#### MDM settings
+- **MDM name:** Browser/[ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureTelemetryForMicrosoft365Analytics
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
+- **Value name:** MicrosoftEdgeDataOptIn
+- **Value type:** REG_DWORD
+
+### Related policies
+- Allow Telemetry: Allows Microsoft to run diagnostics on the device and troubleshoot. The default setting for Allow Telemetry is set to _Enhanced_ (2 for MDM).
+
+- Configure the Commercial ID: Define the Commercial ID used to associate the device's telemetry data as belonging to a given organization.
+
+
diff --git a/browsers/edge/includes/configure-cookies-include.md b/browsers/edge/includes/configure-cookies-include.md
new file mode 100644
index 0000000000..f89816f8d8
--- /dev/null
+++ b/browsers/edge/includes/configure-cookies-include.md
@@ -0,0 +1,35 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured (Allow all cookies from all sites)*
+
+[!INCLUDE [configure-cookies-shortdesc](../shortdesc/configure-cookies-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Enabled |0 |0 |Block all cookies from all sites |![Most restricted value](../images/check-gn.png) |
+|Enabled |1 |1 |Block only coddies from third party websites | |
+|Disabled or not configured
**(default)** |2 |2 |Allow all cookies from all sites | |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure cookies
+- **GP name:** Cookies
+- **GP element:** CookiesListBox
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowCookies](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser\#browser-allowcookies)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowCookies
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+- **Value name:** Cookies
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-do-not-track-include.md b/browsers/edge/includes/configure-do-not-track-include.md
new file mode 100644
index 0000000000..95011f3a6b
--- /dev/null
+++ b/browsers/edge/includes/configure-do-not-track-include.md
@@ -0,0 +1,34 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Not configured (Do not send tracking information)*
+
+[!INCLUDE [configure-do-not-track-shortdesc](../shortdesc/configure-do-not-track-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Not configured
**(default)** |Blank |Blank |Do not send tracking information but let users choose to send tracking information to sites they visit. | |
+|Disabled |1 |1 |Never send tracking information. | |
+|Enabled |1 |1 |Send tracking information. |![Most restricted value](../images/check-gn.png) |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Do Not Track
+- **GP name:** AllowDoNotTrack
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowDoNotTrack](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+- **Value name:** DoNotTrack
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md
new file mode 100644
index 0000000000..44539d481e
--- /dev/null
+++ b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md
@@ -0,0 +1,46 @@
+
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: 5 minutes* + +[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] + +You must set the Configure kiosk mode policy to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc). + +### Supported values + +- **Any integer from 1-1440 (5 minutes is the default)** – The time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. A confirmation dialog displays for the user to cancel or continue and automatically continues after 30 seconds. + +- **0** – No idle timer. + +### ADMX info and settings +#### ADMX info +- **GP English name:** Configure kiosk reset after idle timeout +- **GP name:** ConfigureKioskResetAfterIdleTimeout +- **GP element:** ConfigureKioskResetAfterIdleTimeout_TextBox +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout +- **Data type:** Integer + +#### Registry settings +- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode +- **Value name:**ConfigureKioskResetAfterIdleTimeout +- **Value type:** REG_DWORD + + + +### Related policies + +[Configure kiosk mode](../new-policies.md#configure-kiosk-mode): [!INCLUDE 
[configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)] + + + +### Related topics +[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to setup your Microsoft Edge kiosk mode experience. + +
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md
new file mode 100644
index 0000000000..6816cc3d29
--- /dev/null
+++ b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md
@@ -0,0 +1,55 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured*
+
+
+[!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Disabled or not configured
**(default)** |0 |0 |Turned off. Microsoft Edge does not check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps. |
+|Enabled |1 |1 |Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the **{URI}** box.

For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](../group-policies/interoperability-enterprise-guidance-gp.md). |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Configure the Enterprise Mode Site List
+- **GP name:** EnterpriseModeSiteList
+- **GP element:** EnterSiteListPrompt
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[EnterpriseModeSiteList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList
+- **Data type:** String
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode
+- **Value name:** SiteList
+- **Value type:** REG_SZ
+
+### Related Policies
+
+[Show message opening sites in IE](../available-policies.md#show-message-when-opening-sites-in-internet-explorer): [!INCLUDE
+[show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)]
+
+### Related topics
+
+- [Use Enterprise Mode to improve compatibility](https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility). If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11. Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. 
+
+- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode.
+
+- [Enterprise Mode for Internet Explorer 11](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company.
+
+- [Enterprise Mode and the Enterprise Mode Site List](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode). Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool specifically targeted towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal).
+
+- [Enterprise Mode and the Enterprise Mode Site List XML file](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode#enterprise-mode-and-the-enterprise-mode-site-list-xml-file). The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using Enterprise Mode Site List Manager (schema v.2), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your users can easily view this site list by typing about:compat in either Microsoft Edge or IE11.
+
+
+
+


\ No newline at end of file
diff --git a/browsers/edge/includes/configure-favorites-bar-include.md b/browsers/edge/includes/configure-favorites-bar-include.md
new file mode 100644
index 0000000000..ffa1fff8c1
--- /dev/null
+++ b/browsers/edge/includes/configure-favorites-bar-include.md 
@@ -0,0 +1,37 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, new major release*
+>*Default setting: Not configured (Hidden)*
+
+
+[!INCLUDE [allow-favorites-bar-shortdesc](../shortdesc/configure-favorites-bar-shortdesc.md)]
+
+
+### Supported values
+
+>[!div class="mx-tableFixed"]
+>|Group Policy |MDM |Registry |Description |
+>|---|:---:|:---:|---|
+>|Not configured **(default)** |Blank |Blank |Hide the favorites bar but show it on the Start and New tab pages. The favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. |
+>|Disabled |0 |0 |Hide the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to Off and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. |
+>|Enabled |1 |1 |Show the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to On and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Favorites Bar
+- **GP name:** ConfigureFavoritesBar
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ConfigureFavoritesBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureFavoritesBar
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Main
+- **Value name:** ConfigureFavoritesBar
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-favorites-include.md b/browsers/edge/includes/configure-favorites-include.md
new file mode 100644
index 0000000000..4b4862fef7
--- /dev/null
+++ b/browsers/edge/includes/configure-favorites-include.md
@@ -0,0 +1,4 @@
+
+>Use the **[Provision Favorites](../available-policies.md#provision-favorites)** policy in place of Configure Favorites.
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-home-button-include.md b/browsers/edge/includes/configure-home-button-include.md
new file mode 100644
index 0000000000..22ecd41552
--- /dev/null
+++ b/browsers/edge/includes/configure-home-button-include.md
@@ -0,0 +1,53 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured (Show home button and load the Start page)*
+
+
+[!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)]
+
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Disabled or not configured
**(default)** |0 |0 |Show home button and load the Start page. |
+|Enabled |1 |1 |Show home button and load the New tab page. |
+|Enabled |2 |2 |Show home button and load the custom URL defined in the Set Home button URL policy. |
+|Enabled |3 |3 |Hide home button. |
+---
+
+### Configuration options
+
+For more details about configuring the different Home button options, see [Home button configuration options](../group-policies/home-button-gp.md).
+
+>[!TIP]
+>If you want to make changes to this policy:
  1. Enable the **Unlock Home Button** policy.
  2. Make changes to the **Configure Home button** policy or **Set Home button URL** policy.
  3. Disable the **Unlock Home Button** policy.
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Home button
+- **GP name:** ConfigureHomeButton
+- **GP element:** ConfigureHomeButtonDropdown
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ConfigureHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings
+- **Value name:** ConfigureHomeButton
+- **Value type:** REG_DWORD
+
+### Related policies
+
+- [Set Home button URL](../new-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)]
+
+- [Unlock Home button](../new-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)]
+
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-inprivate-include.md b/browsers/edge/includes/configure-inprivate-include.md
new file mode 100644
index 0000000000..c04c0d0150
--- /dev/null
+++ b/browsers/edge/includes/configure-inprivate-include.md
@@ -0,0 +1,32 @@
+## Configure InPrivate
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured
+
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+| | | | | |
+| | | | | |
+| | | | | |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:**
+- **GP name:**
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[]()
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\
+- **Value name:**
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md b/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md
new file mode 100644
index 0000000000..034fd5b55e
--- /dev/null
+++ b/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md
@@ -0,0 +1,46 @@
+
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Not configured*
+
+[!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)]
+
+For this policy to work, you must configure Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://aka.ms/E489vw).
+
+### Supported values
+
+| | |
+|---|---|
+|(0) Default or not configured | |
+|(1) Enabled | |
+---
+
+![Microsoft Edge kiosk experience](../images/microsoft-edge-kiosk-mode.png)
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure kiosk mode
+- **GP name:** ConfigureKioskMode
+- **GP element:** ConfigureKioskMode_TextBox
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ConfigureKioskMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode
+- **Value name:** ConfigureKioskMode
+- **Value type:** REG_SZ
+
+### Related policies
+[Configure kiosk reset after idle timeout](../new-policies.md#configure-kiosk-reset-after-idle-timeout): [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)]
+
+
+### Related topics
+[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. 
In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to setup your Microsoft Edge kiosk mode experience.
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-open-edge-with-include.md b/browsers/edge/includes/configure-open-edge-with-include.md
new file mode 100644
index 0000000000..12b37c700d
--- /dev/null
+++ b/browsers/edge/includes/configure-open-edge-with-include.md
@@ -0,0 +1,61 @@
+
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Enabled (A specific page or pages)*
+
+[!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)]
+
+**Version 1703 or later:**
If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non domain-joined devices when it's the only configured URL.
+
+**Version 1810:**
When you enable this policy (Configure Open Microsoft Edge With) and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.

+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Not configured |Blank |Blank |If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. |
+|Enabled |0 |0 |Loads the Start page. |
+|Enabled |1 |1 |Load the New tab page. |
+|Enabled |2 |2 |Load the previous pages. |
+|Enabled
**(default)** |3 |3 |Load a specific page or pages. |
+---
+
+### Configuration options
+
+For more details about configuring the Start pages, see [Start pages configuration options](../group-policies/start-pages-gp.md).
+
+
+>[!TIP]
+>If you want to make changes to this policy:

  1. Set the **Disabled Lockdown of Start Pages** policy to not configured.
  2. Make changes to the **Configure Open Microsoft With** policy.
  3. Enable the **Disabled Lockdown of Start Pages** policy.
+
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Open Microsoft Edge With
+- **GP name:** ConfigureOpenMicrosoftEdgeWith
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ConfigureOpenEdgeWith](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureOpenEdgeWith
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings
+- **Value name:** ConfigureOpenEdgeWith
+- **Value type:** REG_DWORD
+
+### Related policies
+
+- [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)]
+
+- [Disable lockdown of Start pages](../available-policies.md#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)]
+
+
+
+
+
+---
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-password-manager-include.md b/browsers/edge/includes/configure-password-manager-include.md
new file mode 100644
index 0000000000..01ab2e2bea
--- /dev/null
+++ b/browsers/edge/includes/configure-password-manager-include.md
@@ -0,0 +1,39 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Allowed/users can change the setting)*
+
+[!INCLUDE [configure-password-manager-shortdesc](../shortdesc/configure-password-manager-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Not configured |Blank |Blank |Users can choose to save and manage passwords locally. | |
+|Disabled |0 |no |Not allowed. |![Most restricted value](../images/check-gn.png) |
+|Enabled
**(default)** |1 |yes |Allowed. | |
+---
+
+Verify not allowed/disabled settings:
+1. In the upper-right corner of Microsoft Edge or Microsoft Edge for Windows 10 Mobile, click or tap ellipses (…).
+2. Click **Settings** and select **View Advanced settings**.
+3. Verify the settings **Save Password** is toggled off or on and is greyed out.
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Password Manager
+- **GP name:** AllowPasswordManager
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Main
+- **Value name:** FormSuggest Passwords
+- **Value type:** REG_SZ
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-pop-up-blocker-include.md b/browsers/edge/includes/configure-pop-up-blocker-include.md
new file mode 100644
index 0000000000..0b63fbd96e
--- /dev/null
+++ b/browsers/edge/includes/configure-pop-up-blocker-include.md
@@ -0,0 +1,34 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled (Turned off)*
+
+[!INCLUDE [configure-pop-up-blocker-shortdesc](../shortdesc/configure-pop-up-blocker-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Not configured |Blank |Blank |Users can choose to use Pop-up Blocker. | |
+|Disabled
**(default)** |0 |0 |Turn off Pop-up Blocker letting pop-up windows open. | |
+|Enabled |1 |1 |Turn on Pop-up Blocker stopping pop-up windows from opening. |![Most restricted value](../images/check-gn.png) |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Pop-up Blocker
+- **GP name:** AllowPopups
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowPopups](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpopups)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPopups
+- **Data type:** Integer
+
+### Registry
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+- **Value name:** AllowPopups
+- **Value type:** REG_SZ
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-search-suggestions-address-bar-include.md b/browsers/edge/includes/configure-search-suggestions-address-bar-include.md
new file mode 100644
index 0000000000..5ee81ccabb
--- /dev/null
+++ b/browsers/edge/includes/configure-search-suggestions-address-bar-include.md
@@ -0,0 +1,34 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Not configured*
+
+[!INCLUDE [configure-search-suggestions-in-address-bar-shortdesc](../shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Not configured
**(default)** |Blank |Blank |Users can choose to see search suggestions. | |
+|Disabled |0 |0 |Prevented/not allowed. Hide the search suggestions. |![Most restricted value](../images/check-gn.png) |
+|Enabled |1 |1 |Allowed. Show the search suggestions. | |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure search suggestions in Address bar
+- **GP name:** AllowSearchSuggestionsinAddressBar
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes
+- **Value name:** ShowSearchSuggestionsGlobal
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-start-pages-include.md b/browsers/edge/includes/configure-start-pages-include.md
new file mode 100644
index 0000000000..4a5c023576
--- /dev/null
+++ b/browsers/edge/includes/configure-start-pages-include.md
@@ -0,0 +1,47 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Blank or not configured (Load pages specified in App settings)*
+
+[!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Not configured |Blank |Blank |Load the pages specified in App settings as the default Start pages. |
+|Enabled |String |String |Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets:

    \\

**Version 1703 or later:**
If you do not want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL.

**Version 1810:**
When you enable the Configure Open Microsoft Edge With policy with any option selected, and you enable the Configure Start Pages policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the Configure Start Pages policy. |
+---
+
+### Configuration options
+
+For more details about configuring the Start pages, see [Start pages configuration options](../group-policies/start-pages-gp.md).
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Start pages
+- **GP name:** HomePages
+- **GP element:** HomePagesPrompt
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages
+- **Data type:** String
+
+#### Registry settings
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings
+- **Value name:** ProvisionedHomePages
+- **Value type:** REG_SZ
+
+
+### Related policies
+
+- [Disable Lockdown of Start Pages](#disable-lockdown-of-start-pages-include): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)]
+
+- [Configure Open Microsoft Edge With](../new-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)]
+
+
+
+


\ No newline at end of file
diff --git a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md
new file mode 100644
index 0000000000..2baca3bc94
--- /dev/null
+++ b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md
@@ -0,0 +1,40 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Turned on)*
+
+[!INCLUDE [configure-windows-defender-smartscreen-shortdesc](../shortdesc/configure-windows-defender-smartscreen-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Not configured |Blank |Blank |Users can choose to use Windows Defender SmartScreen or not. | |
+|Disabled |0 |0 |Turned off. Do not protect users from potential threats and prevent users from turning it on. | |
+|Enabled |1 |1 |Turned on. Protect users from potential threats and prevent users from turning it off. |![Most restricted value](../images/check-gn.png) |
+---
+
+To verify Windows Defender SmartScreen is turned off (disabled):
+1. In the upper-right corner of Microsoft Edge or Microsoft Edge for Windows 10 Mobile, click or tap the ellipses (**...**).
+2. Click **Settings** and select **View Advanced Settings**.
+3. At the bottom, verify that **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out.

![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.PNG)
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Windows Defender SmartScreen
+- **GP name:** AllowSmartScreen
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter
+- **Value name:** EnabledV9
+- **Value type:** REG_DWORD
+
+


\ No newline at end of file
diff --git a/browsers/edge/includes/disable-lockdown-of-start-pages-include.md b/browsers/edge/includes/disable-lockdown-of-start-pages-include.md
new file mode 100644
index 0000000000..dc266010e5
--- /dev/null
+++ b/browsers/edge/includes/disable-lockdown-of-start-pages-include.md
@@ -0,0 +1,51 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Start pages are not editable)*
+
+[!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Not configured |0 |0 |Lockdown Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy. |![Most restricted value](../images/check-gn.png) |
+|Enabled |1 |1 |Unlocked. Users can make changes to all configured start pages.

When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. | |
+---
+
+### Configuration options
+
+For more details about configuring the Start pages, see [Start pages configuration options](../group-policies/start-pages-gp.md).
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Disable lockdown of Start pages
+- **GP name:** DisableLockdownOfStartPages
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[DisableLockdownOfStartPages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/DisableLockdownOfStartPages
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings
+- **Value name:** DisableLockdownOfStartPages
+- **Value type:** REG_SZ
+
+
+
+
+
+### Related Policies
+- [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)]
+
+- [Configure Open Microsoft Edge With](../new-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)]
+
+### Related topics
+
+[!INCLUDE [browser-extension-policy-shortdesc-include](browser-extension-policy-shortdesc-include.md)]
+
+


\ No newline at end of file
diff --git a/browsers/edge/includes/do-not-prompt-client-cert-if-only-one-exists-include.md b/browsers/edge/includes/do-not-prompt-client-cert-if-only-one-exists-include.md
new file mode 100644
index 0000000000..b1fc2dd88c
--- /dev/null
+++ b/browsers/edge/includes/do-not-prompt-client-cert-if-only-one-exists-include.md
@@ -0,0 +1,31 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured*
+
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+| | | | | |
+| | | | | |
+| | | | | |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:**
+- **GP name:**
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[]()
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\
+- **Value name:**
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/do-not-sync-browser-settings-include.md b/browsers/edge/includes/do-not-sync-browser-settings-include.md
new file mode 100644
index 0000000000..267812b6ac
--- /dev/null
+++ b/browsers/edge/includes/do-not-sync-browser-settings-include.md
@@ -0,0 +1,51 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured (Allowed/turned on)*
+
+[!INCLUDE [do-not-sync-browser-settings-shortdesc](../shortdesc/do-not-sync-browser-settings-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Disabled or not configured
**(default)** |0 |0 |Allowed/turned on. The “browser” group syncs automatically between user’s devices and lets users to make changes. |
+|Enabled |2 |2 |Prevented/turned off. The “browser” group does not use the _Sync your Settings_ option. |
+---
+
+### Configuration options
+
+For more details about configuring the browser syncing options, see [Sync browser settings options](../group-policies/sync-browser-settings-gp.md).
+
+
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Do not sync browser settings
+- **GP name:** DoNotSyncBrowserSettings
+- **GP path:** Windows Components/Sync your settings
+- **GP ADMX file name:** SettingSync.admx
+
+#### MDM settings
+- **MDM name:** [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSettings
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\\Software\Policies\Microsoft\Windows\SettingSync
+- **Value name:** DisableWebBrowserSettingSyncUserOverride
+- **Value type:** REG_DWORD
+
+
+### Related policies
+
+[Prevent users from turning on browser syncing](../new-policies.md#prevent-users-from-turning-on-browser-syncing): [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)]
+
+
+
+### Related topics
+
+[About sync setting on Microsoft Edge on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices)
+

+


diff --git a/browsers/edge/includes/do-not-sync-include.md b/browsers/edge/includes/do-not-sync-include.md
new file mode 100644
index 0000000000..8bd1b9e20f
--- /dev/null
+++ b/browsers/edge/includes/do-not-sync-include.md
@@ -0,0 +1,37 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured (Turned on)*
+
+[!INCLUDE [do-not-sync-shortdesc](../shortdesc/do-not-sync-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Allowed/turned on. Users can choose what to sync to their device. | |
+|Enabled |2 |2 |Prevented/turned off. Disables the Sync your Settings toggle and prevents syncing. |![Most restricted value](../images/check-gn.png) |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Do not sync
+- **GP name:** AllowSyncMySettings
+- **GP path:** Windows Components/Sync your settings
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Experience/[AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\Windows\SettingSync
+- **Value name:** DisableSettingSyn
+- **Value type:** REG_DWORD
+
+### Related topics
+[About sync setting on Microsoft Edge on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices): Learn about what settings are sync'ed.
+
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/edge-respects-applocker-lists-include.md b/browsers/edge/includes/edge-respects-applocker-lists-include.md
new file mode 100644
index 0000000000..3f6b0aa3ce
--- /dev/null
+++ b/browsers/edge/includes/edge-respects-applocker-lists-include.md
@@ -0,0 +1,22 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured
+
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+| | | | | |
+| | | | | |
+| | | | | |
+---
+
+### ADMX info and settings
+| | |
+|---|---|
+|ADMX info | |
+|MDM settings | |
+|Registry | |
+---
+
+
+---
\ No newline at end of file
diff --git a/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md b/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md
new file mode 100644
index 0000000000..f724a38af6
--- /dev/null
+++ b/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md
@@ -0,0 +1 @@
+[Enable your device for development](https://docs.microsoft.com/en-us/windows/uwp/get-started/enable-your-device-for-development): Developers can access special development features, along with other developer-focused settings, which makes it possible for them to develop, test, and debug apps. Learn how to configure your environment for development, the difference between Developer Mode and sideloading, and the security risks of Developer mode.
\ No newline at end of file
diff --git a/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md b/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md
new file mode 100644
index 0000000000..ed4e9b1019
--- /dev/null
+++ b/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md
@@ -0,0 +1,7 @@
+>*Supported versions: Internet Explorer 11 on Windows 10, version 1607 or later*
+>*Default setting: Disabled or not configured*
+
+By default, all sites open the currently active browser. With this policy, you can automatically open all sites not included in the Enterprise Mode Site List in Microsoft Edge. When you enable this policy, you must also turn on the Internet Explorer\Use the Enterprise Mode IE website list policy and include at least one site in the Enterprise Mode Site List.
+
+>[!NOTE]
+>If you’ve also enabled the Microsoft Edge [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11) policy, all intranet sites continue to open in Internet Explorer 11.
diff --git a/browsers/edge/includes/keep-fav-sync-ie-edge-include.md b/browsers/edge/includes/keep-fav-sync-ie-edge-include.md
new file mode 100644
index 0000000000..e9e73eb750
--- /dev/null
+++ b/browsers/edge/includes/keep-fav-sync-ie-edge-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Turned off/not syncing)*
+
+[!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Turned off/not syncing. | |
+|Enabled |1 |1 |Turned on/syncing. |![Most restricted value](../images/check-gn.png) |
+---
+
+### ADMX info and settings
+### ADMX info
+- **GP English name:** Keep favorites in sync between Internet Explorer and Microsoft Edge
+- **GP name:** SyncFavoritesBetweenIEAndMicrosoftEdge
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main
+- **Value name:** SyncFavoritesBetweenIEAndMicrosoftEdge
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md b/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md
new file mode 100644
index 0000000000..c0590648fa
--- /dev/null
+++ b/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md
@@ -0,0 +1 @@
+[Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/en-us/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services): Learn about the network connections from Windows to Microsoft services. Also, learn about the privacy settings that affect the data shared with either Microsoft or apps and how to manage them in an enterprise. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment.
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-access-about-flag-include.md b/browsers/edge/includes/prevent-access-about-flag-include.md
new file mode 100644
index 0000000000..a2f7492948
--- /dev/null
+++ b/browsers/edge/includes/prevent-access-about-flag-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
+>*Default setting: Disabled or not configured (Allowed)*
+
+[!INCLUDE [prevent-access-to-about-flags-page-shortdesc](../shortdesc/prevent-access-to-about-flags-page-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Allowed. | |
+|Enabled |1 |1 |Prevents users from access the about:flags page. |![Most restricted value](../images/check-gn.png) |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Prevent access to the about:flags page in Microsoft Edge
+- **GP name:** PreventAccessToAboutFlagsInMicrosoftEdge
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main
+- **Value name:** PreventAccessToAboutFlagsInMicrosoftEdge
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md b/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md
new file mode 100644
index 0000000000..e547317eb3
--- /dev/null
+++ b/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Disabled or not configured (Allowed/turned off)*
+
+[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-files-shortdesc](../shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s). | |
+|Enabled |1 |1 |Prevented/turned on. |![Most restricted value](../images/check-gn.png) |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Prevent bypassing Windows Defender SmartScreen prompts for files
+- **GP name:** PreventSmartScreenPromptOverrideForFiles
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter
+- **Value name:** PreventOverrideAppRepUnknown
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md b/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md
new file mode 100644
index 0000000000..e57bb9f213
--- /dev/null
+++ b/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Disabled or not configured (Allowed/turned off)*
+
+[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-sites-shortdesc](../shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Allowed/turned off. Users can ignore the warning and continue to the site.| |
+|Enabled |1 |1 |Prevented/turned on. |![Most restricted value](../images/check-gn.png) |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Prevent bypassing Windows Defender SmartScreen prompts for sites
+- **GP name:** PreventSmartscreenPromptOverride
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[PreventSmartscreenPromptOverride](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter
+- **Value name:** PreventOverride
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-certificate-error-overrides-include.md b/browsers/edge/includes/prevent-certificate-error-overrides-include.md
new file mode 100644
index 0000000000..052ef6499e
--- /dev/null
+++ b/browsers/edge/includes/prevent-certificate-error-overrides-include.md
@@ -0,0 +1,32 @@
+
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Disabled or not configured (Allowed/turned off)*
+
+[!INCLUDE [prevent-certificate-error-overrides-shortdesc](../shortdesc/prevent-certificate-error-overrides-shortdesc.md)]
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Allowed/turned on. Override the security warning to sites that have SSL errors. | |
+|Enabled |1 |1 |Prevented/turned on. |![Most restricted value](../images/check-gn.png) |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Prevent certificate error overrides
+- **GP name:** PreventCertErrorOverrides
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[PreventCertErrorOverrides](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventCertErrorOverrides
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Setting
+- **Value name:** PreventCertErrorOverrides
+- **Value type:** REG_DWORD
+
+
diff --git a/browsers/edge/includes/prevent-changes-to-favorites-include.md b/browsers/edge/includes/prevent-changes-to-favorites-include.md
new file mode 100644
index 0000000000..4bbb97f4b0
--- /dev/null
+++ b/browsers/edge/includes/prevent-changes-to-favorites-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
+>*Default setting: Disabled or not configured (Allowed/not locked down)*
+
+[!INCLUDE [prevent-changes-to-favorites-shortdesc](../shortdesc/prevent-changes-to-favorites-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Allowed/not locked down. Users can add, import, and make changes to the Favorites list. | |
+|Enabled |1 |1 |Prevented/locked down. |![Most restricted value](../images/check-gn.png) |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Prevent changes to Favorites on Microsoft Edge
+- **GP name:** LockdownFavorites
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[LockdownFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/LockdownFavorites
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Favorites
+- **Value name:** LockdownFavorites
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-first-run-webpage-open-include.md b/browsers/edge/includes/prevent-first-run-webpage-open-include.md
new file mode 100644
index 0000000000..61192efbcf
--- /dev/null
+++ b/browsers/edge/includes/prevent-first-run-webpage-open-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Allowed)*
+
+[!INCLUDE [prevent-first-run-webpage-from-opening-shortdesc](../shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Allowed. Microsoft Edge loads the welcome page. | |
+|Enabled |1 |1 |Prevented. |![Most restricted value](../images/check-gn.png) |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Prevent the First Run webpage from opening on Microsoft Edge
+- **GP name:** PreventFirstRunPage
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[PreventFirstRunPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage
+- **Data type:** Integer
+
+####Registry
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main
+- **Value name:** PreventFirstRunPage
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-live-tile-pinning-start-include.md b/browsers/edge/includes/prevent-live-tile-pinning-start-include.md
new file mode 100644
index 0000000000..844e72d227
--- /dev/null
+++ b/browsers/edge/includes/prevent-live-tile-pinning-start-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Collect and send)*
+
+[!INCLUDE [prevent-edge-from-gathering-live-tile-info-shortdesc](../shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Collect and send Live Tile metadata. | |
+|Enabled |1 |1 |Do not collect. |![Most restricted value](../images/check-gn.png) |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start
+- **GP name:** PreventLiveTileDataCollection
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[PreventLiveTileDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventLiveTileDataCollection
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main
+- **Value name:** PreventLiveTileDataCollection
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md b/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md
new file mode 100644
index 0000000000..4b5e20e3cb
--- /dev/null
+++ b/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Disabled or not configured (Allowed/show localhost IP addresses)*
+
+[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Allowed. Show localhost IP addresses. | |
+|Enabled |1 |1 |Prevented. |![Most restricted value](../images/check-gn.png) |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Prevent using Localhost IP address for WebRTC
+- **GP name:** HideLocalHostIPAddress
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main
+- **Value name:** HideLocalHostIPAddress
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file diff --git a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md new file mode 100644 index 0000000000..dad8213fef --- /dev/null +++ b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md @@ -0,0 +1,46 @@ + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Disabled or not configured (Allowed)* + +[!INCLUDE [prevent-turning-off-required-extensions-shortdesc](../shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] + +### Supported values + +|Group Policy |Description | +|---|---| +|Disabled or not configured
**(default)** |Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored. | +|Enabled |Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper and Office Online extension prevents users from turning it off:

_Microsoft.OneNoteWebClipper8wekyb3d8bbwe;Microsoft.OfficeOnline8wekyb3d8bbwe_

After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune. Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. | +--- + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent turning off required extensions +- **GP name:** PreventTurningOffRequiredExtensions +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** Browser/[PreventTurningOffRequiredExtensions](../new-policies.md#prevent-turning-off-required-extensions) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventTurningOffRequiredExtensions +- **Data type:** String + +#### Registry settings +- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Extensions +- **Value name:** PreventTurningOffRequiredExtensions +- **Value type:** REG_SZ + +### Related policies +[Allow Developer Tools](../available-policies.md#allow-developer-tools): [!INCLUDE [allow-developer-tools-shortdesc](../shortdesc/allow-developer-tools-shortdesc.md)] + + +### Related topics + +- [Find a package family name (PFN) for per-app VPN](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn): There are two ways to find a PFN so that you can configure a per-app VPN. +- [How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/en-us/intune/windows-store-for-business): The Microsoft Store for Business gives you a place to find and purchase apps for your organization, individually, or in volume. 
By connecting the store to Microsoft Intune, you can manage volume-purchased apps from the Azure portal. +- [How to assign apps to groups with Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-deploy): Apps can be assigned to devices whether or not they are managed by Intune. +- [Manage apps from the Microsoft Store for Business with System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business): Configuration Manager supports managing Microsoft Store for Business apps on both Windows 10 devices with the Configuration Manager client, and also Windows 10 devices enrolled with Microsoft Intune. +- [How to add Windows line-of-business (LOB) apps to Microsoft Intune](https://docs.microsoft.com/en-us/intune/lob-apps-windows): A line-of-business (LOB) app is one that you add from an app installation file. These types of apps are typically written in-house. + +


\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md b/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md
new file mode 100644
index 0000000000..9ee99665b0
--- /dev/null
+++ b/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md
@@ -0,0 +1,40 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Enabled or not configured (Prevented/turned off)*
+
+[!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)]
+
+### Supported values
+|Group Policy |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Disabled |0 |0 |Allowed/turned on. Users can sync the browser settings. |
+|Enabled or not configured
**(default)** |1 |1 |Prevented/turned off. |
+---
+
+### Configuration options
+
+For more details about configuring the browser syncing options, see [Sync browser settings options](../group-policies/sync-browser-settings-gp.md).
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Prevent users from turning on browser syncing
+- **GP name:** PreventUsersFromTurningOnBrowserSyncing
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Experience/[PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/PreventUsersFromTurningOnBrowserSyncing
+- **Data type:** String
+
+
+### Related policies
+[Do not sync browser settings](../available-policies.md#do-not-sync-browser-settings): [!INCLUDE [do-not-sync-browser-settings-shortdesc](../shortdesc/do-not-sync-browser-settings-shortdesc.md)].
+
+### Related topics
+[About sync setting on Microsoft Edge on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices)
+
+
+
\ No newline at end of file diff --git a/browsers/edge/includes/provision-favorites-include.md b/browsers/edge/includes/provision-favorites-include.md new file mode 100644 index 0000000000..7601beff81 --- /dev/null +++ b/browsers/edge/includes/provision-favorites-include.md @@ -0,0 +1,40 @@ + +>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Disabled or not configured (Customizable)* + +[!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)] + +>[!IMPORTANT] +>Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. + +### Supported values + +|Group Policy |Description |Most restricted | +|---|---|:---:| +|Disabled or not configured
**(default)** |Default list of favorites not defined in Microsoft Edge. In this case, the Favorites list is customizable, such as adding folders, or adding and removing favorites. | | +|Enabled |Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.

To define a default list of favorites, do the following:

  1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
  2. Click **Import from another browser**, click **Export to file**, and save the file.
  3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
    • HTTP location: "SiteList"=http://localhost:8080/URLs.html
    • Local network: "SiteList"="\network\shares\URLs.html"
    • Local file: "SiteList"=file:///c:\Users\\Documents\URLs.html
|![Most restricted value](../images/check-gn.png) |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Provision Favorites
+- **GP name:** ConfiguredFavorites
+- **GP element:** ConfiguredFavoritesPrompt
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ProvisionFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites
+- **Data type:** String
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Favorites
+- **Value name:** ConfiguredFavorites
+- **Value type:** REG_SZ
+
+### Related policies
+[Keep favorites in sync between Internet Explorer and Microsoft Edge](../available-policies.md#keep-favorites-in-sync-between-internet-explorer-and-microsoft-edge): [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)]
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/search-provider-discovery-shortdesc-include.md b/browsers/edge/includes/search-provider-discovery-shortdesc-include.md
new file mode 100644
index 0000000000..e550bc4e57
--- /dev/null
+++ b/browsers/edge/includes/search-provider-discovery-shortdesc-include.md
@@ -0,0 +1 @@
+[Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery): Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar.
\ No newline at end of file
diff --git a/browsers/edge/includes/send-all-intranet-sites-ie-include.md b/browsers/edge/includes/send-all-intranet-sites-ie-include.md
new file mode 100644
index 0000000000..1155d908d3
--- /dev/null
+++ b/browsers/edge/includes/send-all-intranet-sites-ie-include.md
@@ -0,0 +1,51 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured*
+
+[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)]
+
+>[!TIP]
+>Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager. Allowed values.
+
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |All sites, including intranet sites, open in Microsoft Edge automatically. |![Most restricted value](../images/check-gn.png) |
+|Enabled |1 |1 |Only intranet sites open in Internet Explorer 11 automatically.

Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser.

  1. In Group Policy Editor, navigate to:

    **Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**

  2. Click **Enabled**, refresh the policy, and then view the affected sites in Microsoft Edge.

    A message displays saying that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.

| |
+---
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Send all intranet sites to Internet Explorer 11
+- **GP name:** SendIntranetTraffictoInternetExplorer
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+- **Value name:** SendIntranetTraffictoInternetExplorer
+- **Value type:** REG_DWORD
+
+### Related Policies
+- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)]
+
+- [Show message when opening sites in Internet Explorer](../available-policies.md#show-message-when-opening-sites-in-internet-explorer): [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)]
+
+
+### Related topics
+- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035). Many customers depend on legacy features only available in older versions of Internet Explorer and are familiar with our Enterprise Mode tools for IE11. The Enterprise Mode has been extended to support to Microsoft Edge by opening any site specified on the Enterprise Mode Site List in IE11. IT Pros can use their existing IE11 Enterprise Mode Site List or they can create a new one specifically for Microsoft Edge. 
By keeping Microsoft Edge as the default browser in Windows 10 and only opening legacy line of business sites in IE11 when necessary, you can help keep newer development projects on track, using the latest web standards on Microsoft Edge.
+
+- [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company.
+
+- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode.
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/set-default-search-engine-include.md b/browsers/edge/includes/set-default-search-engine-include.md
new file mode 100644
index 0000000000..9f4d68c89f
--- /dev/null
+++ b/browsers/edge/includes/set-default-search-engine-include.md
@@ -0,0 +1,52 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Not configured (Defined in App settings)*
+
+[!INCLUDE [set-default-search-engine-shortdesc](../shortdesc/set-default-search-engine-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Not configured
**(default)** |Blank |Blank |Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](#allow-search-engine-customization-include) policy, users cannot make changes. | |
+|Disabled |0 |0 |Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. | |
+|Enabled |1 |1 |Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine.

Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

If you want users to use the default Microsoft Edge settings for each market set the string to **EDGEDEFAULT**.

If you would like users to use Microsoft Bing as the default search engine set the string to **EDGEBING**. |![Most restricted value](../images/check-gn.png) |
+---
+
+
+### Configuration options
+
+For more details about configuring the search engine, see [Search engine customization](../group-policies/search-engine-customization-gp.md).
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Set default search engine
+- **GP name:** SetDefaultSearchEngine
+- **GP element:** SetDefaultSearchEngine_Prompt
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** [SetDefaultSearchEngine](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\OpenSearch
+- **Value name:** SetDefaultSearchEngine
+- **Value type:** REG_SZ
+
+### Related policies
+
+- [Configure additional search engines](../available-policies.md#configure-additional-search-engines): [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)]
+
+- [Allow search engine customization](../available-policies.md#allow-search-engine-customization): [!INCLUDE [allow-search-engine-customization-shortdesc](../shortdesc/allow-search-engine-customization-shortdesc.md)]
+
+### Related topics
+
+- [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy): This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. 
Any technique not explicitly listed in this document is considered **unsupported**.
+
+- [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery): Rich search integration is built into the Microsoft Edge address bar, including search suggestions, results from the web, your browsing history, and favorites.
+
+


\ No newline at end of file
diff --git a/browsers/edge/includes/set-home-button-url-include.md b/browsers/edge/includes/set-home-button-url-include.md
new file mode 100644
index 0000000000..0b2c1e8495
--- /dev/null
+++ b/browsers/edge/includes/set-home-button-url-include.md
@@ -0,0 +1,46 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Disabled or not configured (Blank)*
+
+[!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Disabled or not configured
**(default)** |Blank |Blank |Show the home button and loads the Start page and locks down the home button to prevent users from changing what page loads. |
+|Enabled - String |String |String |Load a custom URL for the home button. You must also enable the [Configure Home button](../new-policies.md#configure-home-button) policy and select the _Show home button & set a specific page_ option.

Enter a URL in string format, for example, https://www.msn.com. |
+---
+
+
+### Configuration options
+
+For more details about configuring the different Home button options, see [Home button configuration options](../group-policies/home-button-gp.md).
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Set Home button URL
+- **GP name:** SetHomeButtonURL
+- **GP element:** SetHomeButtonURLPrompt
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[SetHomeButtonURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL
+- **Data type:** String
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings
+- **Value name:** ConfigureHomeButtonURL
+- **Value type:** REG_SZ
+
+### Related policies
+
+- [Configure Home button](../new-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)]
+
+- [Unlock Home button](../new-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)]
+
+


diff --git a/browsers/edge/includes/set-new-tab-url-include.md b/browsers/edge/includes/set-new-tab-url-include.md
new file mode 100644
index 0000000000..ffd31bd264
--- /dev/null
+++ b/browsers/edge/includes/set-new-tab-url-include.md
@@ -0,0 +1,40 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Disabled or not configured (Blank)*
+
+[!INCLUDE [set-new-tab-url-shortdesc](../shortdesc/set-new-tab-url-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Disabled or not configured
**(default)** |Blank |Blank |Load the default New tab page. |
+|Enabled - String |String |String |Prevent users from changing the New tab page.

Enter a URL in string format, for example, https://www.msn.com. |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Set New Tab page URL
+- **GP name:** SetNewTabPageURL
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[SetNewTabPageURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL
+- **Data type:** String
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings
+- **Value name:** NewTabPageUR
+- **Value type:** REG_SZ
+
+
+### Related policies
+
+[Allow web content on New Tab page](../available-policies.md#allow-web-content-on-new-tab-page): [!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)]
+
+
+
+


\ No newline at end of file
diff --git a/browsers/edge/includes/show-message-opening-sites-ie-include.md b/browsers/edge/includes/show-message-opening-sites-ie-include.md
new file mode 100644
index 0000000000..23153686e2
--- /dev/null
+++ b/browsers/edge/includes/show-message-opening-sites-ie-include.md
@@ -0,0 +1,46 @@
+
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1607 and later*
+>*Default setting: Disabled or not configured (No additional message)*
+
+
+[!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |No additional message displays. |![Most restricted value](../images/check-gn.png) |
+|Enabled |1 |1 |Show an additional message stating that a site has opened in IE11. | |
+|Enabled |2 |2 |Show an additional message with a "Keep going in Microsoft Edge" link to allow users to open the site in Microsoft Edge. | |
+---
+
+### Configuration options
+For more details about configuring the search engine, see [Interoperability and enterprise guidance](../group-policies/interoperability-enterprise-guidance-gp.md).
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Show message when opening sites in Internet Explorer
+- **GP name:** ShowMessageWhenOpeningSitesInInternetExplorer
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ShowMessageWhenOpeningSitesInInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInternetExplorer
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main
+- **Value name:** ShowMessageWhenOpeningSitesInInternetExplorer
+- **Value type:** REG_DWORD
+
+### Related policies
+
+- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)]
+
+- [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11): [!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)]
+
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/unlock-home-button-include.md b/browsers/edge/includes/unlock-home-button-include.md
new file mode 100644
index 0000000000..339dbef1f0
--- /dev/null
+++ b/browsers/edge/includes/unlock-home-button-include.md
@@ -0,0 +1,45 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Default setting: Disabled or not configured (Home button is locked)*
+
+[!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)]
+
+### Supported values
+
+|Group Policy |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Disabled or not configured
**(default)** |0 |0 |Lock down the home button to prevent users from making changes to the home button settings. |
+|Enabled |1 |1 |Let users make changes. |
+---
+
+
+### Configuration options
+
+For more details about configuring the different Home button options, see [Home button configuration options](../group-policies/home-button-gp.md).
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Unlock Home Button
+- **GP name:** UnlockHomeButton
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[UnlockHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/UnlockHomeButton
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings
+- **Value name:** UnlockHomeButton
+- **Value type:** REG_DWORD
+
+### Related policies
+
+- [Configure Home button](../new-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)]
+
+- [Set Home button URL](../new-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)]
+
+
+
\ No newline at end of file diff --git a/browsers/edge/index.yml b/browsers/edge/index.yml new file mode 100644 index 0000000000..388263e0b5 --- /dev/null +++ b/browsers/edge/index.yml @@ -0,0 +1,163 @@ +### YamlMime:YamlDocument + +documentType: LandingData + +title: Microsoft Edge Group Policy configuration options + +metadata: + + document_id: + + title: Microsoft Edge Group Policy configuration options + + description: + + text: Learn how to deploy and configure group policies in Microsoft Edge on Windows 10. Some of the features coming to Microsoft Edge gives you the ability to set a custom URL for the New tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. + + keywords: Microsoft Edge, Windows 10 + + ms.localizationpriority: high + + author: shortpatti + + ms.author: pashort + + ms.date: 08/09/2018 + + ms.topic: article + + ms.devlang: na + +sections: + +- title: + +- items: + + - type: markdown + + text: Learn about interoperability goals and enterprise guidance along with system requirements, language support and frequently asked questions. + +- items: + + - type: list + + style: cards + + className: cardsE + + columns: 3 + + items: + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/about-microsoft-edge + + html:

Learn about Microsoft Edge, including system requirements and language support

+ + image: + + src: https://docs.microsoft.com/media/common/i_overview.svg + + title: Microsoft Edge overview + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/new-policies + + html:

Learn more about the latest group policies and features added to Microsoft Edge.

+ + image: + + src: https://docs.microsoft.com/media/common/i_whats-new.svg + + title: What's new + + - href: https://www.microsoft.com/en-us/WindowsForBusiness/Compare + + html:

Learn about the supported features & functionality in each Windows edition.

+ + image: + + src: https://docs.microsoft.com/media/common/i_config-tools.svg + + title: Compare Windows 10 Editions + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/security-privacy-management-gp + + html:

Learn how Microsoft Edge helps to defend from increasingly sophisticated and prevalent web-based attacks against Windows.

+ + image: + + src: https://docs.microsoft.com/media/common/i_security-management.svg + + title: Security & protection + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp + + html:

Learch how you can use the Enterprise Mode site list for websites and apps that have compatibility problems in Microsoft Edge.

+ + image: + + src: https://docs.microsoft.com/media/common/i_management.svg + + title: Interoperability & enterprise guidance + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/index + + html:

Learn about the advanced VPN features you can add to improve the security and availability of your VPN connection.

+ + image: + + src: https://docs.microsoft.com/media/common/i_policy.svg + + title: Group policies & configuration options + +- items: + + - type: list + + style: cards + + className: cardsL + + items: + + - title: Microsoft Edge resources + + html:

Minimum system requirements

+ +

Supported languages

+ +

Document change history

+ +

Compare Windows 10 Editions

+ +

Microsoft Edge Dev blog

+ +

Microsoft Edge Dev on Twitter

+ +

Microsoft Edge changelog

+ +

Measuring the impact of Microsoft Edge

+ + - title: Internet Explorer 11 resources + + html:

Deploy Internet Explorer 11 (IE11) - IT Pros

+ +

Internet Explorer Administration Kit 11 (IEAK 11)

+ +

Download Internet Explorer 11

+ + - title: Additional resources + + html:

Group Policy and the Group Policy Management Console (GPMC)

+ +

Group Policy and the Local Group Policy Editor

+ +

Group Policy and the Advanced Group Policy Management (AGPM)

+ +

Group Policy and Windows PowerShell

+ + + + + + diff --git a/browsers/edge/microsoft-browser-extension-policy-include.md b/browsers/edge/microsoft-browser-extension-policy-include.md new file mode 100644 index 0000000000..03aabcbbff --- /dev/null +++ b/browsers/edge/microsoft-browser-extension-policy-include.md @@ -0,0 +1 @@ +[Microsoft browser extention policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy) \ No newline at end of file diff --git a/browsers/edge/microsoft-edge-faq.md b/browsers/edge/microsoft-edge-faq.md index 05335d7416..59299f93a9 100644 --- a/browsers/edge/microsoft-edge-faq.md +++ b/browsers/edge/microsoft-edge-faq.md @@ -1,12 +1,12 @@ --- title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros (Microsoft Edge for IT Pros) description: Answering frequently asked questions about Microsoft Edge features, integration, support, and potential problems. -author: eross-msft -ms.author: lizross +author: shortpatti +ms.author: pashort ms.prod: edge ms.mktglfcycl: general ms.sitesec: library -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 09/19/2017 --- diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md new file mode 100644 index 0000000000..1662f74b73 --- /dev/null +++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md @@ -0,0 +1,324 @@ +--- +description: Microsoft Edge kiosk mode works with assigned access to allow IT, administrators, to create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge kiosk mode, you must configure Microsoft Edge as an application in assigned access. +ms.assetid: +author: shortpatti +ms.author: pashort +ms.prod: edge +ms.sitesec: library +title: Deploy Microsoft Edge kiosk mode +ms.localizationpriority: medium +ms.date: 07/25/2018 +--- + +# Deploy Microsoft Edge kiosk mode (Preview) + +>Applies to: Microsoft Edge on Windows 10
+>Preview build 17723 + +Microsoft Edge kiosk mode works with assigned access to let IT administrators create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge kiosk mode, you must configure Microsoft Edge as an application in assigned access. Learn more about [Configuring kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc). + +When you configure Microsoft Edge kiosk mode in assigned access, you can set it up to show only a single URL in full-screen, in the case of digital/interactive signage on a single-app kiosk device. You can restrict Microsoft Edge for public browsing (on a single and multi-app kiosk device) which runs a multi-tab version of InPrivate with limited functionality. Also, you can configure a multi-app kiosk device to run a full or normal version of Microsoft Edge. + +Digital/Interactive signage and public browsing protects the user’s data by running Microsoft Edge InPrivate. In single-app public browsing, there is both an idle timer and an 'End Session' button. The idle timer resets the browsing session after a specified time of user inactivity. + +In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn how to setup your Microsoft Edge kiosk mode experience. + + + +## Microsoft Edge kiosk types +Microsoft Edge kiosk mode supports **four** types, depending on how Microsoft Edge is set up in assigned access; single-app or multi-app kiosk. Learn more about [assigned access](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/assigned-access). + +### Single-app kiosk + +When you set up Microsoft Edge kiosk mode in single-app assigned access, Microsoft Edge runs InPrivate either in full-screen or a limited multi-tab version for public browsing. 
For more details about setting up a single-app kiosk, see [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage). + +The single-app Microsoft Edge kiosk mode types include: + +1. **Digital / Interactive signage** devices display a specific site in full-screen mode in which Microsoft Edge runs InPrivate mode. Examples of Digital signage are a rotating advertisement or menu. Examples of Interactive signage include an interactive museum display or a restaurant order/pay station. + +2. **Public browsing** devices run a limited multi-tab version of InPrivate and Microsoft Edge is the only app available. Users can’t minimize, close, or open new Microsoft Edge windows or customize Microsoft Edge. Users can clear browsing data, downloads and restart Microsoft Edge by clicking the “End session” button. You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. A public library or hotel concierge desk are two examples of public browsing in single-app kiosk device. + + ![Public browsing Microsoft Edge kiosk mode on a single-app kiosk device](images/SingleApp_contosoHotel_inFrame.png) + +### Multi-app kiosk +When you set up Microsoft Edge kiosk mode in multi-app assigned access, Microsoft Edge runs a limited multi-tab version of InPrivate or a normal browsing version. For more details about running a multi-app kiosk, or fixed-purpose device, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps). Here you learn how to create kiosks that run more than one app and the benefits of a multi-app kiosk, or fixed-purpose device. + +The multi-app Microsoft Edge kiosk mode types include: + +3. **Public browsing** supports browsing the internet and runs InPrivate with minimal features available. 
In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate windows. On a multi-app kiosk device, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access. You can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other app(s). + + ![Public browsing Microsoft Edge kiosk mode on a multi-app kiosk device](images/Multi-app_kiosk_inFrame.png) + +4. **Normal mode** mode runs a full version of Microsoft Edge, but some features may not work depending on what other apps you configured in assigned access. For example, if Internet Explorer 11 is set up in assigned access, you can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. + + ![Normal Microsoft Edge kiosk mode on a multi-app kiosk device](images/Normal_inFrame.png) + +## Let’s get started! +Before you can configure Microsoft Edge kiosk mode, you must set up Microsoft Edge in assigned access. You can set up Microsoft Edge kiosk mode in assigned access using: + +- **Windows Settings.** Best for physically setting up a single device as a kiosk. With this method, you set up assigned access and configure the kiosk or digital sign device using Settings. You can configure Microsoft Edge in single-app (kiosk type – Full-screen or public browsing) and define a single URL for the Home button, Start page, and New tab page. You can also set the reset after an idle timeout. + +- **Microsoft Intune or other MDM service.** Best for setting up multiple devices as a kiosk. With this method, you configure Microsoft Edge in assigned access and configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access. 
+ + >[!NOTE] + >For other MDM service, check with your provider for instructions. + +- **Windows PowerShell.** Best for setting up multiple devices as a kiosk. With this method, you can set up single-app or multi-app assigned access using a PowerShell script. For details, see For details, see [Set up a kiosk or digital sign using Windows PowerShell](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-using-windows-powershell).  + +- **Windows Configuration Designer.** Best for setting up multiple kiosk devices. Download and install both the latest version of the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and [Windows Configuration Manager](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-install-icd#install-windows-configuration-designer-1). + +### Prerequisites + +- Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education). + +- Configuration and deployment service, such as Windows PowerShell, Microsoft Intune or other MDM service, or Windows Configuration Designer. With these methods, you must have the [AppUserModelID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app); this does not apply to the Windows Settings method. + +>[!Important] +>If you are using a local account as a kiosk account in Intune or provisioning package, make sure to sign into this account and then sign out before configuring the assigned access single-app kiosk. + + +### Use Windows Settings + +Windows Settings is the simplest and easiest way to set up one or a couple of devices because you must perform these steps on each device. This method is ideal for small businesses. + +1. In Windows Settings, select **Accounts** \> **Other people**. + +2. Under **Set up a kiosk**, select **Assigned access**. + +3. 
Select **Get started**.
+
+4. Create a standard user account or choose an existing account for your kiosk.
+
+5. Select **Next**.
+
+6. On the **Choose a kiosk app** page, select **Microsoft Edge.**
+
+7. Select **Next**.
+
+8. Select how Microsoft Edge displays when running in kiosk mode:
+
+ - **As a digital sign or interactive display**, the default URL shows in full screen, without browser controls.
+
+ - **As a public browser**, the default URL shows in a browser view with limited browser controls.
+
+9. Select **Next**.
+
+10. Enter the URL that you want to load when the kiosk launches.
+
+ >[!NOTE]
+ >The URL sets the Home button, Start page, and New tab page.
+
+11. Microsoft Edge in kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue. If **Continue** is not selected, Microsoft Edge resets to the default URL. You can accept the default value of **5 minutes**, or you can choose your own idle timer value.
+
+12. Select **Next**, and then select **Close**.
+
+13. Close **Settings** to save your choices automatically and apply them the next time the user account logs on.
+
+14. Configure the policies for Microsoft Edge kiosk mode. For details on the valid kiosk policy settings, see [Relevant policies](#relevant-policies).
+
+15. Validate the Microsoft Edge kiosk mode by restarting the device and signing in with the local kiosk account.
+
+**_Congratulations!_** You’ve finished setting up Microsoft Edge in assigned access and a kiosk or digital sign, and configured browser policies for Microsoft Edge kiosk mode.
+
+**_Next steps._**
+- Use your new kiosk. Sign in to the device using the user account that you selected to run the kiosk app.
+- If you want to make changes to your kiosk, you can quickly change the display option and default URL for Microsoft Edge.
+
+ 1. 
Go to **Start** \> **Settings** \> **Accounts** \> **Other people**. + + 2. Under **Set up a kiosk**, select **Assigned access**. + + 3. Make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge**. + + +### Use Microsoft Intune or other MDM service + +With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge kiosk mode in assigned access and how it behaves on a kiosk device. + +1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps. + +2. Configure the following MDM settings to control a web browser app on the kiosk device and then restart the device. + + | | | + |---|---| + | **[ConfigureKioskMode](new-policies.md#configure-kiosk-mode)**

![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

| + | **[ConfigureKioskResetAfterIdleTimeout](new-policies.md#configure-kiosk-reset-after-idle-timeout)**

![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

| + | **[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)**

![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge launches.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages

**Data type:** String

**Allowed values:**

Enter one or more URLs, for example,
   \\ | + | **[ConfigureHomeButton](new-policies.md#configure-home-button)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

| + | **[SetNewTabPageURL](new-policies.md#set-new-tab-page-url)**

![](images/icon-thin-line-computer.png) | Set a custom URL for the New tab page.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.msn.com | + | **[SetHomeButtonURL](new-policies.md#set-home-button-url)**

![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.bing.com | + --- +
+ +**_Congratulations!_** You’ve finished setting up a kiosk or digital signage and configuring policies for Microsoft Edge kiosk mode using Microsoft Intune or other MDM service. + +**_Next steps._** Use your new kiosk. Sign in to the device using the user account that you selected to run the kiosk app. + +### Use a provisioning package + +With this method, you can use a provisioning package to configure Microsoft Edge kiosk mode in assigned access. After you set up the provisioning package for configuring Microsoft Edge in assigned access, you configure how Microsoft Edge behaves on a kiosk device. + +1. Open Windows Configuration Designer to create a provisioning package and configure Microsoft Edge in assigned access. + +2. After creating the provisioning package and configuring assigned access, and before you build the package, switch to the advanced editor. + +3. Navigate to **Runtime settings \> Policies \> Browser** and set the following policies: + + | | | + |---|---| + | **[ConfigureKioskMode](new-policies.md#configure-kiosk-mode)**

![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

| + | **[ConfigureKioskResetAfterIdleTimeout](new-policies.md#configure-kiosk-reset-after-idle-timeout)**

![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

| + | **[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)**

![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge launches.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages

**Data type:** String

**Allowed values:**

Enter one or more URLs, for example,
   \\ | + | **[ConfigureHomeButton](new-policies.md#configure-home-button)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

| + | **[SetNewTabPageURL](new-policies.md#set-new-tab-page-url)**

![](images/icon-thin-line-computer.png) | Set a custom URL for the New tab page.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.msn.com | + | **[SetHomeButtonURL](new-policies.md#set-home-button-url)**

![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.bing.com | + --- +
+4. After you’ve configured the Microsoft Edge kiosk mode policies, including any of the related policies, it’s time to build the package. + +5. Click **Finish**. The wizard closes taking you back to the Customizations page. + +6. Apply the provisioning package to the device, which you can do during the first-run experience (out-of-box experience or OOBE) and after (runtime). For more details, see [Apply a provisioning package](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-apply-package). + +**_Congratulations!_** You’ve finished creating your provisioning package for Microsoft Edge kiosk mode. + +**_Next steps._** Use your new kiosk. Sign in to the device using the user account that you selected to run the kiosk app. + +--- + +## Relevant policies + +Use any of the Microsoft Edge policies listed below to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser). + +| **MDM Setting** | **Digital /
Interactive signage** | **Public browsing
single-app** | **Public browsing
multi-app** | **Normal
mode** | +|------------------|:---------:|:---------:|:---------:|:---------:| +| [AllowAddressBarDropdown](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowaddressbardropdown) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowAutofill](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowBrowser](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowbrowser) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | +| [AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowCookies](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowcookies) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowDeveloperTools](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowDoNotTrack](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | 
![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowFlash](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflash) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowFlashClickToRun](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) | ![Supported](images/148767.png)2 | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowFullscreen](new-policies.md#allow-fullscreen-mode)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowInPrivate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowMicrosoftCompatibilityList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| 
[AllowPopups](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowPrelaunch](new-policies.md#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowPrinting](new-policies.md#allow-printing)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowSavingHistory](new-policies.md#allow-saving-history)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowSearchEngineCustomization](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowSideloadingOfExtensions](new-policies.md#allow-sideloading-of-extensions)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | ![Supported](images/148767.png) | 
![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowTabPreloading](new-policies.md#allow-microsoft-edge-to-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowWebContentOnNewTabPage](available-policies.md#allow-web-content-on-new-tab-page)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AlwaysEnabledBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [ClearBrowsingDataOnExit](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-clearbrowsingdataonexit) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [ConfigureAdditionalSearchEngines](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ConfigureFavoritesBar](new-policies.md#configure-favorites-bar)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | 
![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ConfigureHomeButton](new-policies.md#configure-home-button)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +|  [ConfigureKioskMode](new-policies.md#configure-kiosk-mode)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +|  [ConfigureKioskResetAfterIdleTimeout](new-policies.md#configure-kiosk-reset-after-idle-timeout)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | +| [ConfigureOpenMicrosoftEdgeWith](new-policies.md#configure-open-microsoft-edge-with)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ConfigureTelemetryForMicrosoft365Analytics](new-policies.md#configure-collection-of-browsing-data-for-microsoft-365-analytics)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [DisableLockdownOfStartPages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [Experience/DoNotSyncBrowserSetting](available-policies.md#do-not-sync-browser-settings)\* and [Experience/PreventUsersFromTurningOnBrowserSyncing](new-policies.md#prevent-users-from-turning-on-browser-syncing)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| 
[EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [EnterpriseModeSiteList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [FirstRunURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-firstrunurl) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | +| [HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [LockdownFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventCertErrorOverrides](new-policies.md#prevent-certificate-error-overrides)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| 
[PreventFirstRunPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) | ![Supported](images/148767.png) | ![Supported](images/148767.png)| ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventLiveTileDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [PreventSmartScreenPromptOverride](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventTurningOffRequiredExtensions](new-policies.md#prevent-turning-off-required-extensions)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ProvisionFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | 
![Supported](images/148767.png) | +| [SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [SetDefaultSearchEngine](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [SetHomeButtonURL](new-policies.md#set-home-button-url)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [SetNewTabPageURL](new-policies.md#set-new-tab-page-url)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ShowMessageWhenOpeningInteretExplorerSites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [UnlockHomeButton](new-policies.md#unlock-home-button)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| 
[UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +--- + +*\* New policy coming in the next release of Windows 10.*

+*1) For multi-app assigned access, you must configure Internet Explorer 11.*
+*2) For digital/interactive signage to enable Flash, set [AllowFlashClickToRun].(https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) to 0.* + +**Legend:**

+       ![Not supported](images/148766.png) = Not applicable or not supported
+       ![Supported](images/148767.png) = Supported + +--- + +## Related topics + +- **[Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage)**: Learn about the different methods to configuring your kiosks and digitals signs. Also, learn about the settings you can use to lock down the kiosk for a more secure kiosk experience. + +- **[Create a Kiosk Experience](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/create-a-kiosk-image):** Learn how to set up single-function kiosk devices, such as restaurant menus, and optional features for a welcome screen or power button availability. Also, learn how to create a multi-app kiosk, or fixed-purpose device, to provide an easy-to-understand experience giving users the things they need to use. + +- **[Configure a Windows 10 kiosk that runs multiple apps](https://aka.ms/Ckmq4n):** Learn how to create kiosks that run more than one app and the benefits of a multi-app kiosk, or fixed-purpose device. + +- **[Kiosk apps for assigned access best practices](https://aka.ms/H1s8y4):** In Windows 10, you can use assigned access to create a kiosk device, which enables users to interact with just a single Universal Windows app. Learn about the best practices for implementing a kiosk app. + +- **[Guidelines for choosing an app for assigned access (kiosk mode)](https://aka.ms/Ul7dw3):** Assigned access restricts a local standard user account on the device so that it only has access to a single-function device, like a kiosk. Learn about the guidelines for choosing a Windows app, web browsers, and securing your information. Also, learn about additional configurations required for some apps before it can work properly in assigned access. 
+
+- **[Other settings to lock down](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage#other-settings-to-lock-down):** Learn how to configure a more secure kiosk experience. In addition to the settings, learn how to set up **automatic logon** for your kiosk device. For example, when the kiosk device restarts, you can log back into the device manually or by setting up automatic logon.
+
+- **[Add apps to Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-add):** Learn about and understand a few app fundamentals and requirements before adding them to Intune and making them available to your users.
+
+- **[AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/en-us/windows/client-management/mdm/assignedaccess-csp):** The AssignedAccess configuration service provider (CSP) sets the device to run in kiosk mode. Once the CSP has executed, then the next user login associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
+
+- **[Create a provisioning page for Windows 10](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-create-package):** Learn to use Windows Configuration Designer (WCD) to create a provisioning package (.ppkg) for configuring devices running Windows 10. The WCD wizard options provide a simple interface to configure desktop, mobile, and kiosk device settings.
+
+---
+
+## Known issues with prerelease build 17723
+
+When you set up Microsoft Edge kiosk mode on a single-app kiosk device you must set the “ConfigureKioskMode” policy because the default behavior is not honored.
+- **Expected behavior** – Microsoft Edge kiosk mode launches in full-screen mode.
+- **Actual behavior** – Normal Microsoft Edge launches. 
+
+---
+
+## Provide feedback or get support
+
+To provide feedback on Microsoft Edge kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
+
+**_For multi-app kiosk only._** If you have set up the Feedback Hub in assigned access, you can you submit the feedback from the device running Microsoft Edge in kiosk mode in which you can include diagnostic logs. In the Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
+
+---
+
+## Feature comparison of kiosk mode and kiosk browser app
+In the following table, we show you the features available in both Microsoft Edge kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access.
+
+| **Feature** | **Microsoft Edge kiosk mode** | **Kiosk Browser** |
+|---------------|:----------------:|:---------------:|
+| Print support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) |
+| Multi-tab support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) |
+| Allow URL support | ![Supported](images/148767.png)

*\*For Microsoft Edge kiosk mode use* [Windows Defender Firewall](#_*Windows_Defender_Firewall)*. Microsoft kiosk browser has custom policy support.* | ![Supported](images/148767.png) | +| Block URL support | ![Supported](images/148767.png)

*\*For Microsoft Edge kiosk mode use* [Windows Defender Firewall](#_*Windows_Defender_Firewall)*. Microsoft kiosk browser has custom policy support.* | ![Supported](images/148767.png) | +| Configure Home button | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| Set Start page(s) URL | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*Same as Home button URL* | +| Set New Tab page URL | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | +| Favorites management | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | +| End session button | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*In Intune, must create custom URI to enable. Dedicated UI configuration targeted for 1808.* | +| Reset on inactivity | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| Internet Explorer integration (Enterprise Mode site list) | ![Supported](images/148767.png)

*Multi-app mode only* | ![Not supported](images/148766.png) | +--- + +**\*Windows Defender Firewall**

+To prevent access to unwanted websites on your kiosk device, use Windows Defender Firewall to configure a list of allowed websites, blocked websites or both. For more details, see [Windows Defender Firewall with Advanced Security Deployment](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide).
+
+---
\ No newline at end of file
diff --git a/browsers/edge/new-policies.md b/browsers/edge/new-policies.md
new file mode 100644
index 0000000000..48df9f6016
--- /dev/null
+++ b/browsers/edge/new-policies.md
@@ -0,0 +1,116 @@
+---
+description: Microsoft Edge now has new Group Policies and MDM Settings for IT administrators to configure Microsoft Edge. The new policies allow you to enable/disabled full-screen mode, printing, favorites bar, saving history. You can also prevent certificate error overrides, and configure New tab page, Home button and startup options, as well as manage extensions.
+ms.assetid:
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+title: New Microsoft Edge Group Policies and MDM settings
+ms.localizationpriority: medium
+author: shortpatti
+ms.author: pashort
+ms.date: 07/25/2018
+---
+
+# New Microsoft Edge Group Policies and MDM settings (Preview)
+
+> Applies to: Microsoft Edge on Windows 10
+> Preview build 17713+ + +The Microsoft Edge team introduces new Group Policies and MDM Settings for the Windows 10 Insider Preview Build 17713+. The new policies allow IT administrators to enable/disable full-screen mode, printing, favorites bar, saving history. You can also prevent certificate error overrides, and configure New tab page, Home button and startup options, as well as manage extensions. + +We are discontinuing the **Configure Favorites** group policy. Use the **[Provision Favorites](available-policies.md#provision-favorites)** instead. + + + +>>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: +>> +>>      **_Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\_** +

+ + + +| **Group Policy** | **New/update?** | **MDM Setting** | **New/update?** | +| --- | --- | --- | --- | +| [Allow fullscreen mode](#allow-fullscreen-mode) | New | [AllowFullscreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode) | New | +| [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](#allow-prelaunch) | New | [AllowPrelaunch](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) | New | +| [Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](#allow-microsoft-edge-to-start-and-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) | New | [AllowTabPreloading](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) | New | +| [Allow printing](#allow-printing) | New | [AllowPrinting](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) | New | +| [Allow Saving History](#allow-saving-history) | New | [AllowSavingHistory](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) | New | +| [Allow sideloading of Extensions](#allow-sideloading-of-extensions) | New | [AllowSideloadingExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) | New | +| [Allow web content on new tab page](available-policies.md#allow-web-content-on-new-tab-page) | -- | [AllowWebContentOnNewTabPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) | New | +| [Configure collection of browsing data for Microsoft 365 Analytics](#configure-collection-of-browsing-data-for-microsoft-365-analytics) | New | 
[ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) | New | +| [Configure Favorites Bar](#configure-favorites-bar) | New | [ConfigureFavoritesBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) | New | +| [Configure Home button](#configure-home-button) | New | [ConfigureHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) | New | +| [Configure kiosk mode](#configure-kiosk-mode) | New | [ConfigureKioskMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | New | +| [Configure kiosk reset after idle timeout](#configure-kiosk-reset-after-idle-timeout) | New | [ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) | New | +| [Configure Open Microsoft Edge With](#configure-open-microsoft-edge-with) | New | [ConfigureOpenEdgeWith](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) | New | +| [Do not sync browser settings](available-policies.md#do-not-sync-browser-settings) | -- | [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting) | New | +| [Prevent certificate error overrides](#prevent-certificate-error-overrides) | New | [PreventCertErrorOverrides](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) | New | +| [Prevent users from turning on browser syncing](#preventusersfromturningonbrowsersyncing) | New | Experience/PreventUsersFromTurningOnBrowserSyncing | New | +| [Prevent turning off required 
extensions](#prevent-turning-off-required-extensions) | New | [PreventTurningOffRequiredExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) | New | +| [Set Home button URL](#set-home-button-url) | New | [SetHomeButtonURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) | New | +| [Set New Tab page URL](#set-new-tab-page-url) | New | [SetNewTabPageURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) | New | +| [Show message when opening sites in Internet Explorer](#showmessagewhenopeninginteretexplorersites) | Updated | [ShowMessageWhenOpeningSitesInInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) | Updated | +| [Unlock Home button](#unlock-home-button) | New | [UnlockHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) | New | +--- + + + + +## Allow fullscreen mode +[!INCLUDE [allow-full-screen-include](includes/allow-full-screen-include.md)] + +## Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed +[!INCLUDE [allow-prelaunch-include](includes/allow-prelaunch-include.md)] + +## Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed +[!INCLUDE [allow-tab-preloading-include](includes/allow-tab-preloading-include.md)] + +## Allow printing +[!INCLUDE [allow-printing-include.md](includes/allow-printing-include.md)] + +## Allow Saving History +[!INCLUDE [allow-saving-history-include.md](includes/allow-saving-history-include.md)] + +## Allow sideloading of Extensions +[!INCLUDE 
[allow-sideloading-extensions-include.md](includes/allow-sideloading-extensions-include.md)] + +## Configure collection of browsing data for Microsoft 365 Analytics +[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](includes/configure-browser-telemetry-for-m365-analytics-include.md)] + +## Configure Favorites Bar +[!INCLUDE [configure-favorites-bar-include.md](includes/configure-favorites-bar-include.md)] + +## Configure Home button +[!INCLUDE [configure-home-button-include.md](includes/configure-home-button-include.md)] + +## Configure kiosk mode +[!INCLUDE [configure-microsoft-edge-kiosk-mode-include.md](includes/configure-microsoft-edge-kiosk-mode-include.md)] + +## Configure kiosk reset after idle timeout +[!INCLUDE [configure-edge-kiosk-reset-idle-timeout-include.md](includes/configure-edge-kiosk-reset-idle-timeout-include.md)] + +## Configure Open Microsoft Edge With +[!INCLUDE [configure-open-edge-with-include.md](includes/configure-open-edge-with-include.md)] + +## Prevent certificate error overrides +[!INCLUDE [prevent-certificate-error-overrides-include.md](includes/prevent-certificate-error-overrides-include.md)] + +## Prevent turning off required extensions +[!INCLUDE [prevent-turning-off-required-extensions-include.md](includes/prevent-turning-off-required-extensions-include.md)] + +## Prevent users from turning on browser syncing +[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](includes/prevent-users-to-turn-on-browser-syncing-include.md)] + +## Set Home button URL +[!INCLUDE [set-home-button-url-include](includes/set-home-button-url-include.md)] + +## Set New Tab page URL +[!INCLUDE [set-new-tab-url-include.md](includes/set-new-tab-url-include.md)] + +## Show message when opening sites in Internet Explorer +[!INCLUDE [show-message-opening-sites-ie-include](includes/show-message-opening-sites-ie-include.md)] + +## Unlock Home button +[!INCLUDE [unlock-home-button-include.md](includes/unlock-home-button-include.md)] + 
diff --git a/browsers/edge/security-enhancements-microsoft-edge.md b/browsers/edge/security-enhancements-microsoft-edge.md index 40952d55dc..8f16464105 100644 --- a/browsers/edge/security-enhancements-microsoft-edge.md +++ b/browsers/edge/security-enhancements-microsoft-edge.md @@ -5,15 +5,17 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros) -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 10/16/2017 +ms.author: pashort +author: shortpatti --- # Security enhancements for Microsoft Edge >Applies to: Windows 10, Windows 10 Mobile -Microsoft Edge is designed with significant security improvements, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. +Microsoft Edge is designed with improved security in mind, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. ## Help to protect against web-based security threats While most websites are safe, some sites have been designed to steal personal information or gain access to your system’s resources. Thieves by nature don’t care about rules, and will use any means to take advantage of victims, most often using trickery or hacking: diff --git a/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md b/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md new file mode 100644 index 0000000000..ab30ba7a07 --- /dev/null +++ b/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md 
@@ -0,0 +1 @@
+You can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads book files automatically to a common, shared folder, and prevents users from removing the book from the library. When disabled, Microsoft Edge does not use a shared folder but downloads book files to a folder for each user. For this policy to work properly, users must be signed in with a school or work account.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md b/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md
new file mode 100644
index 0000000000..4a49c8dc67
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge shows the Address bar drop-down list and makes it available by default, which takes precedence over the Configure search suggestions in Address bar policy. We recommend disabling this policy if you want to minimize network connections from Microsoft Edge to Microsoft service, which hides the functionality of the Address bar drop-down list. When you disable this policy, Microsoft Edge also disables the _Show search and site suggestions as I type_ toggle in Settings.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md b/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md
new file mode 100644
index 0000000000..6c0c3cf0be
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md
@@ -0,0 +1 @@
+Adobe Flash is integrated with Microsoft Edge and runs Adobe Flash content by default. With this policy, you can configure Microsoft Edge to prevent Adobe Flash content from running.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md b/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md
new file mode 100644
index 0000000000..31127ca2d7
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge does not clear the browsing data on exit by default, but users can configure the _Clear browsing data_ option in Settings. Browsing data includes information you entered in forms, passwords, and even the websites visited. With this policy, you can configure Microsoft Edge to clear the browsing data automatically each time Microsoft Edge closes.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md b/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md
new file mode 100644
index 0000000000..e5fd1dde74
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge automatically updates the configuration data for the Books library. Disabling this policy prevents Microsoft Edge from updating the configuration data. If Microsoft receives feedback about the amount of data about the Books library, the data comes as a JSON file.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-cortana-shortdesc.md b/browsers/edge/shortdesc/allow-cortana-shortdesc.md
new file mode 100644
index 0000000000..2857a93d27
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-cortana-shortdesc.md
@@ -0,0 +1 @@
+Since Microsoft Edge is integration with Cortana, Microsoft Edge allows users to use Cortana voice assistant by default. With this policy, you can configure Microsoft Edge to prevent users from using Cortana but can still search to find items on their device.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md b/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md
new file mode 100644
index 0000000000..b9bab04325
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge allows users to use the F12 developer tools to build and debug web pages by default. With this policy, you can configure Microsoft Edge to prevent users from using the F12 developer tools.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md b/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md
new file mode 100644
index 0000000000..1c11de47c0
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md
@@ -0,0 +1 @@
+By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and additional diagnostic data, such as usage data.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-extensions-shortdesc.md b/browsers/edge/shortdesc/allow-extensions-shortdesc.md
new file mode 100644
index 0000000000..2d1f8ec802
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-extensions-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge allows users to add or personalize extensions in Microsoft Edge by default. With this policy, you can configure Microsoft to prevent users from adding or personalizing extensions.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md b/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md
new file mode 100644
index 0000000000..0ce0f11a60
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge allows full-screen mode by default, which shows only the web content and hides the Microsoft Edge UI. When allowing full-screen mode, users and extensions must have the proper permissions. Disabling this policy prevents full-screen mode in Microsoft Edge.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md b/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md
new file mode 100644
index 0000000000..75def749bb
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge allows InPrivate browsing, and after closing all InPrivate tabs, Microsoft Edge deletes the browsing data from the device. With this policy, you can configure Microsoft Edge to prevent InPrivate web browsing.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md b/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md
new file mode 100644
index 0000000000..a56056d3e9
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md
@@ -0,0 +1 @@
+During browser navigation, Microsoft Edge checks the Microsoft Compatibility List for websites with known compatibility issues. If found, users are prompted to use Internet Explorer, where the site loads and displays correctly. Periodically during browser navigation, Microsoft Edge downloads the latest version of the list and applies the updates. With this policy, you can configure Microsoft Edge to ignore the compatibility list. You can view the compatibility list at about:compat.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md b/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md
new file mode 100644
index 0000000000..58ab1f00bd
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge. You can also configure Microsoft Edge to prevent Microsoft Edge from pre-launching.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-printing-shortdesc.md b/browsers/edge/shortdesc/allow-printing-shortdesc.md
new file mode 100644
index 0000000000..07e8e98f42
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-printing-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge allows users to print web content by default. With this policy though, you can configure Microsoft Edge to prevent users from printing web content.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-saving-history-shortdesc.md b/browsers/edge/shortdesc/allow-saving-history-shortdesc.md
new file mode 100644
index 0000000000..bec7172c23
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-saving-history-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge saves the browsing history of visited websites and shows them in the History pane by default. Disabling this policy prevents Microsoft Edge from saving the browsing history. If browsing history existed before disabling this policy, the previous browsing history remains in the History pane. Disabling this policy does not stop roaming of existing browsing history or browsing history from other devices.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md b/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md
new file mode 100644
index 0000000000..2b4e25a7c3
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md
@@ -0,0 +1 @@
+By default, users can add new search engines or change the default search engine, in Settings. With this policy, you can prevent users from customizing the search engine in Microsoft Edge.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md b/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md
new file mode 100644
index 0000000000..bb723ab0c6
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions. Disabling this policy prevents sideloading of extensions but does not prevent sideloading using Add-AppxPackage via PowerShell. You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage).
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md b/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md
new file mode 100644
index 0000000000..3b245ca258
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge allows preloading of the Start and New tab pages during Windows sign in, and each time Microsoft Edge closes by default. Preloading minimizes the amount of time required to start Microsoft Edge and load a new tab. With this policy, you can configure Microsoft Edge to prevent preloading of tabs.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md b/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md
new file mode 100644
index 0000000000..911267bdb1
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge loads the default New tab page by default. Disabling this policy loads a blank page instead of the New tab page and prevents users from changing it. Not configuring this policy lets users choose how the New tab page appears.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/always-show-books-library-shortdesc.md b/browsers/edge/shortdesc/always-show-books-library-shortdesc.md
new file mode 100644
index 0000000000..9a382427fa
--- /dev/null
+++ b/browsers/edge/shortdesc/always-show-books-library-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge shows the Books Library only in countries or regions where supported. With this policy you can configure Microsoft Edge to show the Books Library regardless of the device’s country or region.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md b/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md
new file mode 100644
index 0000000000..c68642520a
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md
@@ -0,0 +1 @@
+By default, users cannot add, remove, or change any of the search engines in Microsoft Edge, but they can set a default search engine. You can set the default search engine using the Set default search engine policy. With this policy, you can configure up to five additional search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md b/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md
new file mode 100644
index 0000000000..c58d446834
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge supports Adobe Flash as a built-in feature rather than as an external add-on and updates automatically via Windows Update. By default, Microsoft Edge prevents Adobe Flash content from loading automatically, requiring action from the user, for example, clicking the **Click-to-Run** button. Depending on how often the content loads and runs, the sites for the content gets added to the auto-allowed list. Disable this policy if you want Adobe Flash content to load automatically.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-allow-flash-for-url-list-shortdesc.md b/browsers/edge/shortdesc/configure-allow-flash-for-url-list-shortdesc.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/browsers/edge/shortdesc/configure-autofill-shortdesc.md b/browsers/edge/shortdesc/configure-autofill-shortdesc.md
new file mode 100644
index 0000000000..247308fee8
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-autofill-shortdesc.md
@@ -0,0 +1 @@
+By default, users can choose to use the Autofill feature to automatically populate the form fields. With this policy, you can configure Microsoft Edge, when enabled to use Autofill or, when disabled to prevent using Autofill.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md b/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md
new file mode 100644
index 0000000000..6a9cce12e0
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge does not send browsing history data to Microsoft 365 Analytics by default. With this policy though, you can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-cookies-shortdesc.md b/browsers/edge/shortdesc/configure-cookies-shortdesc.md
new file mode 100644
index 0000000000..a35c4d0f31
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-cookies-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge allows all cookies from all websites by default. With this policy, you can configure Microsoft to block only 3rd-party cookies or block all cookies.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md b/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md
new file mode 100644
index 0000000000..d3026c51e7
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge does not send ‘Do Not Track’ requests to websites asking for tracking information, but users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md b/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md
new file mode 100644
index 0000000000..80383e4f0a
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have sites or apps that use this technology, you can configure Microsoft Edge to check the Enterprise Mode Site List XML file that lists the sites and domains with compatibility issues and switch to IE11 automatically. You can use the same site list for both Microsoft Edge and IE11, or you can use separate lists. By default, Microsoft Edge ignores the Enterprise Mode and the Enterprise Mode Site List XML file. In this case, users might experience problems while using legacy apps. These sites and domains must be viewed using Internet Explorer 11 and Enterprise Mode.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md b/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md
new file mode 100644
index 0000000000..4536456e59
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge hides the favorites bar by default but shows the favorites bar on the Start and New tab pages. Also, by default, the favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. With this policy, you can configure Microsoft Edge to either show or hide the favorites bar on all pages.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-favorites-shortdesc.md b/browsers/edge/shortdesc/configure-favorites-shortdesc.md
new file mode 100644
index 0000000000..d61df8e460
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-favorites-shortdesc.md
@@ -0,0 +1 @@
+Use the **[Provision Favorites](../available-policies.md#provision-favorites)** in place of Configure Favorites.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-home-button-shortdesc.md b/browsers/edge/shortdesc/configure-home-button-shortdesc.md
new file mode 100644
index 0000000000..c1e1a48bab
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-home-button-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge shows the home button and by clicking it the Start page loads by default. With this policy, you can configure the Home button to load the New tab page or a URL defined in the Set Home button URL policy. You can also configure Microsoft Edge to hide the home button.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-inprivate-shortdesc.md b/browsers/edge/shortdesc/configure-inprivate-shortdesc.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md b/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md
new file mode 100644
index 0000000000..a0e1cbf398
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md
@@ -0,0 +1 @@
+Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single-app or as one of many apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md b/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md
new file mode 100644
index 0000000000..4772d2d2dd
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md
@@ -0,0 +1 @@
+You can configure Microsoft Edge kiosk mode to reset to the configured start experience after a specified amount of idle time in minutes (0-1440). The reset timer begins after the last user interaction. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge kiosk mode resets after 30 seconds. Resetting to the configured start experience deletes the current user’s browsing data.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md b/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md
new file mode 100644
index 0000000000..7383d68455
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allow users to make changes. With this policy, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-password-manager-shortdesc.md b/browsers/edge/shortdesc/configure-password-manager-shortdesc.md
new file mode 100644
index 0000000000..63a62cfff5
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-password-manager-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge uses Password Manager automatically, allowing users to manager passwords locally. Disabling this policy restricts Microsoft Edge from using Password Manager. Don’t configure this policy if you want to let users choose to save and manage passwords locally using Password Manager.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md b/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md
new file mode 100644
index 0000000000..e89395a2ab
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge turns off Pop-up Blocker allowing pop-up windows to appear. Enabling this policy turns on Pop-up Blocker stopping pop-up windows from appearing. Don’t configure this policy to let users choose to use Pop-up Blocker.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md b/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md
new file mode 100644
index 0000000000..e95e652f45
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md
@@ -0,0 +1 @@
+By default, users can choose to see search suggestions in the Address bar of Microsoft Edge. Disabling this policy hides the search suggestions and enabling this policy shows the search suggestions.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-start-pages-shortdesc.md b/browsers/edge/shortdesc/configure-start-pages-shortdesc.md
new file mode 100644
index 0000000000..f027fdb17e
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-start-pages-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge loads the pages specified in App settings as the default Start pages. With this policy, you can configure one or more Start pages when you enable this policy and enable the Configure Open Microsoft Edge With policy. Once you set the Start pages, either in this policy or Configure Open Microsoft Edge With policy, users cannot make changes.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md b/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md
new file mode 100644
index 0000000000..752f554dca
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns off Windows Defender SmartScreen and prevent users from turning it on. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md b/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md
new file mode 100644
index 0000000000..9286227f0e
--- /dev/null
+++ b/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md
@@ -0,0 +1 @@
+By default, the Start pages configured in either the Configure Start Pages policy or Configure Open Microsoft Edge policies cannot be changed and remain locked down. Enabling this policy unlocks the Start pages, and lets users make changes to either all configured Start page or any Start page configured with the Configure Start pages policy.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md b/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md
new file mode 100644
index 0000000000..5e485a0200
--- /dev/null
+++ b/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md
@@ -0,0 +1 @@
+By default, the “browser” group syncs automatically between user’s devices and allowing users to choose to make changes. The “browser” group uses the _Sync your Settings_ option in Settings to sync information like history and favorites. Enabling this policy prevents the “browser” group from using the Sync your Settings option. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/do-not-sync-shortdesc.md b/browsers/edge/shortdesc/do-not-sync-shortdesc.md
new file mode 100644
index 0000000000..1e9ac07094
--- /dev/null
+++ b/browsers/edge/shortdesc/do-not-sync-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge turns on the Sync your Settings toggle in Settings and let users choose what to sync on their device. Enabling this policy turns off and disables the Sync your Settings toggle in Settings, preventing syncing of user’s settings between their devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable this policy and select the _Allow users to turn syncing on_ option.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md b/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md
new file mode 100644
index 0000000000..71de365bde
--- /dev/null
+++ b/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge does not sync the user’s favorites between IE and Microsoft Edge. Enabling this policy syncs favorites between Internet Explorer and Microsoft Edge. Changes to favorites in one browser reflect in the other, including additions, deletions, modifications, and ordering of favorites.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md
new file mode 100644
index 0000000000..132291b931
--- /dev/null
+++ b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md
@@ -0,0 +1 @@
+This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md b/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md
new file mode 100644
index 0000000000..b13677be33
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md
@@ -0,0 +1 @@
+By default, users can access the about:flags page in Microsoft Edge, which is used to change developer settings and enable experimental features. Enabling this policy prevents users from accessing the about:flags page.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md
new file mode 100644
index 0000000000..135bd4f574
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious files, allowing them to continue downloading unverified file(s). Enabling this policy prevents users from bypassing the warnings, blocking them from downloading of unverified file(s).
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md
new file mode 100644
index 0000000000..56a2ecdd15
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious sites, allowing them to continue to the site. With this policy though, you can configure Microsoft Edge to prevent users from bypassing the warnings, blocking them from continuing to the site.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md b/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md
new file mode 100644
index 0000000000..0d4351e0cb
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md
@@ -0,0 +1 @@
+Web security certificates are used to ensure a site that users go to is legitimate, and in some circumstances, encrypts the data. By default, Microsoft Edge allows overriding of the security warnings to sites that have SSL errors, bypassing or ignoring certificate errors. Enabling this policy prevents overriding of the security warnings.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md b/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md
new file mode 100644
index 0000000000..195318866f
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md
@@ -0,0 +1 @@
+By default, users can add, import, and make changes to the Favorites list in Microsoft Edge. Enabling this policy locks down the Favorites list in Microsoft Edge, preventing users from making changes. When enabled, Microsoft Edge turns off the Save a Favorite, Import settings, and context menu items, such as Create a new folder. Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md b/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md
new file mode 100644
index 0000000000..4be519322f
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge collects the Live Tile metadata and sends it to Microsoft to help provide users a more complete experience when they pin Live Tiles to the Start menu. However, with this policy, you can configure Microsoft Edge to prevent Microsoft from collecting Live Tile metadata, providing users a limited experience.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md b/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md
new file mode 100644
index 0000000000..f587cc839c
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md
@@ -0,0 +1 @@
+By default, when launching Microsoft Edge for the first time, the First Run webpage (a welcome page) hosted on Microsoft.com loads automatically via a FWLINK. The welcome page lists the new features and helpful tips of Microsoft Edge. With this policy, you can configure Microsoft Edge to prevent loading the welcome page on first explicit user-launch.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md b/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md
new file mode 100644
index 0000000000..e428d938ed
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge allows users to uninstall extensions by default. Enabling this policy prevents users from uninstalling extensions but lets them configure options for extensions defined in this policy, such as allowing InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. If you enabled this policy and now you want to disable it, the list of extension package family names (PFNs) defined in this policy get ignored after disabling this policy.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md b/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md
new file mode 100644
index 0000000000..1211a69dfa
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md
@@ -0,0 +1 @@
+By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. With this policy, though, you can prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. For this policy to work correctly, you must enable the Do not sync browser policy.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md b/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
new file mode 100644
index 0000000000..defb76bdf5
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge shows localhost IP address while making calls using the WebRTC protocol. Enabling this policy hides the localhost IP addresses.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/provision-favorites-shortdesc.md b/browsers/edge/shortdesc/provision-favorites-shortdesc.md
new file mode 100644
index 0000000000..7f02b200c8
--- /dev/null
+++ b/browsers/edge/shortdesc/provision-favorites-shortdesc.md
@@ -0,0 +1 @@
+By default, users can customize the Favorites list in Microsoft Edge. With this policy though, you provision a standard list of favorites, which can include folders, to appear in the Favorites list in addition to the user’s favorites. Edge. Once you provision the Favorites list, users cannot customize it, such as adding folders for organizing, and adding or removing any of the favorites configured.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md b/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md
new file mode 100644
index 0000000000..c5684bc753
--- /dev/null
+++ b/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md b/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md
new file mode 100644
index 0000000000..296965ba86
--- /dev/null
+++ b/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md
@@ -0,0 +1 @@
+By default, all websites, including intranet sites, open in Microsoft Edge automatically. Only enable this policy if there are known compatibility problems with Microsoft Edge. Enabling this policy loads only intranet sites in Internet Explorer 11 automatically.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md b/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md
new file mode 100644
index 0000000000..839e07428b
--- /dev/null
+++ b/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge uses the default search engine specified in App settings. In this case, users can make changes to the default search engine at any time unless the Allow search engine customization policy is disabled, which restricts users from making any changes. Disabling this policy removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. Enabling this policy uses the policy-set search engine specified in the OpenSearch XML file, prevent users from changing the default search engine.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/set-home-button-url-shortdesc.md b/browsers/edge/shortdesc/set-home-button-url-shortdesc.md
new file mode 100644
index 0000000000..10ad478e1b
--- /dev/null
+++ b/browsers/edge/shortdesc/set-home-button-url-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge shows the home button and loads the Start page, and locks down the home button to prevent users from changing what page loads. Enabling this policy loads a custom URL for the home button. When you enable this policy, and enable the Configure Home button policy with the _Show home button & set a specific page_ option selected, a custom URL loads when the user clicks the home button.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md b/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md
new file mode 100644
index 0000000000..35ae30c337
--- /dev/null
+++ b/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge loads the default New tab page by default. Enabling this policy lets you set a New tab page URL in Microsoft Edge, preventing users from changing it. When you enable this policy, and you disable the Allow web content on New tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/shortdesc-test.md b/browsers/edge/shortdesc/shortdesc-test.md
new file mode 100644
index 0000000000..2c796253ef
--- /dev/null
+++ b/browsers/edge/shortdesc/shortdesc-test.md
@@ -0,0 +1 @@
+UI settings for the home button are disabled preventing your users from making changes
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md b/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md
new file mode 100644
index 0000000000..7601ad77fc
--- /dev/null
+++ b/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge does not show a notification before opening sites in Internet Explorer 11. However, with this policy, you can configure Microsoft Edge to display a notification before a site opens in IE11 or let users continue in Microsoft Edge. If you want users to continue in Microsoft Edge, enable this policy to show the “Keep going in Microsoft Edge” link in the notification. For this policy to work correctly, you must also enable the Configure the Enterprise Mode Site List or Send all intranet sites to Internet Explorer 11, or both.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/unlock-home-button-shortdesc.md b/browsers/edge/shortdesc/unlock-home-button-shortdesc.md
new file mode 100644
index 0000000000..62c666c475
--- /dev/null
+++ b/browsers/edge/shortdesc/unlock-home-button-shortdesc.md
@@ -0,0 +1 @@
+By default, when you enable the Configure Home button policy or provide a URL in the Set Home button URL policy, Microsoft Edge locks down the home button to prevent users from changing the settings. When you enable this policy, users can make changes to the home button even if you enabled the Configure Home button or Set Home button URL policies.
\ No newline at end of file
diff --git a/browsers/enterprise-mode/add-employees-enterprise-mode-portal.md b/browsers/enterprise-mode/add-employees-enterprise-mode-portal.md
new file mode 100644
index 0000000000..72e501af4b
--- /dev/null
+++ b/browsers/enterprise-mode/add-employees-enterprise-mode-portal.md
@@ -0,0 +1,65 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how to add employees to the Enterprise Mode Site List Portal. +author: eross-msft +ms.prod: ie11 +title: Add employees to the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + +# Add employees to the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +After you get the Enterprise Mode Site List Portal up and running, you must add your employees. During this process, you'll also assign roles and groups. + +The available roles are: + +- **Requester.** The primary role to assign to employees that need to access the Enterprise Mode Site List Portal. The Requester can create change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal change requests, and sign off and close personal change requests. + +- **App Manager.** This role is considered part of the Approvers group. The App Manager can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests. + +- **Group Head.** This role is considered part of the Approvers group. The Group Head can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests. + +- **Administrator.** The role with the highest-level rights; we recommend limiting the number of employees you grant this role. 
The Administrator can perform any task that can be performed by the other roles, in addition to adding employees to the portal, assigning employee roles, approving registrations to the portal, configuring portal settings (for example, determining the freeze schedule, determining the pre-production and production XML paths, and determining the attachment upload location), and using the standalone Enterprise Mode Site List Manager page. + +**To add an employee to the Enterprise Mode Site List Portal** +1. Open the Enterprise Mode Site List Portal and click the **Employee Management** icon in the upper-right area of the page. + + The **Employee management** page appears. + +2. Click **Add a new employee**. + + The **Add a new employee** page appears. + +3. Fill out the fields for each employee, including: + + - **Email.** Add the employee's email address. + + - **Name.** This box autofills based on the email address. + + - **Role.** Pick a single role for the employee, based on the list above. + + - **Group name.** Pick the name of the employee's group. The group association also assigns a group of Approvers. + + - **Comments.** Add optional comments about the employee. + + - **Active.** Click the check box to make the employee active in the system. If you want to keep the employee in the system, but you want to prevent access, clear this check box. + +4. Click **Save**. + +**To export all employees to an Excel spreadsheet** +1. On the **Employee management** page, click **Export to Excel**. + +2. Save the EnterpriseModeUsersList.xlsx file. + + The Excel file includes all employees with access to the Enterprise Mode Site List Portal, including user name, email address, role, and group name. \ No newline at end of file 
diff --git a/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md b/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
new file mode 100644
index 0000000000..595d31fa6f
--- /dev/null
+++ b/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
@@ -0,0 +1,109 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager. +author: eross-msft +ms.prod: ie11 +ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c +title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) + +**Applies to:** + +- Windows 8.1 +- Windows 7 + +You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager. You can only add specific URLs, not Internet or Intranet Zones. + +If you want to add your websites one at a time, see Add sites to the [Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md). + +## Create an Enterprise Mode site list (TXT) file +You can create and use a custom text file to add multiple sites to your Enterprise Mode site list at the same time.

**Important**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company. + +You must separate each site using commas or carriage returns. For example: + +``` +microsoft.com, bing.com, bing.com/images +``` +**-OR-** + +``` +microsoft.com +bing.com +bing.com/images +``` + +## Create an Enterprise Mode site list (XML) file using the v.1 version of the Enterprise Mode schema +You can create and use a custom XML file with the Enterprise Mode Site List Manager to add multiple sites to your Enterprise Mode site list at the same time. For more info about the v.1 version of the Enterprise Mode schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). + +Each XML file must include: + +- **Version number.** This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.

**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser. + +- **<emie> tag.** This tag specifies the domains and domain paths that must be rendered using IE7 Enterprise Mode, IE8 Enterprise Mode, or the default IE11 browser environment.

**Important**
If you decide a site requires IE7 Enterprise Mode, you must add `forceCompatView=”true”` to your XML file. That code tells Enterprise Mode to check for a `DOCTYPE` tag on the specified webpage. If there is, the site renders using Windows Internet Explorer 7. If there’s no tag, the site renders using Microsoft Internet Explorer 5. + +- **<docMode> tag.**This tag specifies the domains and domain paths that need either to appear using the specific doc mode you assigned to the site. Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). + +### Enterprise Mode v.1 XML schema example +The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). + +``` + + + www.cpandl.com + www.woodgrovebank.com + adatum.com + contoso.com + relecloud.com + /about + + fabrikam.com + /products + + + + contoso.com + /travel + + fabrikam.com + /products + + + +``` + +To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY\CURRENT\USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.

**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (. + +## Add multiple sites to the Enterprise Mode Site List Manager (schema v.1) +After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.1). + + **To add multiple sites** + +1. In the Enterprise Mode Site List Manager (schema v.1), click **Bulk add from file**. + +2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.

+Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). + +3. Click **OK** to close the **Bulk add sites to the list** menu. + +4. On the **File** menu, click **Save to XML**, and save your file.

+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). + +## Next steps +After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Related topics +- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +  + +  + + + diff --git a/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md new file mode 100644 index 0000000000..c8077d0f92 --- /dev/null +++ b/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md 
@@ -0,0 +1,119 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Add multiple sites to your Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2).
+author: eross-msft
+ms.prod: ie11
+ms.assetid: da659ff5-70d5-4852-995e-4df67c4871dd
+title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 10/24/2017
+---
+
+
+# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+
+You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager (schema v.2). You can only add specific URLs, not Internet or Intranet Zones.
+
+To add your websites one at a time, see [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md).
+
+## Create an Enterprise Mode site list (TXT) file
+
+You can create and use a custom text file with the Enterprise Mode Site List Manager (schema v.2) to add multiple sites to your Enterprise Mode site list at the same time.
+
+>**Important:**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company.
+
+You must separate each site using commas or carriage returns. For example:
+
+```
+microsoft.com, bing.com, bing.com/images
+```
+**-OR-**
+
+```
+microsoft.com
+bing.com
+bing.com/images
+```
+
+## Create an Enterprise Mode site list (XML) file using the v.2 version of the Enterprise Mode schema
+
+You can create and use a custom XML file with the Enterprise Mode Site List Manager (schema v.2) to add multiple sites to your Enterprise Mode site list at the same time.
+
+Each XML file must include:
+
+- **site-list version number**. This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.

**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser.  + +- **<compat-mode> tag.** This tag specifies what compatibility setting are used for specific sites or domains. + +- **<open-in> tag.** This tag specifies what browser opens for each sites or domain. + +### Enterprise Mode v.2 XML schema example + +The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md). + +``` + + + + EnterpriseSitelistManager + 10240 + 20150728.135021 + + + + IE8Enterprise + MSEdge + + + IE7Enterprise + IE11 + + + default + IE11 + + +``` +In the above example, the following is true: + +- www.cpandl.com, as the main domain, must use IE8 Enterprise Mode. However, www.cpandl.com/images must use IE7 Enterprise Mode. + +- contoso.com, and all of its domain paths, can use the default compatibility mode for the site. + +To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.

**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (schema v.2).
+
+## Add multiple sites to the Enterprise Mode Site List Manager (schema v.2)
+After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.2).
+
+ **To add multiple sites**
+
+1. In the Enterprise Mode Site List Manager (schema v.2), click **Bulk add from file**.
+
+2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.

+Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
+
+3. Click **OK** to close the **Bulk add sites to the list** menu.
+
+4. On the **File** menu, click **Save to XML**, and save your file.

+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). + +## Next steps +After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) +  + +  + + + diff --git a/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md new file mode 100644 index 0000000000..f6061375ab --- /dev/null +++ b/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md 
@@ -0,0 +1,63 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26
+title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)
+
+**Applies to:**
+
+- Windows 8.1
+- Windows 7
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.

**Important**
You can only add specific URLs, not Internet or Intranet Zones. + +

**Note**
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see [Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and 8.1 Enterprise Mode Site List Manager](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md).
+
+## Adding a site to your compatibility list
+You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.
+

**Note**
If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md).
+
+ **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)**
+
+1. In the Enterprise Mode Site List Manager (schema v.1), click **Add**.
+
+2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.

+Don't include the `http://` or `https://` designation. The tool automatically tries both versions during validation.
+
+3. Type any comments about the website into the **Notes about URL** box.

+Administrators can only see comments while they’re in this tool.
+
+4. Choose **IE7 Enterprise Mode**, **IE8 Enterprise Mode**, or the appropriate document mode for sites that must be rendered using the emulation of a previous version of IE, or pick **Default IE** if the site should use the latest version of IE.
+
+The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected.
+
+Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
+
+5. Click **Save** to validate your website and to add it to the site list for your enterprise.

+If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway.
+
+6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Next steps +After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +  + +  + + + diff --git a/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md new file mode 100644 index 0000000000..eafa1921a5 --- /dev/null +++ b/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md 
@@ -0,0 +1,79 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that''s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 513e8f3b-fedf-4d57-8d81-1ea4fdf1ac0b
+title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+
+Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.

**Important**
You can only add specific URLs, not Internet or Intranet Zones. + +

**Note**
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system.
+
+## Adding a site to your compatibility list
+You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.

+**Note**
If you're using the v.1 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see [Add sites to the Enterprise Mode site list using the WEnterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md).
+
+ **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.2)**
+
+1. In the Enterprise Mode Site List Manager (schema v.2), click **Add**.
+
+2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.

+Don't include the `http://` or `https://` designation. The tool automatically tries both versions during validation.
+
+3. Type any comments about the website into the **Notes about URL** box.

+Administrators can only see comments while they’re in this tool.
+
+4. In the **Compat Mode** box, choose one of the following:
+
+ - **IE8Enterprise**. Loads the site in IE8 Enterprise Mode.
+
+ - **IE7Enterprise**. Loads the site in IE7 Enterprise Mode.
+
+ - **IE\[*x*\]**. Where \[x\] is the document mode number and the site loads in the specified document mode.
+
+ - **Default Mode**. Loads the site using the default compatibility mode for the page.
+
+ The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected.
+
+ Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
+
+5. In conjunction with the compatibility mode, you'll need to use the **Open in** box to pick which browser opens the site.
+
+ - **IE11**. Opens the site in IE11, regardless of which browser is opened by the employee.
+
+ - **MSEdge**. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
+
+ - **None**. Opens in whatever browser the employee chooses.
+
+6. Click **Save** to validate your website and to add it to the site list for your enterprise.

+If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway.
+
+7. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Next steps +After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +  + +  + + + diff --git a/browsers/enterprise-mode/administrative-templates-and-ie11.md b/browsers/enterprise-mode/administrative-templates-and-ie11.md new file mode 100644 index 0000000000..8f22d23808 --- /dev/null +++ b/browsers/enterprise-mode/administrative-templates-and-ie11.md 
@@ -0,0 +1,79 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: security
+description: Administrative templates and Internet Explorer 11
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3
+title: Administrative templates and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Administrative templates and Internet Explorer 11
+
+Administrative Templates are made up of a hierarchy of policy categories and subcategories that define how your policy settings appear in the Local Group Policy Editor, including:
+
+- What registry locations correspond to each setting.
+
+- What value options or restrictions are associated with each setting.
+
+- The default value for many settings.
+
+- Text explanations about each setting and the supported version of Internet Explorer.
+
+For a conceptual overview of Administrative Templates, see [Managing Group Policy ADMX Files Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=214519).
+
+## What are Administrative Templates?
+Administrative Templates are XML-based, multi-language files that define the registry-based Group Policy settings in the Local Group Policy Editor. There are two types of Administrative Templates:
+
+- **ADMX.** A language-neutral setup file that states the number and type of policy setting, and the location by category, as it shows up in the Local Group Policy Editor.
+
+- **ADML.** A language-specific setup file that provides language-related information to the ADMX file. This file lets the policy setting show up in the right language in the Local Group Policy Editor. You can add new languages by adding new ADML files in the required language.
+
+## How do I store Administrative Templates?
+As an admin, you can create a central store folder on your SYSVOL directory, named **PolicyDefinitions**. For example, %*SystemRoot*%\\PolicyDefinitions.
This folder provides a single, centralized storage location for your Administrative Templates (both ADMX and ADML) files, so they can be used by your domain-based Group Policy Objects (GPOs). +

**Important**
Your Group Policy tools use the ADMX files in your store, ignoring any local copies. For more information about creating a central store, see [Scenario 1: Editing the Local GPO Using ADMX Files](https://go.microsoft.com/fwlink/p/?LinkId=276810).
+
+## Administrative Templates-related Group Policy settings
+When you install Internet Explorer 11, it updates the local administrative files, Inetres.admx and Inetres.adml, both located in the **PolicyDefinitions** folder.
+

**Note**
You won't see the new policy settings if you try to view or edit your policy settings on a computer that isn't running IE11. To fix this, you can either install IE11, or you can copy the updated Inetres.admx and Inetres.adml files from another computer to the **PolicyDefinitions** folder on this computer.
+
+IE11 provides these new policy settings, which are editable in the Local Group Policy Editor, and appear in the following policy paths:
+
+- Computer Configuration\\Administrative Templates\\Windows Components\\
+
+- User Configuration\\Administrative Templates\\Windows Components\\
+
+
+|Catalog |Description |
+| ------------------------------------------------ | --------------------------------------------|
+|IE |Turns standard IE configuration on and off. |
+|Internet Explorer\Accelerators |Sets up and manages Accelerators. |
+|Internet Explorer\Administrator Approved Controls |Turns ActiveX controls on and off. |
+|Internet Explorer\Application Compatibility |Turns the **Cut**, **Copy**, or **Paste** operations on or off. This setting also requires that `URLACTION_SCRIPT_PASTE` is set to **Prompt**. |
+|Internet Explorer\Browser Menus |Shows or hides the IE menus and menu options.|
+|Internet Explorer\Corporate Settings |Turns off whether you specify the code download path for each computer. |
+|Internet Explorer\Delete Browsing History |Turns the **Delete Browsing History** settings on and off. |
+|Internet Explorer\Internet Control Panel |Turns pages on and off in the **Internet Options** dialog box. Also turns on and off the subcategories that manage settings on the **Content**, **General**, **Security** and **Advanced** pages. |
+|Internet Explorer\Internet Settings |Sets up and manages the **Advanced settings**, **AutoComplete**, **Display Settings**, and **URL Encoding** options. |
+|Internet Explorer\Persistence Behavior |Sets up and manages the file size limits for Internet security zones.
|
+|Internet Explorer\Privacy |Turns various privacy-related features on and off. |
+|Internet Explorer\Security Features |Turns various security-related features on and off in the browser, Windows Explorer, and other applications. |
+|Internet Explorer\Toolbars |Turns on and off the ability for users to edit toolbars in the browser. You can also set the default toolbar buttons here. |
+|RSS Feeds |Sets up and manages RSS feeds in the browser. |
+
+
+## Editing Group Policy settings
+Regardless which tool you're using to edit your Group Policy settings, you'll need to follow one of these guides for step-by-step editing instructions:
+
+- **If you're using the Group Policy Management Console (GPMC) or the Local Group Policy Editor.** See [Edit Administrative Template Policy Settings](https://go.microsoft.com/fwlink/p/?LinkId=214521) for step-by-step instructions about editing your Administrative Templates.
+
+- **If you're using GPMC with Advanced Group Policy Management (AGPM).** See [Checklist: Create, Edit, and Deploy a GPO](https://go.microsoft.com/fwlink/p/?LinkId=214522) for step-by-step instructions about how to check out a GPO from the AGPM archive, edit it, and request deployment.
+
+## Related topics
+- [Administrative templates (.admx) for Windows 10 download](https://go.microsoft.com/fwlink/p/?LinkId=746579)
+- [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580)
+
diff --git a/browsers/enterprise-mode/approve-change-request-enterprise-mode-portal.md b/browsers/enterprise-mode/approve-change-request-enterprise-mode-portal.md
new file mode 100644
index 0000000000..24078753c7
--- /dev/null
+++ b/browsers/enterprise-mode/approve-change-request-enterprise-mode-portal.md
@@ -0,0 +1,59 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# Approve a change request using the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+After a change request is successfully submitted to the pre-defined Approver(s), employees granted the role of **App Manager**, **Group Head**, or **Administrator**, they must approve the changes.
+
+## Approve or reject a change request
+The Approvers get an email stating that a Requester successfully opened, tested, and submitted the change request to the Approvers group. The Approvers can accept or reject a change request.
+
+**To approve or reject a change request**
+1. The Approver logs onto the Enterprise Mode Site List Portal, **All Approvals** page.
+
+ The Approver can also get to the **All Approvals** page by clicking **Approvals Pending** from the left pane.
+
+2. The Approver clicks the expander arrow (**\/**) to the right side of the change request, showing the list of Approvers and the **Approve** and **Reject** buttons.
+
+3. The Approver reviews the change request, making sure it's correct. If the info is correct, the Approver clicks **Approve** to approve the change request. If the info seems incorrect, or if the app shouldn't be added to the site list, the Approver clicks **Reject**.
+
+ An email is sent to the Requester, the Approver(s) group, and the Administrator(s) group, with the updated status of the request.
+
+
+## Send a reminder to the Approver(s) group
+If the change request is sitting in the approval queue for too long, the Requester can send a reminder to the group.
+
+- From the **My Approvals** page, click the checkbox next to the name of each Approver to be reminded, and then click **Send reminder**.
+
+ An email is sent to the selected Approver(s).
+
+
+## View rejected change requests
+The original Requester, the Approver(s) group, and the Administrator(s) group can all view the rejected change request.
+
+**To view the rejected change request**
+
+- In the Enterprise Mode Site List Portal, click **Rejected** from the left pane.
+
+ All rejected change requests appear, with role assignment determining which ones are visible.
+
+
+## Next steps
+After an Approver approves the change request, it must be scheduled for inclusion in the production Enterprise Mode Site List. For the scheduling steps, see the [Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md) topic.
\ No newline at end of file
diff --git a/browsers/enterprise-mode/check-for-new-enterprise-mode-site-list-xml-file.md b/browsers/enterprise-mode/check-for-new-enterprise-mode-site-list-xml-file.md
new file mode 100644
index 0000000000..cf0a576c0e
--- /dev/null
+++ b/browsers/enterprise-mode/check-for-new-enterprise-mode-site-list-xml-file.md
@@ -0,0 +1,49 @@
+---
+title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros)
+description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode.
+ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df
+ms.prod: ie11
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+ms.sitesec: library
+author: eross-msft
+ms.author: lizross
+ms.date: 08/14/2017
+ms.localizationpriority: low
+---
+
+
+# Check for a new Enterprise Mode site list xml file
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. You can add and remove sites from your XML list as frequently as you want, changing which sites should render in Enterprise Mode for your employees. For information about turning on Enterprise Mode and using site lists, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
+
+The information in this topic only covers HTTPS protocol. We strongly recommend that you use HTTPS protocol instead of file protocol due to increased performance.
+
+**How Internet Explorer 11 looks for an updated site list**
+
+1. Internet Explorer starts up and looks for an updated site list in the following places:
+
+ 1. **In the cache container.** IE first checks the cache container to see if it finds your XML site list.
+
+ 2. **In the local cache.** If there’s nothing in the cache container, IE checks your local cache for the site list.
+
+ 3. **On the server.** Based on standard IE caching rules, IE might look for a copy of your site list in the location you put specified in the **SiteList** value of the registry.
+
+2. 
If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.

**Note**
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. + +   + +  + +  + + + diff --git a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md new file mode 100644 index 0000000000..ff584c1c9d --- /dev/null +++ b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md @@ -0,0 +1,479 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. +author: eross-msft +ms.prod: ie11 +ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6 +title: Collect data using Enterprise Site Discovery +ms.sitesec: library +ms.date: 07/27/2017 +--- + +# Collect data using Enterprise Site Discovery + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 with Service Pack 1 (SP1) + +Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. + +>**Upgrade Analytics and Windows upgrades**
+>You can use Upgrade Analytics to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Analytics to review several site discovery reports. Check out Upgrade Analytics from [here](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-analytics-get-started). + + +## Before you begin +Before you start, you need to make sure you have the following: + +- Latest cumulative security update (for all supported versions of Internet Explorer): + + 1. Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**. + + ![microsoft security bulletin techcenter](images/securitybulletin-filter.png) + + 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table. + + ![affected software section](images/affectedsoftware.png) + + 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section. + +- [Setup and configuration package](https://go.microsoft.com/fwlink/p/?LinkId=517719), including: + + - Configuration-related PowerShell scripts + + - IETelemetry.mof file + + - Sample System Center 2012 report templates + + You must use System Center 2012 R2 Configuration Manager or later for these samples to work. + +Both the PowerShell script and the Managed Object Format (.MOF) file need to be copied to the same location on the client device, before you run the scripts. + +## What data is collected? +Data is collected on the configuration characteristics of IE and the sites it browses, as shown here. + +|Data point |IE11 |IE10 |IE9 |IE8 |Description | +|------------------------|-----|-----|-----|-----|------------------------------------------------------------------------| +|URL | X | X | X | X |URL of the browsed site, including any parameters included in the URL. 
| +|Domain | X | X | X | X |Top-level domain of the browsed site. | +|ActiveX GUID | X | X | X | X |GUID of the ActiveX controls loaded by the site. | +|Document mode | X | X | X | X |Document mode used by IE for a site, based on page characteristics. | +|Document mode reason | X | X | | |The reason why a document mode was set by IE. | +|Browser state reason | X | X | | |Additional information about why the browser is in its current state. Also called, browser mode. | +|Hang count | X | X | X | X |Number of visits to the URL when the browser hung. | +|Crash count | X | X | X | X |Number of visits to the URL when the browser crashed. | +|Most recent navigation failure (and count) | X | X | X | X |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. | +|Number of visits | X | X | X | X |Number of times a site has been visited. | +|Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. | + + +>**Important**
By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. + +### Understanding the returned reason codes +The following tables provide more info about the Document mode reason, Browser state reason, and the Zone codes that are returned as part of your data collection. + +#### DocMode reason +The codes in this table can tell you what document mode was set by IE for a webpage.
These codes only apply to Internet Explorer 10 and Internet Explorer 11. + +|Code |Description | +|-----|------------| +|3 |Page state is set by the `FEATURE_DOCUMENT_COMPATIBLE_MODE` feature control key.| +|4 |Page is using an X-UA-compatible meta tag. | +|5 |Page is using an X-UA-compatible HTTP header. | +|6 |Page appears on an active **Compatibility View** list. | +|7 |Page is using native XML parsing. | +|8 |Page is using a special Quirks Mode Emulation (QME) mode that uses the modern layout engine, but the quirks behavior of Internet Explorer 5. | +|9 |Page state is set by the browser mode and the page's DOCTYPE.| + +#### Browser state reason +The codes in this table can tell you why the browser is in its current state. Also called “browser mode”.
These codes only apply to Internet Explorer 10 and Internet Explorer 11. + +|Code |Description | +|-----|------------| +|1 |Site is on the intranet, with the **Display intranet sites in Compatibility View** box checked. | +|2 |Site appears on an active **Compatibility View** list, created in Group Policy. | +|3 |Site appears on an active **Compatibility View** list, created by the user. | +|4 |Page is using an X-UA-compatible tag. | +|5 |Page state is set by the **Developer** toolbar. | +|6 |Page state is set by the `FEATURE_BROWSER_EMULATION` feature control key. | +|7 |Site appears on the Microsoft **Compatibility View (CV)** list. | +|8 |Site appears on the **Quirks** list, created in Group Policy. | +|11 |Site is using the default browser. | + +#### Zone +The codes in this table can tell you what zone is being used by IE to browse sites, based on browser settings.
These codes apply to Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. + +|Code |Description | +|-----|------------| +|-1 |Internet Explorer is using an invalid zone. | +|0 |Internet Explorer is using the Local machine zone. | +|1 |Internet Explorer is using the Local intranet zone. | +|2 |Internet Explorer is using the Trusted sites zone. | +|3 |Internet Explorer is using the Internet zone. | +|4 |Internet Explorer is using the Restricted sites zone. | + +## Where is the data stored and how do I collect it? +The data is stored locally, in an industry-standard WMI class, .MOF file or in an XML file, depending on your configuration. This file remains on the client computer until it’s collected. To collect the files, we recommend: + +- **WMI file**. Use Microsoft Configuration Manager or any agent that can read the contents of a WMI class on your computer. + +- **XML file**. Any agent that works with XML can be used. + +## WMI Site Discovery suggestions +We recommend that you collect your data for at most a month at a time, to capture a user’s typical workflow. We don’t recommend collecting data longer than that because the data is stored in a WMI provider and can fill up your computer’s hard drive. You may also want to collect data only for pilot users or a representative sample of people, instead of turning this feature on for everyone in your company. + +On average, a website generates about 250bytes of data for each visit, causing only a minor impact to Internet Explorer’s performance. Over the course of a month, collecting data from 20 sites per day from 1,000 users, you’ll get about 150MB of data:

250 bytes (per site visit) X 20 sites/day X 30 days = (approximately) 150KB X 1000 users = (approximately) 150MB + +>**Important**
The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. + +## Getting ready to use Enterprise Site Discovery +Before you can start to collect your data, you must run the provided PowerShell script (IETelemetrySetUp.ps1) on your client devices to start generating the site discovery data and to set up a place to store this data locally. Then, you must start collecting the site discovery data from the client devices, using one of these three options: + +- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

+-OR- +- Collect your hardware inventory using the MOF Editor with a .MOF import file.

+-OR- +- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) + +### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges +You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes. + +>**Important**
You must run this script if you’re using WMI as your data output. It's not necessary if you're using XML as your data output. + +**To set up Enterprise Site Discovery** + +- Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETElemetrySetUp.ps1`. For more info, see [about Execution Policies](https://go.microsoft.com/fwlink/p/?linkid=517460). + +### WMI only: Set up your firewall for WMI data +If you choose to use WMI as your data output, you need to make sure that your WMI data can travel through your firewall for the domain. If you’re sure, you can skip this section; otherwise, follow these steps: + +**To set up your firewall** + +1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**. + +2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**. + +3. Restart your computer to start collecting your WMI data. + +## Use PowerShell to finish setting up Enterprise Site Discovery +You can determine which zones or domains are used for data collection, using PowerShell. If you don’t want to use PowerShell, you can do this using Group Policy. For more info, see [Use Group Policy to finish setting up Enterprise Site Discovery](#use-group-policy-to-finish-setting-up-enterprise-site-discovery). + +>**Important**
The .ps1 file updates turn on Enterprise Site Discovery and WMI collection for all users on a device. + +- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process. + +- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process. + +**To set up data collection using a domain allow list** + + - Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1, using this command: `.\IETElemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`. + + >**Important**
Wildcards, like \*.microsoft.com, aren’t supported. + +**To set up data collection using a zone allow list** + + - Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1, using this command: `.\IETElemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`. + + >**Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported. + +## Use Group Policy to finish setting up Enterprise Site Discovery +You can use Group Policy to finish setting up Enterprise Site Discovery. If you don’t want to use Group Policy, you can do this using PowerShell. For more info, see [Use Powershell to finish setting up Enterprise Site Discovery](#use-powershell-to-finish-setting-up-enterprise-site-discovery). + +>**Note**
 All of the Group Policy settings can be used individually or as a group. + + **To set up Enterprise Site Discovery using Group Policy** + +- Open your Group Policy editor, and go to these new settings: + + |Setting name and location |Description |Options | + |---------------------------|-------------|---------| + |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output |Writes collected data to a WMI class, which can be aggregated using a client-management solution like Configuration Manager. |

| + |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output |Writes collected data to an XML file, which is stored in your specified location. | | + |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by Zone |Manages which zone can collect data. |To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
0 – Local Intranet zone
0 – Local Machine zone

**Example 1:** Include only the Local Intranet zone

Binary representation: *00010*, based on:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
1 – Local Intranet zone
0 – Local Machine zone

**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones

Binary representation: *10110*, based on:

1 – Restricted Sites zone
0 – Internet zone
1 – Trusted Sites zone
1 – Local Intranet zone
1 – Local Machine zone | + |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by domain |Manages which domains can collect data |To specify which domains can collect data, you must include your selected domains, one domain per line, in the provided box. It should look like:

microsoft.sharepoint.com
outlook.com
onedrive.com
timecard.contoso.com
LOBApp.contoso.com | + +### Combining WMI and XML Group Policy settings +You can use both the WMI and XML settings individually or together: + +**To turn off Enterprise Site Discovery** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputBlank
+ +**Turn on WMI recording only** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputBlank
+ +**To turn on XML recording only** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputXML file path
+ +**To turn on both WMI and XML recording** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputXML file path
+ +## Use Configuration Manager to collect your data +After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options: + +- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

+-OR- +- Collect your hardware inventory using the MOF Editor with a .MOF import file.

+-OR- +- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) + +### Collect your hardware inventory using the MOF Editor while connected to a client device +You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices. + + **To collect your inventory** + +1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. + + ![Configuration Manager, showing the hardware inventory settings for client computers](images/configmgrhardwareinventory.png) + +2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes. + +3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**. + + ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box](images/ie11-inventory-addclassconnectscreen.png) + +4. Select the check boxes next to the following classes, and then click **OK**: + + - IESystemInfo + + - IEURLInfo + + - IECountInfo + +5. Click **OK** to close the default windows.
+Your environment is now ready to collect your hardware inventory and review the sample reports. + +### Collect your hardware inventory using the MOF Editor with a .MOF import file +You can collect your hardware inventory using the MOF Editor and a .MOF import file. + + **To collect your inventory** + +1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. + +2. Click **Import**, choose the MOF file from the downloaded package we provided, and click **Open**. + +3. Pick the inventory items to install, and then click **Import**. + +4. Click **OK** to close the default windows.
+Your environment is now ready to collect your hardware inventory and review the sample reports. + +### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) +You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option. + +**To collect your inventory** + +1. Using a text editor like Notepad, open the SMS\DEF.MOF file, located in your `\inboxes\clifiles.src\hinv` directory. + +2. Add this text to the end of the file: + + ``` + [SMS_Report (TRUE), + SMS_Group_Name ("IESystemInfo"), + SMS_Class_ID ("MICROSOFT|IESystemInfo|1.0"), + Namespace ("root\\\\cimv2\\\\IETelemetry") ] + Class IESystemInfo: SMS_Class_Template + { + [SMS_Report (TRUE), Key ] + String SystemKey; + [SMS_Report (TRUE) ] + String IEVer; + }; + + [SMS_Report (TRUE), + SMS_Group_Name ("IEURLInfo"), + SMS_Class_ID ("MICROSOFT|IEURLInfo|1.0"), + Namespace ("root\\\\cimv2\\\\IETelemetry") ] + Class IEURLInfo: SMS_Class_Template + { + [SMS_Report (TRUE), Key ] + String URL; + [SMS_Report (TRUE) ] + String Domain; + [SMS_Report (TRUE) ] + UInt32 DocMode; + [SMS_Report (TRUE) ] + UInt32 DocModeReason; + [SMS_Report (TRUE) ] + UInt32 Zone; + [SMS_Report (TRUE) ] + UInt32 BrowserStateReason; + [SMS_Report (TRUE) ] + String ActiveXGUID[]; + [SMS_Report (TRUE) ] + UInt32 CrashCount; + [SMS_Report (TRUE) ] + UInt32 HangCount; + [SMS_Report (TRUE) ] + UInt32 NavigationFailureCount; + [SMS_Report (TRUE) ] + UInt32 NumberOfVisits; + [SMS_Report (TRUE) ] + UInt32 MostRecentNavigationFailure; + }; + + [SMS_Report (TRUE), + SMS_Group_Name ("IECountInfo"), + SMS_Class_ID ("MICROSOFT|IECountInfo|1.0"), + Namespace ("root\\\\cimv2\\\\IETelemetry") ] + Class IECountInfo: SMS_Class_Template + { + [SMS_Report (TRUE), Key ] + String CountKey; + 
[SMS_Report (TRUE) ] + UInt32 CrashCount; + [SMS_Report (TRUE) ] + UInt32 HangCount; + [SMS_Report (TRUE) ] + UInt32 NavigationFailureCount; + }; + ``` + +3. Save the file and close it to the same location. + Your environment is now ready to collect your hardware inventory and review the sample reports. + +## View the sample reports with your collected data +The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data. + +### SCCM Report Sample – ActiveX.rdl +Gives you a list of all of the ActiveX-related sites visited by the client computer. + +![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer](images/configmgractivexreport.png) + +### SCCM Report Sample – Site Discovery.rdl +Gives you a list of all of the sites visited by the client computer. + +![Site Discovery.rdl report, lists all websites visited by the client computer](images/ie-site-discovery-sample-report.png) + +## View the collected XML data +After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like: + +``` xml + + + [dword] + [dword] + [dword] + + + [string] + + [guid] + + [dword] + [dword] + [dword] + [dword] + [dword] + [dword] + [dword] + [dword] + [string] + [dword] + + + + +``` +You can import this XML data into the correct version of the Enterprise Mode Site List Manager, automatically adding the included sites to your Enterprise Mode site list. + +**To add your XML data to your Enterprise Mode site list** + +1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**. + + ![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png) + +2. Go to your XML file to add the included sites to the tool, and then click **Open**.
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). + +3. Click **OK** to close the **Bulk add sites to the list** menu. + +## Turn off data collection on your client devices +After you’ve collected your data, you’ll need to turn Enterprise Site Discovery off. + +**To stop collecting data, using PowerShell** + +- On your client computer, start Windows PowerShell in elevated mode (using admin privileges) and run `IETelemetrySetUp.ps1`, using this command: `powershell -ExecutionPolicy Bypass .\IETElemetrySetUp.ps1 –IEFeatureOff`. + + >**Note**
Turning off data collection only disables the Enterprise Site Discovery feature – all data already written to WMI stays on your employee’s computer. + + +**To stop collecting data, using Group Policy** + +1. Open your Group Policy editor, go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output`, and click **Off**. + +2. Go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output`, and clear the file path location. + +### Delete already stored data from client computers +You can completely remove the data stored on your employee’s computers. + +**To delete all existing data** + +- On the client computer, start PowerShell in elevated mode (using admin privileges) and run these four commands: + + - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IEURLInfo` + + - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IESystemInfo` + + - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IECountInfo` + + - `Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'` + +## Related topics +* [Enterprise Mode Site List Manager (schema v.2) download](https://go.microsoft.com/fwlink/?LinkId=746562) +* [Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md) +  + + + diff --git a/browsers/enterprise-mode/configure-settings-enterprise-mode-portal.md b/browsers/enterprise-mode/configure-settings-enterprise-mode-portal.md new file mode 100644 index 0000000000..36066de055 --- /dev/null +++ b/browsers/enterprise-mode/configure-settings-enterprise-mode-portal.md 
@@ -0,0 +1,94 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how the Administrator can use the Settings page to set up Groups and roles, the Enterprise Mode Site List Portal environment, and the freeze dates for production changes.
+author: eross-msft
+ms.prod: ie11
+title: Use the Settings page to finish setting up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# Use the Settings page to finish setting up the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+The **Settings** page lets anyone with Administrator rights set up groups and roles, set up the Enterprise Mode Site List Portal environment, and choose the freeze dates for production changes.
+
+## Use the Environment settings area
+This area lets you specify the location of your production and pre-production environments, where to store your attachments, your settings location, and the website domain for email notifications.
+
+**To add location info**
+1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page.
+
+ The **Settings** page appears.
+
+2. In the **Environment settings** area of the page, provide the info for your **Pre-production environment**, your **Production environment**, your **Attachments location**, your **Settings location**, and your **Website domain for email notifications**.
+
+3. Click **Credentials** to add the appropriate domain, user name, and password for each location, and then click **OK**.
+
+## Use the Group and role settings area
+After you set up your email credentials, you'll be able to add or edit your Group info, along with picking which roles must be Approvers for the group.
+
+**To add a new group and determine the required change request Approvers**
+1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page.
+
+ The **Settings** page appears.
+
+2. In the **Group and role settings** area of the page, click **Group details**.
+
+ The **Add or edit group names** box appears.
+
+3. Click the **Add group** tab, and then add the following info:
+
+ - **New group name.** Type name of your new group.
+
+ - **Group head email.** Type the email address for the primary contact for the group.
+
+ - **Group head name.** This box automatically fills, based on the email address.
+
+ - **Active.** Click the check box to make the group active in the system. If you want to keep the group in the system, but you want to prevent access, clear this check box.
+
+4. Click **Save**.
+
+
+**To set a group's required Approvers**
+1. In the **Group and role settings** area of the page, choose the group name you want to update with Approvers from the **Group name** box.
+
+2. In the **Required approvers** area, choose which roles are required to approve a change request for the group. You can choose one or many roles.
+
+ - **App Manager.** All employees in the selected group must get change request approval by someone assigned this role.
+
+ You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box.
+
+ - **Group Head.** All employees in the selected group must get change request approval by someone assigned this role.
+
+ You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box.
+
+ - **Administrator.** All employees in the selected group must get change request approval by someone assigned this role.
+
+## Use the Freeze production changes area
+This optional area lets you specify a period when your employees must stop adding changes to the current Enterprise Mode Site List.
This must include both a start and an end date.
+
+**To add the start and end dates**
+1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page.
+
+ The **Settings** page appears.
+
+2. In the **Freeze production changes** area of the page, use the calendars to provide the **Freeze start date** and the **Freeze end date**. Your employees can't add apps to the production Enterprise Mode Site List during this span of time.
+
+3. Click **Save**.
+
+## Related topics
+- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
+
+- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
+
+- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)
\ No newline at end of file
diff --git a/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md
new file mode 100644
index 0000000000..18b8b34406
--- /dev/null
+++ b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md
@@ -0,0 +1,70 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how to create a change request within the Enterprise Mode Site List Portal. +author: eross-msft +ms.prod: ie11 +title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + +# Create a change request using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal. + +>[!Important] +>Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. + +**To create a new change request** +1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**. + + The **Create new request** page appears. + +2. Fill out the required fields, based on the group and the app, including: + + - **Group name.** Select the name of your group from the dropdown box. + + - **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List. + + - **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list. + + - **Add new app.** If your app isn't listed, you can click **Add new app** to add it to the list. + + - **Requested by.** Automatically filled in with your name. 
+ + - **Description.** Add descriptive info about the app. + + - **Requested change.** Select whether you want to **Add to EMIE**, **Delete from EMIE**, or **Update to EMIE**. + + - **Reason for request.** Select the best reason for why you want to update, delete, or add the app. + + - **Business impact (optional).** An optional area where you can provide info about the business impact of this app and the change. + + - **App location (URL).** The full URL location to the app, starting with http:// or https://. + + - **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes. + + - **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/en-us/library/cc288325(v=vs.85).aspx). + +4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing. + + A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list. + +5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct. + + - **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**. + + - **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator. + +## Next steps +After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. 
For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic.
\ No newline at end of file
diff --git a/browsers/enterprise-mode/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
new file mode 100644
index 0000000000..13fd5539cd
--- /dev/null
+++ b/browsers/enterprise-mode/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -0,0 +1,46 @@
+---
+ms.localizationpriority: low
+description: Delete a single site from your global Enterprise Mode site list.
+ms.pagetype: appcompat
+ms.mktglfcycl: deploy
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 41413459-b57f-48da-aedb-4cbec1e2981a
+title: Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+
+ **To delete a single site from your global Enterprise Mode site list**
+
+- From the Enterprise Mode Site List Manager, pick the site you want to delete, and then click **Delete**.
+The site is permanently removed from your list.
+
+If you delete a site by mistake, you’ll need to manually add it back using the instructions in the following topics, based on operating system.
+
+- [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md)
+
+- [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md)
+
+## Related topics
+- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
+ 
+
+ 
+
+
+
diff --git a/browsers/enterprise-mode/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
new file mode 100644
index 0000000000..c6e03cadc0
--- /dev/null
+++ b/browsers/enterprise-mode/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
@@ -0,0 +1,50 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 76aa9a85-6190-4c3a-bc25-0f914de228ea
+title: Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments.
+
+If you need to edit a lot of websites, you probably don’t want to do it one at a time. Instead, you can edit your saved XML or TXT file and add the sites back again. For information about how to do this, depending on your operating system and schema version, see [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md).
+
+ **To change how your page renders**
+
+1. In the Enterprise Mode Site List Manager, double-click the site you want to change.
+
+2. Change the comment or the compatibility mode option.
+
+3. Click **Save** to validate your changes and to add the updated information to your site list.
+If your change passes validation, it’s added to the global site list. If the update doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the update or ignore the validation problem and add it to your list anyway. For more information about fixing validation issues, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
+
+4. On the **File** menu, click **Save to XML**, and save the updated file.
+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
+
+## Related topics
+- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
+ 
+
+ 
+
+
+
diff --git a/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md b/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md
new file mode 100644
index 0000000000..20155271eb
--- /dev/null
+++ b/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md
@@ -0,0 +1,50 @@ +## Enterprise Mode and the Enterprise Mode Site List XML file +The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your employees can easily view this site list by typing _about:compat_ in either Microsoft Edge or IE11. + +Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge. + +### Site list xml file + +This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location. + +```xml + + + + EnterpriseSiteListManager + 10586 + 20150728.135021 + + + + IE8Enterprise + IE11 + + + default + IE11 + + + IE7Enterprise + IE11 + + + + + IE8Enterprise" + IE11 + + + IE7 + IE11 + + + IE7 + IE11 + + + +``` \ No newline at end of file 
diff --git a/browsers/enterprise-mode/enterprise-mode-features-include.md b/browsers/enterprise-mode/enterprise-mode-features-include.md
new file mode 100644
index 0000000000..8090fc9ba8
--- /dev/null
+++ b/browsers/enterprise-mode/enterprise-mode-features-include.md
@@ -0,0 +1,16 @@
+### Enterprise Mode features
+Enterprise Mode includes the following features:
+
+- **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting several site patterns that aren’t currently supported by existing document modes.
+
+- **Tool-based management for website lists.** Use the Enterprise Mode Site List Manager to add website domains and domain paths and to specify whether a site renders using Enterprise Mode.
+Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378), based on your operating system and schema.
+
+- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools.
+
+ >[!Important]
+ >All centrally-made decisions override any locally-made choices.
+
+- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites.
+
+- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list.
\ No newline at end of file
diff --git a/browsers/enterprise-mode/enterprise-mode-overview-for-ie11.md b/browsers/enterprise-mode/enterprise-mode-overview-for-ie11.md
new file mode 100644
index 0000000000..b7d9399d77
--- /dev/null
+++ b/browsers/enterprise-mode/enterprise-mode-overview-for-ie11.md 
@@ -0,0 +1,51 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Use the topics in this section to learn how to set up and use Enterprise Mode, Enterprise Mode Site List Manager, and the Enterprise Mode Site List Portal for your company. +author: eross-msft +ms.prod: ie11 +ms.assetid: d52ba8ba-b3c7-4314-ba14-0610e1d8456e +title: Enterprise Mode for Internet Explorer 11 (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Enterprise Mode for Internet Explorer 11 + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. + +## In this section +|Topic |Description | +|---------------------------------------------------------------|-----------------------------------------------------------------------------------| +|[Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)|Includes descriptions of the features of Enterprise Mode. | +|[Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) |Guidance about how to turn on local control of Enterprise Mode and how to use ASP or the GitHub sample to collect data from your local computers. | +|[Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) |Guidance about how to turn on Enterprise Mode and set up a site list, using Group Policy or the registry. | +|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. 
| +|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. | +|[Check for a new Enterprise Mode site list xml file](check-for-new-enterprise-mode-site-list-xml-file.md) |Guidance about how the Enterprise Mode functionality looks for your updated site list. | +|[Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) |Guidance about how to turn on local control of Enterprise Mode, using Group Policy or the registry.| +|[Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) |Guidance about how to use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. | +|[Use the Enterprise Mode Site List Portal](use-the-enterprise-mode-portal.md) |Guidance about how to set up and use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. | +|[Using Enterprise Mode](using-enterprise-mode.md) |Guidance about how to turn on either IE7 Enterprise Mode or IE8 Enterprise Mode. | +|[Fix web compatibility issues using document modes and the Enterprise Mode Site List](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md) |Guidance about how to decide and test whether to use document modes or Enterprise Mode to help fix compatibility issues. | +|[Remove sites from a local Enterprise Mode site list](remove-sites-from-a-local-enterprise-mode-site-list.md) |Guidance about how to remove websites from a device's local Enterprise Mode site list. | +|[Remove sites from a local compatibility view list](remove-sites-from-a-local-compatibililty-view-list.md) |Guidance about how to remove websites from a device's local compatibility view list. 
| +|[Turn off Enterprise Mode](turn-off-enterprise-mode.md) |Guidance about how to stop using your site list and how to turn off local control, using Group Policy or the registry. | +  + +  + +  + + + diff --git a/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md b/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md new file mode 100644 index 0000000000..88711fd787 --- /dev/null +++ b/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md @@ -0,0 +1,233 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 7 or Windows 8.1 Update. +author: eross-msft +ms.prod: ie11 +ms.assetid: 17c61547-82e3-48f2-908d-137a71938823 +title: Enterprise Mode schema v.1 guidance (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Enterprise Mode schema v.1 guidance + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 + +Use the Enterprise Mode Site List Manager (schema v.1) to create and update your Enterprise Mode site list for devices running the v.1 version of the schema, or the Enterprise Mode Site List Manager (schema v.2) to create and update your Enterprise Mode site list for devices running the v.2 version of the schema. We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md). + +If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app. + +## Enterprise Mode schema v.1 example +The following is an example of the Enterprise Mode schema v.1. This schema can run on devices running Windows 7 and Windows 8.1. + +**Important**
+Make sure that you don't specify a protocol when adding your URLs. Using a URL like `contoso.com` automatically applies to both http://contoso.com and https://contoso.com. + +``` xml + + + www.cpandl.com + www.woodgrovebank.com + adatum.com + contoso.com + relecloud.com + /about + + fabrikam.com + /products + + + + contoso.com + /travel + + fabrikam.com + /products + + + +``` + +### Schema elements +This table includes the elements used by the Enterprise Mode schema. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ElementDescriptionSupported browser
<rules>Root node for the schema. +

Example +

+<rules version="205">
+  <emie>
+    <domain>contoso.com</domain>
+  </emie>
+</rules>
Internet Explorer 11 and Microsoft Edge
<emie>The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied. +

Example +

+<rules version="205">
+  <emie>
+    <domain>contoso.com</domain>
+  </emie>
+</rules>
+-or- +

For IPv6 ranges:

<rules version="205">
+  <emie>
+    <domain>[10.122.34.99]:8080</domain>
+  </emie>
+  </rules>
+-or- +

For IPv4 ranges:

<rules version="205">
+  <emie>
+    <domain>10.122.34.99:8080</domain>
+  </emie>
+  </rules>
Internet Explorer 11 and Microsoft Edge
<docMode>The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the <docMode> section that uses the same value as a <domain> element in the <emie> section, the <emie> element is applied. +

Example +

+<rules version="205">
+  <docMode>
+    <domain docMode="7">contoso.com</domain>
+  </docMode>
+</rules>
Internet Explorer 11
<domain>A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element. +

Example +

+<emie>
+  <domain>contoso.com:8080</domain>
+</emie>
Internet Explorer 11 and Microsoft Edge
<path>A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section. +

Example +

+<emie>
+  <domain exclude="false">fabrikam.com
+    <path exclude="true">/products</path>
+  </domain>
+</emie>

+Where http://fabrikam.com doesn't use IE8 Enterprise Mode, but http://fabrikam.com/products does.

Internet Explorer 11 and Microsoft Edge
+ +### Schema attributes +This table includes the attributes used by the Enterprise Mode schema. + + + + + + + + + + + + + + + + + + + + + + + + + +
AttributeDescriptionSupported browser
<version>Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.Internet Explorer 11 and Microsoft Edge
<exclude>Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the <domain> and <path> elements. +

Example +

+<emie>
+  <domain exclude="false">fabrikam.com
+    <path exclude="true">/products</path>
+  </domain>
+</emie>

+Where http://fabrikam.com doesn't use IE8 Enterprise Mode, but http://fabrikam.com/products does.

Internet Explorer 11 and Microsoft Edge
<docMode>Specifies the document mode to apply. This attribute is only supported on <domain> or <path> elements in the <docMode> section. +

Example +

+<docMode>
+  <domain exclude="false">fakrikam.com
+    <path docMode="7">/products</path>
+  </domain>
+</docMode>
Internet Explorer 11
+ +### Using Enterprise Mode and document mode together +If you want to use both Enterprise Mode and document mode together, you need to be aware that <emie> entries override <docMode> entries for the same domain. + +For example, say you want all of the sites in the contoso.com domain to open using IE8 Enterprise Mode, except test.contoso.com, which needs to open in document mode 11. Because Enterprise Mode takes precedence over document mode, if you want test.contoso.com to open using document mode, you'll need to explicitly add it as an exclusion to the <emie> parent node. + +```xml + + + contoso.com + test.contoso.com + + + test.contoso.com + + +``` + +### What not to include in your schema +We recommend that you not add any of the following items to your schema because they can make your compatibility list behave in unexpected ways: +- Don’t use protocols. For example, `http://`, `https://`, or custom protocols. They break parsing. +- Don’t use wildcards. +- Don’t use query strings, ampersands break parsing. + +## How to use trailing slashes +You can use trailing slashes at the path-level, but not at the domain-level: +- **Domain-level.** Don’t add trailing slashes to a domain, it breaks parsing. +- **Path-level.** Adding a trailing slash to a path means that the path ends at that point. By not adding a trailing slash, the rule applies to all of the sub-paths. + +**Example** + +``` xml +contoso.com + /about/ + +``` +In this example, `contoso.com/about/careers` will use the default version of Internet Explorer, even though `contoso.com/about/` uses Enterprise Mode. + + +## How to target specific sites +If you want to target specific sites in your organization. + +|Targeted site |Example |Explanation | +|--------------|--------|------------| +|You can specify subdomains in the domain tag. |<docMode>
<domain docMode="5">contoso.com</domain>
<domain docMode="9">info.contoso.com</domain>
<docMode>
|

| +|You can specify exact URLs by listing the full path. |<emie>
<domain exclude="false">bing.com</domain>
<domain exclude="false" forceCompatView="true">contoso.com</domain>
<emie>
|| +|You can nest paths underneath domains. |<emie>
<domain exclude="true">contoso.com
<path exclude="false">/about</path>
<path exclude="true">
/about/business</path>
</domain>
</emie>
| | +|You can’t add a path underneath a path. The file will still be parsed, but the sub-path will be ignored. |<emie>
<domain exclude="true">contoso.com
<path>/about
<path exclude="true">/business</path>
</path>
</domain>
</emie>
| | \ No newline at end of file diff --git a/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md b/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md new file mode 100644 index 0000000000..df6a01cb68 --- /dev/null +++ b/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md @@ -0,0 +1,298 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 10. +author: eross-msft +ms.prod: ie11 +ms.assetid: 909ca359-5654-4df9-b9fb-921232fc05f5 +title: Enterprise Mode schema v.2 guidance (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 12/04/2017 +--- + + +# Enterprise Mode schema v.2 guidance + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 + +Use the Enterprise Mode Site List Manager to create and update your site list for devices running Windows 7, Windows 8.1, and Windows 10, using the version 2.0 (v.2) of the Enterprise Mode schema. If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app. + +**Important**
+If you're running Windows 7 or Windows 8.1 and you've been using the version 1.0 (v.1) of the schema, you can continue to do so, but you won't get the benefits that come with the updated schema. For info about the v.1 schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). + +## Enterprise Mode schema v.2 updates +Because of the schema changes, you can't combine the old version (v.1) with the new version (v.2) of the schema. If you look at your XML file, you can tell which version you're using by: + +- <rules>. If your schema root node includes this key, you're using the v.1 version of the schema. + +- <site-list>. If your schema root node includes this key, you're using the v.2 version of the schema. + +You can continue to use the v.1 version of the schema on Windows 10, but you won't have the benefits of the new v.2 version schema updates and new features. Additionally, saving the v.1 version of the schema in the new Enterprise Mode Site List Manager (schema v.2) automatically updates the file to use the v.2 version of the schema. + +### Enterprise Mode v.2 schema example +The following is an example of the v.2 version of the Enterprise Mode schema. + +**Important**
+Make sure that you don't specify a protocol when adding your URLs. Using a URL like ``, automatically applies to both http://contoso.com and https://contoso.com. +  +``` xml + + + + EnterpriseSitelistManager + 10240 + 20150728.135021 + + + + IE8Enterprise + MSEdge + + + default + IE11 + + + IE7Enterprise + IE11 + + + default + IE11 + + + default + none + + IE8Enterprise" + + + IE7 + IE11 + + + IE8Enterprise + IE11 + + + IE7 + IE11 + + +``` + +### Updated schema elements +This table includes the elements used by the v.2 version of the Enterprise Mode schema. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ElementDescriptionSupported browser
<site-list>A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>. +

Example +

+<site-list version="205">
+  <site url="contoso.com">
+    <compat-mode>IE8Enterprise</compat-mode>
+    <open-in>IE11</open-in>
+  </site>
+</site-list>
Internet Explorer 11 and Microsoft Edge
<site>A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element. +

Example +

+<site url="contoso.com">
+  <compat-mode>default</compat-mode>
+  <open-in>none</open-in>
+</site>
+-or- +

For IPv4 ranges:

<site url="10.122.34.99:8080">
+  <compat-mode>IE8Enterprise</compat-mode>
+<site>

+-or- +

For IPv6 ranges:

<site url="[10.122.34.99]:8080">
+  <compat-mode>IE8Enterprise</compat-mode>
+<site>

+You can also use the self-closing version, <url="contoso.com" />, which also sets: +

    +
  • <compat-mode>default</compat-mode>
  • +
  • <open-in>none</open-in>
  • +
Internet Explorer 11 and Microsoft Edge
<compat-mode>A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11. +

Example +

+<site url="contoso.com">
+  <compat-mode>IE8Enterprise</compat-mode>
+</site>
+-or- +

For IPv4 ranges:

<site url="10.122.34.99:8080">
+  <compat-mode>IE8Enterprise</compat-mode>
+<site>

+-or- +

For IPv6 ranges:

<site url="[10.122.34.99]:8080">
+  <compat-mode>IE8Enterprise</compat-mode>
+<site>

+Where: +

    +
  • IE8Enterprise. Loads the site in IE8 Enterprise Mode.
    This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE8 Enterprise Mode.
  • +

  • IE7Enterprise. Loads the site in IE7 Enterprise Mode.
    This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE7 Enterprise Mode.

    Important
    This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.

  • +

  • IE[x]. Where [x] is the document mode number into which the site loads.
  • +

  • Default or not specified. Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored.
  • +
Internet Explorer 11
<open-in>A child element that controls what browser is used for sites. This element supports the Open in IE11 or Open in Microsoft Edge experiences, for devices running Windows 10. +

Example +

+<site url="contoso.com">
+  <open-in>none</open-in>
+</site>

+Where: +

    +
  • IE11. Opens the site in IE11, regardless of which browser is opened by the employee.
  • +

  • MSEdge. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
  • +

  • None or not specified. Opens in whatever browser the employee chooses.
  • +
Internet Explorer 11 and Microsoft Edge
+ +### Updated schema attributes +The <url> attribute, as part of the <site> element in the v.2 version of the schema, replaces the <domain> element from the v.1 version of the schema. + + + + + + + + + + + + + + + + + + + + + + + + + +
AttributeDescriptionSupported browser
allow-redirectA boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser). +

Example +

+<site url="contoso.com/travel">
+  <open-in allow-redirect="true">IE11</open-in>
+</site>
+In this example, if http://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.
Internet Explorer 11 and Microsoft Edge
versionSpecifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element.Internet Explorer 11 and Microsoft Edge
urlSpecifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL. +
Note
+Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both http://contoso.com and https://contoso.com. +

Example +

+<site url="contoso.com:8080">
+  <compat-mode>IE8Enterprise</compat-mode>
+  <open-in>IE11</open-in>
+</site>
+In this example, going to http://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode.
Internet Explorer 11 and Microsoft Edge
+ +### Deprecated attributes +These v.1 version schema attributes have been deprecated in the v.2 version of the schema: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Deprecated attributeNew attributeReplacement example
<forceCompatView><compat-mode>Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode>
<docMode><compat-mode>Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode>
<doNotTransition><open-in>Replace <doNotTransition="true"> with <open-in>none</open-in>
<domain> and <path><site>Replace: +
+<emie>
+  <domain exclude="false">contoso.com</domain>
+</emie>
+With: +
+<site url="contoso.com"/>
+  <compat-mode>IE8Enterprise</compat-mode>
+</site>
+-AND-

+Replace: +

+<emie>
+  <domain exclude="true">contoso.com
+     <path exclude="false" forceCompatView="true">/about</path>
+  </domain>
+</emie>
+With: +
+<site url="contoso.com/about">
+  <compat-mode>IE7Enterprise</compat-mode>
+</site>
+ +While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We don’t recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features. + +**Important**
+Saving your v.1 version of the file using the new Enterprise Mode Site List Manager (schema v.2) automatically updates the XML to the new v.2 version of the schema. + +### What not to include in your schema +We recommend that you not add any of the following items to your schema because they can make your compatibility list behave in unexpected ways: + +- Don’t use protocols. For example, http://, https://, or custom protocols. They break parsing. +- Don’t use wildcards. +- Don’t use query strings, ampersands break parsing. + +## Related topics +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) + + + + diff --git a/browsers/enterprise-mode/enterprise-mode-site-list-mgr-portal-tools-include.md b/browsers/enterprise-mode/enterprise-mode-site-list-mgr-portal-tools-include.md new file mode 100644 index 0000000000..f1c67006ba --- /dev/null +++ b/browsers/enterprise-mode/enterprise-mode-site-list-mgr-portal-tools-include.md 
@@ -0,0 +1,36 @@
+## Enterprise Mode Site List Manager and the Enterprise Mode Site List Portal tools
+You can build and manage your Enterprise Mode Site List is by using any generic text editor. However, we’ve also provided a couple tools that can make that process even easier.
+
+### Enterprise Mode Site List Manager
+This tool helps you create error-free XML documents with simple n+1 versioning and URL verification. We recommend using this tool if your site list is relatively small. For more info about this tool, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics.
+
+There are 2 versions of this tool, both supported on Windows 7, Windows 8.1, and Windows 10:
+
+- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501). This is an older version of the schema that you must use if you want to create and update your Enterprise Mode Site List for devices running the v.1 version of the schema.
+
+ We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).
+
+- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974). The updated version of the schema, including new functionality. You can use this version of the schema to create and update your Enterprise Mode Site List for devices running the v.2 version of the schema.
+
+ If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
+
+If your list is too large to add individual sites, or if you have more than one person managing the site list, we recommend using the Enterprise Site List Portal.
+
+### Enterprise Mode Site List Portal
+The [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management.
+
+In addition to all the functionality of the Enterprise Mode Site List Manager tool, the Enterprise Mode Site List Portal helps you:
+
+- Manage site lists from any device supporting Windows 7 or greater.
+
+- Submit change requests.
+
+- Operate offline through an on-premise solution.
+
+- Provide role-based governance.
+
+- Test configuration settings before releasing to a live environment.
+
+Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later.
+
+Because the tool is open-source, the source code is readily available for examination and experimentation. We encourage you to [fork the code, submit pull requests, and send us your feedback](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)! For more info about the Enterprise Mode Site List Portal, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics.
\ No newline at end of file
diff --git a/browsers/enterprise-mode/enterprise-mode-site-list-mgr-versions-include.md b/browsers/enterprise-mode/enterprise-mode-site-list-mgr-versions-include.md
new file mode 100644
index 0000000000..4ead83795d
--- /dev/null
+++ b/browsers/enterprise-mode/enterprise-mode-site-list-mgr-versions-include.md
@@ -0,0 +1,7 @@
+## Enterprise Mode Site List Manager versions
+There are currently two versions of the Enterprise Site List Manager, both based on your schema and operating system. Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) tool, based on your operating system.
+
+|Schema version |Operating system |Enterprise Site List Manager version |
+|-----------------|---------------|------------------------------------|
+|Enterprise Mode schema, version 2 (v.2) |Windows 10
-OR-
Windows 8.1
-OR-
Windows 7|Uses the Enterprise Mode Site List Manager (schema v.2) and the v.2 version of the schema. If you import a v.1 version schema into the Enterprise Mode Site List Manager (schema v.2), the XML is saved into the v.2 version of the schema.

For more info about the v.2 version of the schema, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).|
+|Enterprise Mode schema, version 1 (v.1) |Windows 10
-OR-
Windows 8.1
-OR-
Windows 7|Uses the Enterprise Mode Site List Manager (schema v.1) and the v.1 version of the schema.

For more info about the v.1 version of the schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md)|
\ No newline at end of file
diff --git a/browsers/enterprise-mode/enterprise-mode.md b/browsers/enterprise-mode/enterprise-mode.md
new file mode 100644
index 0000000000..663a632588
--- /dev/null
+++ b/browsers/enterprise-mode/enterprise-mode.md
@@ -0,0 +1,57 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: security
+description: Use this section to learn about how to turn on Enterprise Mode.
+author: shortpatti
+ms.author: pashort
+ms.prod: edge, ie11
+ms.assetid:
+title: Enterprise Mode for Microsoft Edge
+ms.sitesec: library
+ms.date: ''
+---
+
+# Enterprise Mode for Microsoft Edge
+Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8. Running in this mode helps to avoid many of the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+
+Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers the confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability.
+
+## Available dual-browser experiences
+
+
+## Enterprise Mode features
+
+
+
+
+## Enterprise Mode Site List management tools
+...description of what you can do with these tools; also specify if you must use both or if each tool works independently and no dependencies on the other tool... I think these tools are for two different scenarios...
+
+You can build and manage your Enterprise Mode Site List is by using any generic text editor. However, we’ve also provided a couple of tools that can make that process even easier.
+
+| | |
+|---------|---------|
+|Enterprise Mode Site List Manager |Use if your site list is relatively small. 
|
+|Enterprise Mode Site List Portal |Use if your site list is too large to add individual sites, or if you have more than one person managing the sites. |
+
+### Enterprise Mode Site List Manager
+
+
+### Enterprise Mode Site List Portal
+
+
+
+## Enterprise Mode Site List XML file
+[!INCLUDE [enterprise-mode-and-enterprise-site-list-include](enterprise-mode-and-enterprise-site-list-include.md)]
+
+
+## Turn on Enterprise Mode
+
+
+### Add a single site to the site list
+
+
+### Add mulitple sites to the site list
+
+
diff --git a/browsers/enterprise-mode/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
new file mode 100644
index 0000000000..8e779574c1
--- /dev/null
+++ b/browsers/enterprise-mode/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
@@ -0,0 +1,46 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file. +author: eross-msft +ms.prod: ie11 +ms.assetid: 9ee7c13d-6fca-4446-bc22-d23a0213a95d +title: Export your Enterprise Mode site list from the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Export your Enterprise Mode site list from the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file. This file includes all of your URLs, including your compatibility mode selections and should be stored somewhere safe. If your list gets deleted by mistake you can easily import this file and return everything back to when this file was last saved. + +**Important**
  +This file is not intended for distribution to your managed devices. Instead, it is only for transferring data and comments from one manager to another. For example, if one administrator leaves and passes the existing data to another administrator. Internet Explorer doesn’t read this file. + + **To export your compatibility list** + +1. On the **File** menu of the Enterprise Mode Site List Manager, click **Export**. + +2. Export the file to your selected location. For example, `C:\Users\\Documents\sites.emie`. + +## Related topics + +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + diff --git a/browsers/enterprise-mode/images/config-enterprise-site-list.png b/browsers/enterprise-mode/images/config-enterprise-site-list.png new file mode 100644 index 0000000000..82ffc30895 Binary files /dev/null and b/browsers/enterprise-mode/images/config-enterprise-site-list.png differ diff --git a/browsers/enterprise-mode/images/enterprise-mode-value-data.png b/browsers/enterprise-mode/images/enterprise-mode-value-data.png new file mode 100644 index 0000000000..9e9ece9c1a Binary files /dev/null and b/browsers/enterprise-mode/images/enterprise-mode-value-data.png differ diff --git a/browsers/enterprise-mode/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md new file mode 100644 index 0000000000..963880eb75 --- /dev/null +++ b/browsers/enterprise-mode/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md 
@@ -0,0 +1,45 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Instructions about how to clear all of the sites from your global Enterprise Mode site list. +author: eross-msft +ms.prod: ie11 +ms.assetid: 90f38a6c-e0e2-4c93-9a9e-c425eca99e97 +title: Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +You can clear all of the sites from your global Enterprise Mode site list. + +**Important**   +This is a permanent removal and erases everything. However, if you determine it was a mistake, and you saved an XML copy of your list, you can add the file again by following the steps in the [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md), depending on your operating system. + + **To clear your compatibility list** + +1. On the **File** menu of the Enterprise Mode Site List Manager, click **Clear list**. + +2. Click **Yes** in the warning message.

Your sites are all cleared from your list. + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + diff --git a/browsers/enterprise-mode/remove-sites-from-a-local-compatibililty-view-list.md b/browsers/enterprise-mode/remove-sites-from-a-local-compatibililty-view-list.md new file mode 100644 index 0000000000..546fe2133e --- /dev/null +++ b/browsers/enterprise-mode/remove-sites-from-a-local-compatibililty-view-list.md @@ -0,0 +1,39 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Instructions about how to remove sites from a local compatibility view list. +author: eross-msft +ms.prod: ie11 +ms.assetid: f6ecaa75-ebcb-4f8d-8721-4cd6e73c0ac9 +title: Remove sites from a local compatibility view list (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Remove sites from a local compatibility view list + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Remove websites that were added to a local compatibility view list by mistake or because they no longer have compatibility problems. + + **To remove sites from a local compatibility view list** + +1. Open Internet Explorer 11, click **Tools**, and then click **Compatibility View Settings**. + +2. Pick the site to remove, and then click **Remove**.

+Sites can only be removed one at a time. If one is removed by mistake, it can be added back using this same box and the **Add** section. + +  + +  + + + diff --git a/browsers/enterprise-mode/remove-sites-from-a-local-enterprise-mode-site-list.md b/browsers/enterprise-mode/remove-sites-from-a-local-enterprise-mode-site-list.md new file mode 100644 index 0000000000..8b15e9ddd5 --- /dev/null +++ b/browsers/enterprise-mode/remove-sites-from-a-local-enterprise-mode-site-list.md @@ -0,0 +1,55 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Instructions about how to remove sites from a local Enterprise Mode site list. +author: eross-msft +ms.prod: ie11 +ms.assetid: c7d6dd0b-e264-42bb-8c9d-ac2f837018d2 +title: Remove sites from a local Enterprise Mode site list (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Remove sites from a local Enterprise Mode site list + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Remove websites that were added to a local Enterprise Mode site list by mistake or because the sites no longer have compatibility problems. + +**Note**
The changes described in this topic only impact sites added to a local Enterprise Mode site list and not the list of sites deployed to all employees by an administrator. Employees can't delete sites added to the list by an administrator. + +  **To remove single sites from a local Enterprise Mode site list** + +1. Open Internet Explorer 11 and go to the site you want to remove. + +2. Click **Tools**, and then click **Enterprise Mode**.

+The checkmark disappears from next to Enterprise Mode and the site is removed from the list. + +**Note**
If the site is removed by mistake, it can be added back by clicking **Enterprise Mode** again. + + **To remove all sites from a local Enterprise Mode site list** + +1. Open IE11, click **Tools**, and then click **Internet options**. + +2. Click the **Delete** button from the **Browsing history** area. + +3. Click the box next to **Cookies and website data**, and then click **Delete**. + +**Note**
This removes all of the sites from a local Enterprise Mode site list. + +   + +  + +  + + + diff --git a/browsers/enterprise-mode/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md new file mode 100644 index 0000000000..7ec1867c5b --- /dev/null +++ b/browsers/enterprise-mode/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md @@ -0,0 +1,43 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems. +author: eross-msft +ms.prod: ie11 +ms.assetid: 254a986b-494f-4316-92c1-b089ee8b3e0a +title: Save your site list to XML in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Save your site list to XML in the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems. + + **To save your list as XML** + +1. On the **File** menu of the Enterprise Mode Site List Manager, click **Save to XML**. + +2. Save the file to the location you specified in your Enterprise Mode registry key, set up when you turned on Enterprise Mode for use in your company. For information about the Enterprise Mode registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).

+The first time a user starts Internet Explorer 11 on a managed device; Internet Explorer will look for a new version of the site list at the specified location. If the browser finds an updated site list, IE downloads the new XML site list and uses it. + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + diff --git a/browsers/enterprise-mode/schedule-production-change-enterprise-mode-portal.md b/browsers/enterprise-mode/schedule-production-change-enterprise-mode-portal.md new file mode 100644 index 0000000000..f49ad80a75 --- /dev/null +++ b/browsers/enterprise-mode/schedule-production-change-enterprise-mode-portal.md 
@@ -0,0 +1,50 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how Administrators can schedule approved change requests for production in the Enterprise Mode Site List Portal. +author: eross-msft +ms.prod: ie11 +title: Schedule approved change requests for production using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + +# Schedule approved change requests for production using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +After a change request is approved, the original Requester can schedule the change for the production environment. The change can be immediate or set for a future time. + +**To schedule an immediate change** +1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane. + +2. The Requester clicks the **Approved** status for the change request. + + The **Schedule changes** page appears. + +3. The Requester clicks **Now**, and then clicks **Save**. + + The update is scheduled to immediately update the production environment, and an email is sent to the Requester. After the update finishes, the Requester is asked to verify the changes. + + +**To schedule the change for a different day or time** +1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane. + +2. The Requester clicks the **Approved** status for the change request. + + The **Schedule changes** page appears. + +3. The Requester clicks **Schedule**, sets the **Preferred day**, **Preferred start time**, and the **Preferred end time**, and then clicks **Save**. + + The update is scheduled to update the production environment on that day and time and an email is sent to the Requester. 
After the update finishes, the Requester will be asked to verify the changes. + + +## Next steps +After the update to the production environment completes, the Requester must again test the change. If the testing succeeds, the Requester can sign off on the change request. If the testing fails, the Requester can contact the Administrator group for more help. For the production environment testing steps, see the [Verify the change request update in the production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md) topic. \ No newline at end of file diff --git a/browsers/enterprise-mode/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md new file mode 100644 index 0000000000..5292cf3570 --- /dev/null +++ b/browsers/enterprise-mode/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md @@ -0,0 +1,41 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Search to see if a specific site already appears in your global Enterprise Mode site list. +author: eross-msft +ms.prod: ie11 +ms.assetid: e399aeaf-6c3b-4cad-93c9-813df6ad47f9 +title: Search your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Search your Enterprise Mode site list in the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +You can search to see if a specific site already appears in your global Enterprise Mode site list so you don’t try to add it again. + + **To search your compatibility list** + +- From the Enterprise Mode Site List Manager, type part of the URL into the **Search** box.

+The search query searches all of the text. For example, entering *“micro”* will return results like, www.microsoft.com, microsoft.com, and microsoft.com/images. Wildcard characters aren’t supported. + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + diff --git a/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md new file mode 100644 index 0000000000..bfb9659bd0 --- /dev/null +++ b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md 
@@ -0,0 +1,157 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Set up and turn on Enterprise Mode logging and data collection in your organization.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 2e98a280-f677-422f-ba2e-f670362afcde
+title: Set up Enterprise Mode logging and data collection (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Set up Enterprise Mode logging and data collection
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Using Group Policy, you can turn on Enterprise Mode for Internet Explorer and then you can turn on local user control using the **Let users turn on and use Enterprise Mode from the Tools menu** setting, located in the `Administrative Templates\Windows Components\Internet Explorer` category path. After you turn this setting on, your users can turn on Enterprise Mode locally, from the IE **Tools** menu.
+
+![enterprise mode option on the tools menu](images/ie-emie-toolsmenu.png)
+
+The **Let users turn on and use Enterprise Mode from the Tools menu** setting also lets you decide where to send the user reports (as a URL). We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site. A dedicated site is important so you can quickly pick out the Enterprise Mode traffic from your other website traffic.
+
+![group policy to turn on enterprise mode](images/ie-emie-grouppolicy.png)
+
+Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. 
For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system.
+
+## Using ASP to collect your data
+When you turn logging on, you need a valid URL that points to a server that can be listened to for updates to a user’s registry key. This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu.
+
+ **To set up an endpoint server**
+
+1. Configure an IIS server to work with your Enterprise Mode data collection process. If you’re unsure how to set up IIS, see the [IIS installation webpage](https://go.microsoft.com/fwlink/p/?LinkId=507609).
+
+2. Open Internet Information Services (IIS) and turn on the ASP components from the **Add Roles and Features Wizard**, **Server Roles** page.

+This lets you create an ASP form that accepts the incoming POST messages.
+
+3. Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port.
+
+ ![IIS Manager, editing website bindings](images/ie-emie-editbindings.png)
+
+4. Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box.
+
+ ![IIS Manager, setting logging options](images/ie-emie-logging.png)
+
+5. Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.

+Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users.
+
+6. Apply these changes to your default website and close the IIS Manager.
+
+7. Put your EmIE.asp file into the root of the web server, using this command:
+
+ ```
+ <% @ LANGUAGE=javascript %>
+ <%
+ Response.AppendToLog(" ;" + Request.Form("URL") + " ;" + Request.Form("EnterpriseMode"));
+ %>
+ ```
+This code logs your POST fields to your IIS log file, where you can review all of the collected data.
+
+
+### IIS log file information
+This is what your log files will look like after you set everything up and at least one of your users has turned on Enterprise Mode locally from the **Tools** menu. You can see the URL of the problematic website and client IP address of the user that turned on Enterprise Mode.
+
+![Enterprise Mode log file](images/ie-emie-logfile.png)
+
+
+## Using the GitHub sample to collect your data
+Microsoft has created the [EMIE-Data-Collection_Sample](https://go.microsoft.com/fwlink/p/?LinkId=507401) that shows how to collect your Enterprise Mode reports. This sample only shows how to collect data, it doesn’t show how to aggregate the data into your Enterprise Mode site list.

+This sample starts with you turning on Enterprise Mode and logging (either through Group Policy, or by manually setting the EnterpriseMode registry key) so that your users can use Enterprise Mode locally. For the steps to do this, go to [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
+
+**Note**
If you decide to manually change the registry key, you can change the **Enable** setting to `[deployment url]/api/records/`, which automatically sends your reports to this page.
+
+### Setting up, collecting, and viewing reports
+For logging, you’re going to need a valid URL that points to a server that can be listened to for updates to a user’s registry key. This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu. These POST messages go into your database, aggregating the report data by URL, giving you the total number of reports where users turned on Enterprise Mode, the total number of reports where users turned off Enterprise Mode, and the date of the last report.
+
+ **To set up the sample**
+
+1. Set up a server to collect your Enterprise Mode information from your users.
+
+2. Go to the Internet Explorer/[EMIE-Data_Collection_Sample](https://go.microsoft.com/fwlink/p/?LinkId=507401) page on GitHub and tap or click the **Download ZIP** button to download the complete project.
+
+3. Open Microsoft Visual Studio 2013 with Update 2, and then open the PhoneHomeSample.sln file.
+
+4. On the **Build** menu, tap or click **Build Solution**.

+The required packages are automatically downloaded and included in the solution.
+
+ **To set up your endpoint server**
+
+1. Right-click on the name, PhoneHomeSample, and click **Publish**.
+
+ ![Visual Studio, Publish menu](images/ie-emie-publishsolution.png)
+
+2. In the **Publish Web** wizard, pick the publishing target and options that work for your organization.
+
+ **Important**
+ Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website. 
+
+ ![Visual Studio, Publish Web wizard](images/ie-emie-publishweb.png)
+
+ After you finish the publishing process, you need to test to make sure the app deployed successfully.
+
+ **To test, deploy, and use the app**
+
+1. Open a registry editor on the computer where you deployed the app, go to the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode` key, and change the **Enable** string to:
+
+ ``` "Enable"="http:///api/records/"
+ ```
+ Where `` points to your deployment URL.
+
+2. After you’re sure your deployment works, you can deploy it to your users using one of the following:
+
+ - Turn on the **Let users turn on and use Enterprise Mode from the Tools menu** Group Policy setting, putting your `` information into the **Options** box.
+
+ - Deploy the registry key in Step 3 using System Center or other management software.
+
+3. Get your users to visit websites, turning Enterprise Mode on or off locally, as necessary.
+
+ **To view the report results**
+
+- Go to `http:///List` to see the report results.

+If you’re already on the webpage, you’ll need to refresh the page to see the results.
+
+ ![Enterprise Mode Result report with details](images/ie-emie-reportwdetails.png)
+
+
+### Troubleshooting publishing errors
+If you have errors while you’re publishing your project, you should try to update your packages.
+
+ **To update your packages**
+
+1. From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**.
+
+ ![Nuget Package Manager for package updates](images/ie-emie-packageupdate.png)
+
+2. Click **Updates** on the left side of the tool, and click the **Update All** button.

+You may need to do some additional package cleanup to remove older package versions.
+
+## Related topics
+- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+- [What is Enterprise Mode?](what-is-enterprise-mode.md)
+- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
+- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md)
+ 
+
+ 
+
+
+
diff --git a/browsers/enterprise-mode/set-up-enterprise-mode-portal.md b/browsers/enterprise-mode/set-up-enterprise-mode-portal.md
new file mode 100644
index 0000000000..0aca62e070
--- /dev/null
+++ b/browsers/enterprise-mode/set-up-enterprise-mode-portal.md
@@ -0,0 +1,232 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how to set up the Enterprise Mode Site List Portal for your organization.
+author: eross-msft
+ms.prod: ie11
+title: Set up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# Set up the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later.
+
+Before you can begin using the Enterprise Mode Site List Portal, you must set up your environment.
+
+## Step 1 - Copy the deployment folder to the web server
+You must download the deployment folder (**EMIEWebPortal/**), which includes all of the source code for the website, from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) site to your web server.
+
+**To download the source code**
+1. Download the deployment folder from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) source code to your web server.
+
+2. Install the Node.js® package manager, [npm](https://www.npmjs.com/).
+
+ >[!Note]
+ >You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source.
+
+3. 
Open File Explorer and then open the **EMIEWebPortal/** folder.
+
+4. Press and hold **Shift**, right-click the window, then click **Open PowerShell window here**.
+
+5. Type _npm i_ into the command prompt, then press **Enter**.
+
+ Installs the npm package manager and bulk adds all the third-party libraries back into your codebase.
+
+6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, and then build the entire solution.
+
+7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager.
+
+## Step 2 - Create the Application Pool and website, by using IIS
+Create a new Application Pool and the website, by using the IIS Manager.
+
+**To create a new Application Pool**
+1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Application Pools**, then click **Add Application Pool**.
+
+ The **Add Application Pool** box appears.
+
+2. In the **Add Application Pool** box, enter the following info:
+
+ - **Name.** Type the name of your new application pool. For example, _EMIEWebAppPool_.
+
+ - **.NET CLR version.** Pick the version of .NET CLR used by your application pool from the drop-down box. It must be version 4.0 or higher.
+
+ - **Managed pipeline mode.** Pick **Integrated** from the drop-down box. IIS uses the integrated IIS and ASP.NET request-processing pipeline for managed content.
+
+3. Click **OK**.
+
+4. Select your new application pool from the **Application Pool** pane, click **Advanced Settings** from the **Edit Application Pool** area of the **Actions** pane.
+
+ The **Advanced Settings** box appears.
+
+5. Make sure your **Identity** value is **ApplicationPoolIdentity**, click **OK**, and then close the box.
+
+6. Open File Explorer and go to your deployment directory, created in Step 1. For example, _D:\EMIEWebApp_.
+
+7. 
Right-click on the directory, click **Properties**, and then click the **Security** tab.
+
+8. Add your new application pool to the list (for example, _IIS AppPool\EMIEWebAppPool_) with **Full control access**, making sure the location searches the local computer.
+
+9. Add **Everyone** to the list with **Read & execute access**.
+
+**To create the website**
+1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Sites**, then click **Add Website**.
+
+ The **Add Website** box appears.
+
+2. In the **Add Website** box, type the name of your website into the **Site name** box. For example, _EMIEWebApp_, and then click **Select**.
+
+ The **Select Application Pool** box appears.
+
+4. Pick the name of the application pool created earlier in this step, and then click **OK**. For example, _EMIEWebAppPool_.
+
+5. In the **Physical path** box, browse to your folder that contains your deployment directory. For example, _D:\EMIEWebApp_.
+
+6. Set up your **Binding**, including your **Binding Type**, **IP address**, and **Port**, as appropriate for your organization.
+
+7. Clear the **Start Website immediately** check box, and then click **OK**.
+
+8. In IIS Manager, expand your local computer, and then double-click your new website. For example, _EMIEWebApp_.
+
+ The **<website_name> Home** pane appears.
+
+9. Double-click the **Authentication** icon, right-click on **Windows Authentication**, and then click **Enable**.
+
+ >[!Note]
+ >You must also make sure that **Anonymous Authentication** is marked as **Enabled**.
+
+10. Return to the **<website_name> Home** pane, and double-click the **Connection Strings** icon.
+
+11. Open the **LOBMergedEntities Connection String** to edit:
+
+ - **Data source.** Type the name of your local computer.
+
+ - **Initial catalog.** The name of your database.
+
+ >[!Note]
+ >Step 3 of this topic provides the steps to create your database. 
+
+## Step 3 - Create and prep your database
+Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables.
+
+**To create and prep your database**
+1. Start SQL Server Management Studio.
+
+2. Open **Object Explorer** and then connect to an instance of the SQL Server Database Engine.
+
+3. Expand the instance, right-click on **Databases**, and then click **New Database**.
+
+4. Type a database name. For example, _EMIEDatabase_.
+
+5. Leave all default values for the database files, and then click **OK**.
+
+6. Open the **DatabaseScripts/Create DB Tables/1_CreateEMIETables.sql** query file, located in the deployment directory.
+
+7. Replace the database name placeholder with the database name you created earlier. For example, _EMIEDatabase_.
+
+8. Run the query.
+
+## Step 4 - Map your Application Pool to a SQL Server role
+Map your ApplicationPoolIdentity to your database, adding the db_owner role.
+
+**To map your ApplicationPoolIdentity to a SQL Server role**
+1. Start SQL Server Management Studio and connect to your database.
+
+2. Expand the database instance and then open the server-level **Security** folder.
+
+ > [!IMPORTANT]
+ > Make sure you open the **Security** folder at the server level and not for the database.
+
+3. Right-click **Logins**, and then click **New Login**.
+
+ The **Login-New** dialog box appears.
+
+4. Type the following into the **Login name** box, based on your server instance type:
+
+ - **Local SQL Server instance.** If you have a local SQL Server instance, where IIS and SQL Server are on the same server, type the name of your Application Pool. For example, _IIS AppPool\EMIEWebAppPool_.
+
+ - **Remote SQL Server instance.** If you have a remote SQL Server instance, where IIS and SQL Server are on different servers, type `Domain\ServerName$`.
+
+ > [!IMPORTANT]
+ > Don't click **Search** in the **Login name** box. 
Login name searches will resolve to a ServerName\AppPool Name account and SQL Server Management Studio won't be able to resolve the account's virtual Security ID (SID).
+
+5. Click **User Mapping** from the **Select a page** pane, click the checkbox for your database (for example, _EMIEDatabase_) from the **Users mapped to this login** pane, and then click **db_owner** from the list of available roles in the **Database role membership** pane.
+
+6. Click **OK**.
+
+## Step 5 - Restart the Application Pool and website
+Using the IIS Manager, you must restart both your Application Pool and your website.
+
+**To restart your Application Pool and website**
+1. In IIS Manager, expand your local computer in the **Connections** pane, select your website, then click **Restart** from the **Manage Website** pane.
+
+2. In the **Connections** pane, select your Application Pool, and then click **Recycle** from the **Application Pool Tasks** pane.
+
+## Step 6 - Registering as an administrator
+After you've created your database and website, you'll need to register yourself (or another employee) as an administrator for the Enterprise Mode Site List Portal.
+
+**To register as an administrator**
+1. Open Microsoft Edge and type your website URL into the Address bar. For example, http://emieportal:8085.
+
+2. Click **Register now**.
+
+3. Type your name or alias into the **Email** box, making sure it matches the info in the drop-down box.
+
+4. Click **Administrator** from the **Role** box, and then click **Save**.
+
+5. Append your website URL with `/#/EMIEAdminConsole` in the Address bar to go to your administrator console. For example, http://emieportal:8085/#/EMIEAdminConsole.
+
+ A dialog box appears, prompting you for the system user name and password. The default user name is EMIEAdmin and the default password is Admin123. We strongly recommend that you change the password by using the **Change password** link as soon as you're done with your first visit.
+
+6. 
Select your name from the available list, and then click **Activate**.
+
+7. Go to the Enterprise Mode Site List Portal Home page and sign in.
+
+## Step 7 - Configure the SMTP server and port for email notification
+After you've set up the portal, you need to configure your SMTP server and port for email notifications from the system.
+
+**To set up your SMTP server and port for emails**
+1. Open Visual Studio, and then open the web.config file from your deployment directory.
+
+2. Update the SMTP server and port info with your info, using this format:
+
+ ```
+
+
+ ```
+3. Open the **Settings** page in the Enterprise Mode Site List Portal, and then update the email account and password info.
+
+## Step 8 - Register the scheduler service
+Register the EMIEScheduler tool and service for production site list changes.
+
+**To register the scheduler service**
+
+1. Open File Explorer and go to EMIEWebPortal.SchedulerService\EMIEWebPortal.SchedulerService in your deployment directory, and then copy the **App_Data**, **bin**, and **Logs** folders to a separate folder. For example, C:\EMIEService\.
+
+ >[!Important]
+ >If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files.
+
+2. In Visual Studio start the Developer Command Prompt as an administrator, and then change the directory to the location of the InstallUtil.exe file. For example, _C:\Windows\Microsoft.NET\Framework\v4.0.30319_.
+
+3. Run the command, `InstallUtil ""`. For example, _InstallUtil "C:\EMIEService\bin\Debug\EMIEWebPortal.SchedulerService.exe"._
+
+ You'll be asked for your user name and password for the service.
+
+4. Open the **Run** command, type `Services.msc`, and then start the EMIEScheduler service. 
+
+## Related topics
+- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
+
+- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
+
+- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)
\ No newline at end of file
diff --git a/browsers/enterprise-mode/turn-off-enterprise-mode.md b/browsers/enterprise-mode/turn-off-enterprise-mode.md
new file mode 100644
index 0000000000..12a4ee7ffd
--- /dev/null
+++ b/browsers/enterprise-mode/turn-off-enterprise-mode.md
@@ -0,0 +1,77 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: How to turn Enteprrise Mode off temporarily while testing websites and how to turn it off completely if you no longer want to to use it.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 5027c163-71e0-49b8-9dc0-f0a7310c7ae3
+title: Turn off Enterprise Mode (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Turn off Enterprise Mode
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+It’s important that you test the sites you’re adding, or considering removing, from your Enterprise Mode site list. To make this testing easier, you can turn off the site list or the entire Enterprise Mode functionality. For example, you might have an intranet site on your list that you’ve upgraded to be compatible with the new web standards . If you test the site while the site list is active, Internet Explorer 11 will automatically switch to Enterprise Mode. By turning off the site list, you can see what the page actually looks like and decide whether to remove it from your site list.
+
+In addition, if you no longer want your users to be able to turn Enterprise Mode on locally, you can remove Enterprise Mode from the local **Tools** menu.
+
+**Important**
+Turning off both of these features turns off Enterprise Mode for your company. Turning off Enterprise Mode also causes any websites included in your employee’s manual site lists to not appear in Enterprise Mode.
+
+  **To turn off the site list using Group Policy**
+
+1. Open your Group Policy editor, like Group Policy Management Console (GPMC).
+
+2. Go to the **Use the Enterprise Mode IE website list** setting, and then click **Disabled**.

+Enterprise Mode will no longer look for the site list, effectively turning off Enterprise Mode. However, if you previously turned on local control for your employees, Enterprise Mode will still be available from the **Tools** menu. You need to turn that part of the functionality off separately.
+
+ **To turn off local control using Group Policy**
+
+1. Open your Group Policy editor, like Group Policy Management Console (GPMC).
+
+2. Go to the **Let users turn on and use Enterprise Mode from the Tools menu** setting, and then click **Disable**.
+
+3. Enterprise Mode no longer shows up on the **Tools** menu for your employees. However, if you are still using an Enterprise Mode site list, all of the globally listed sites will still appear in Enterprise Mode. If you want to turn off all of Enterprise Mode, you will need to also turn off the site list functionality.
+
+ **To turn off the site list using the registry**
+
+1. Open a registry editor, such as regedit.exe.
+
+2. Go to `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode`, and then delete the **SiteList** value.

+You can also use HKEY_LOCAL_MACHINE, depending whether you want to turn off the Enterprise Mode site list for users or for computers.
+
+3. Close all and restart all instances of Internet Explorer.

+IE11 stops looking at the site list for rendering instructions. However, Enterprise Mode is still available to your users locally (if it was turned on).
+
+ **To turn off local control using the registry**
+
+1. Open a registry editor, such as regedit.exe.
+
+2. Go `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`, and then delete the **Enable** value.

+You can also use HKEY_CURRENT_USER, depending whether you want to turn off Enterprise Mode for users or for computers.
+
+3. Close and restart all instances of IE.

+Enterprise Mode is no longer a user option on the **Tools** menu in IE11. However, IE11 still looks at the site list (if it was turned on).
+
+## Related topics
+- [What is Enterprise Mode?](what-is-enterprise-mode.md)
+- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md)
+- [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md)
+- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
+ 
+
+ 
+
+
+
diff --git a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
new file mode 100644
index 0000000000..e4e3d83ec8
--- /dev/null
+++ b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
@@ -0,0 +1,47 @@
+Before you can use a site list with Enterprise Mode, you must turn the functionality on and set up the system for centralized control. By allowing
+centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 won’t look for an updated list again until you restart the browser.
+
+>[!NOTE]
+>We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode.
+
+**Group Policy**
+
+1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Enterprise Mode Site List** setting.

 Turning this setting on also requires you to create and store a site list.
+
+
+
+2. Click **Enabled**, and then in the **Options** area, type the location to your site list.
+
+3. Refresh your policy and then view the affected sites in Microsoft Edge.

 The site shows a message in Microsoft Edge, saying that the page needs IE. At the same time, the page opens in IE11; in a new frame if it's not yet running, or in a new tab if it is.
+
+**Registry**
+
+All of your managed devices must have access to this location if you want them to be able to access and use Enterprise Mode and your site list.
+
+1. **To turn on Enterprise Mode for all users on the PC:** Open the registry editor and go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode`.
+
+2. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file.

 For example:
+
+
+ - **HTTPS location:** `"SiteList"="https://localhost:8080/sites.xml"`
+
+ - **Local network:** `"SiteList"="\\network\shares\sites.xml"`
+
+ - **Local file:** `"SiteList"="file:///c:\\Users\\\\Documents\\testList.xml"`
+
+ > **Example:**
+ >> _Web URL_ http://localhost:8080/EnterpriseMode.xml
+ >>
+ >> _Network Share_ \\NetworkShare.xml (Place this inside the group policy folder on Sysvol)
+ >>
+ >> _Drive Letter_ C:.xml
+
+ All of your managed devices must have access to this location if you want them to use Enterprise Mode and your site list.
+
+3. Refresh the policy in your organization and then view the affected sites in
+ Microsoft Edge.

 The site shows a message in Microsoft Edge, saying that the page needs IE.
+ At the same time, the page opens in IE11; in a new frame if it is not yet
+ running, or in a new tab if it is.
diff --git a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md
new file mode 100644
index 0000000000..0f5ff8d1f9
--- /dev/null
+++ b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md
@@ -0,0 +1,61 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Turn on local user control and logging for Enterprise Mode. +author: eross-msft +ms.prod: ie11 +ms.assetid: 6622ecce-24b1-497e-894a-e1fd5a8a66d1 +title: Turn on local control and logging for Enterprise Mode (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Turn on local control and logging for Enterprise Mode + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +You can turn on local control of Enterprise Mode so that your users can turn Enterprise Mode on from the **Tools** menu. Turning on this feature also adds the **Enterprise** browser profile to the **Emulation** tab of the F12 developer tools. + +Besides turning on this feature, you also have the option to provide a URL for Enterprise Mode logging. If you turn logging on, Internet Explorer initiates a simple POST back to the supplied address, including the URL and a specification that **EnterpriseMode** was turned on or off through the **Tools** menu. + + **To turn on local control of Enterprise Mode using Group Policy** + +1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting. + + ![group policy editor with emie setting](images/ie-emie-editpolicy.png) + +2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu. + + **To turn on local control of Enterprise Mode using the registry** + +1. Open a registry editor, like regedit.exe and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`. + +2. 
In the right pane, right-click and click **New**, click **String Value**, and then name the new value **Enable**. + +3. Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates. + + ![edit registry string for data collection location](images/ie-emie-editregistrystring.png) + +Your **Value data** location can be any of the following types: + +- **URL location (like, http://www.emieposturl.com/api/records or http://localhost:13000)**. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu.

**Important**
+The `http://www.emieposturl.com/api/records` example will only work if you’ve downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) topic. If you don’t have the sample, you won’t have the web API. +- **Local network location (like, http://*emieposturl*/)**. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu. +- **Empty string**. If you leave the **Value data** box blank; your employees will be able to turn Enterprise Mode on and off from the **Tools** menu, but you won’t collect any logging data. + +For information about how to collect the data provided when your employees turn Enterprise Mode on or off from the **Tools** menu, see [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md). + +  + +  + + + diff --git a/browsers/enterprise-mode/use-the-enterprise-mode-portal.md b/browsers/enterprise-mode/use-the-enterprise-mode-portal.md new file mode 100644 index 0000000000..d57c5f411b --- /dev/null +++ b/browsers/enterprise-mode/use-the-enterprise-mode-portal.md 
@@ -0,0 +1,80 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Portal. +ms.prod: ie11 +title: Use the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + +# Use the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. + +The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later. + +You can use IE11 and the Enterprise Mode Site List Portal to manage your Enterprise Mode Site List, hosted by the app, with multiple users. + +## Minimum system requirements for portal and test machines +Some of the components in this table might also need additional system resources. Check the component's documentation for more information. 
+ +|Item |Description | +|-----|------------| +|Operating system |Windows 7 or later | +|Memory |16 GB RAM | +|Hard drive space |At least 8 GB of free space, formatted using the NTFS file system for better security | +|Active Directory (AD) |Devices must be domain-joined | +|SQL Server |Microsoft SQL Server Enterprise Edition 2012 or later | +|Visual Studio |Visual Studio 2015 or later | +|Node.js® package manager |npm Developer version or higher | +|Additional server infrastructure |Internet Information Service (IIS) 6.0 or later | + +## Role assignments and available actions +Admins can assign roles to employees for the Enterprise Mode Site List Portal, allowing the employees to perform specific actions, as described in this table. + +|Role assignment |Available actions | +|----------------|------------------| +|Requester |

  • Create a change request


  • Validate changes in the pre-production environment


  • Rollback pre-production and production changes in case of failure


  • Send approval requests


  • View own requests


  • Sign off and close own requests
| +|Approver

(includes the App Manager and Group Head roles) |
  • All of the Requester actions, plus:


  • Approve requests
| +|Administrator |
  • All of the Requester and Approver actions, plus:


  • Add employees to the portal


  • Assign employee roles


  • Approve registrations to the portal


  • Configure portal settings (for example, determine the freeze schedule, determine the pre-production and production XML paths, and determine the attachment upload location)


  • Use the standalone Enterprise Mode Site List Manager page


  • View reports
| + +## Enterprise Mode Site List Portal workflow by employee role +The following workflow describes how to use the Enterprise Mode Site List Portal. + +1. [The Requester submits a change request for an app](create-change-request-enterprise-mode-portal.md) + +2. [The Requester tests the change request info, verifying its accuracy](verify-changes-preprod-enterprise-mode-portal.md) + +3. [The Approver(s) group accepts the change request](approve-change-request-enterprise-mode-portal.md) + +4. [The Requester schedules the change for the production environment](schedule-production-change-enterprise-mode-portal.md) + +5. [The change is verified against the production site list and signed off](verify-changes-production-enterprise-mode-portal.md) + + +## Related topics +- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md) + +- [Workflow-based processes for employees using the Enterprise Mode Site List Portal](workflow-processes-enterprise-mode-portal.md) + +- [How to use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md) + +- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) + +- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) +  + +  + + + diff --git a/browsers/enterprise-mode/use-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/use-the-enterprise-mode-site-list-manager.md new file mode 100644 index 0000000000..fbe6ddff8f --- /dev/null +++ b/browsers/enterprise-mode/use-the-enterprise-mode-site-list-manager.md 
@@ -0,0 +1,61 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Manager. +author: eross-msft +ms.prod: ie11 +ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b +title: Use the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 12/04/2017 +--- + + +# Use the Enterprise Mode Site List Manager + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. + +You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode. + +[!INCLUDE [enterprise-mode-site-list-mgr-versions-include](../../enterprise-mode/enterprise-mode-site-list-mgr-versions-include.md)] + +## Using the Enterprise Mode Site List Manager +The following topics give you more information about the things that you can do with the Enterprise Mode Site List Manager. + +|Topic |Description | +|------|------------| +|[Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) |How to add websites to your site list using the Enterprise Mode Site List Manager (schema v.2). 
| +|[Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) |How to add websites to your site list using the Enterprise Mode Site List Manager (schema v.1). | +|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the Enterprise Mode Site List Manager (schema v.2). | +|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the WEnterprise Mode Site List Manager (schema v.1). | +|[Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md) |How to edit the compatibility mode for specific websites.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md) |How to fix common site list validation errors.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Search your Enterprise Mode site list in the Enterprise Mode Site List Manager](search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to look to see if a site is already in your global Enterprise Mode site list.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Save your site list to XML in the Enterprise Mode Site List Manager](save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md) |How to save a site list as XML, so you can deploy and use it with your managed systems.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md) |How to export your site list so you can transfer your data and contents to someone else.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](import-into-the-enterprise-mode-site-list-manager.md) |How to import your site list to replace a corrupted or out-of-date list.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete a website from your site list.

This topic applies to both versions of the Enterprise Mode Site List Manager. | +|[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete all of the websites in a site list.

This topic applies to both versions of the Enterprise Mode Site List Manager. | + +## Related topics + + +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) +- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) +  + +  + + + diff --git a/browsers/enterprise-mode/using-enterprise-mode.md b/browsers/enterprise-mode/using-enterprise-mode.md new file mode 100644 index 0000000000..313a07e8e8 --- /dev/null +++ b/browsers/enterprise-mode/using-enterprise-mode.md 
@@ -0,0 +1,57 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: security +description: Use this section to learn about how to turn on and use IE7 Enterprise Mode or IE8 Enterprise Mode. +author: eross-msft +ms.prod: ie11 +ms.assetid: 238ead3d-8920-429a-ac23-02f089c4384a +title: Using IE7 Enterprise Mode or IE8 Enterprise Mode (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Using IE7 Enterprise Mode or IE8 Enterprise Mode + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Enterprise Mode gives you a way for your legacy websites and apps to run using emulated versions of Windows Internet Explorer 7 or Windows Internet Explorer 8, while your new sites and apps run using Internet Explorer 11, including modern standards and features. + +Although it’s called IE7 Enterprise Mode, it actually turns on Enterprise Mode along with Internet Explorer 7 or Microsoft Internet Explorer 5 Compatibility View. Compatibility View chooses which document mode to use based on whether there’s a `DOCTYPE` tag in your code: + +- **DOCTYPE tag found.** Webpages render using the Internet Explorer 7 document mode. +- **No DOCTYPE tag found.** Webpages render using the Internet Explorer 5 document mode. + +**Important**
+Because we’ve added the IE7 Enterprise Mode option, we’ve had to rename the original functionality of Enterprise Mode to be IE8 Enterprise Mode. We’ve also replaced Edge Mode with IE11 Document Mode, so you can explicitly use IE11 on Windows 10. + +## Turning on and using IE7 Enterprise Mode or IE8 Enterprise Mode +For instructions about how to add IE7 Enterprise Mode or IE8 Enterprise Mode to your webpages and apps, see: + +- [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) + +- [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) + +- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) + +- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) + +For instructions and more info about how to fix your compatibility issues using Enterprise Mode, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). + +## Related topics +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) +  + +  + + + 
diff --git a/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md b/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md
new file mode 100644
index 0000000000..94de88ee4e
--- /dev/null
+++ b/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md
@@ -0,0 +1,67 @@ +--- +ms.localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how to make sure your change request info is accurate within the pre-production environment of the Enterprise Mode Site List Portal. +author: eross-msft +ms.prod: ie11 +title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + +# Verify your changes using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +>[!Important] +>This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. + +The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including: + +- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List. + +- **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment. + +- **EMIE_Reset**. A batch file that when run, reverts the changes made to the pre-production registry. + +## Verify and send the change request to Approvers +The Requester tests the changes and then goes back into the Enterprise Mode Site List Portal, **Pre-production verification** page to verify whether the testing was successful. + +**To verify changes and send to the Approver(s)** +1. On the **Pre-production verification** page, the Requester clicks **Successful** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results. + +2. 
The Requester reviews the pre-defined Approver(s), and then clicks **Send for approval**. + + The Requester, the Approver group, and the Administrator group all get an email, stating that the change request is waiting for approval. + + +**To rollback your pre-production changes** +1. On the **Pre-production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results. + +2. Add a description about the issue into the **Issue description** box, and then click **Send failure details**. + + The change request and issue info are sent to the Administrators. + +3. The Requester clicks **Roll back** to roll back the changes in the pre-production environment. + + After the Requester rolls back the changes, the request can be updated and re-submitted. + + +## View rolled back change requests +The original Requester and the Administrator(s) group can view the rolled back change requests. + +**To view the rolled back change request** + +- In the Enterprise Mode Site List Portal, click **Rolled back** from the left pane. + + All rolled back change requests appear, with role assignment determining which ones are visible. + +## Next steps +If the change request is certified as successful, the Requester must next send it to the Approvers for approval. For the Approver-related steps, see the [Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md) topic. diff --git a/browsers/enterprise-mode/verify-changes-production-enterprise-mode-portal.md b/browsers/enterprise-mode/verify-changes-production-enterprise-mode-portal.md new file mode 100644 index 0000000000..00fb099e3f --- /dev/null +++ b/browsers/enterprise-mode/verify-changes-production-enterprise-mode-portal.md 
@@ -0,0 +1,42 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how the Requester makes sure that the change request update is accurate within the production environment using the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: Verify the change request update in the production environment using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# Verify the change request update in the production environment using the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+## Verify and sign off on the update in the production environment
+The Requester tests the changes in the production environment and then goes back into the Enterprise Mode Site List Portal, **Production verification** page to verify whether the testing was successful.
+
+**To verify the changes and sign off**
+- On the **Production verification** page, the Requester clicks **Successful**, optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results, optionally includes a description of the change, and then clicks **Sign off**.
+
+ The Requester, Approver group, and Administrator group all get an email, stating that the change request has been signed off.
+
+
+**To rollback production changes**
+1. On the **Production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results.
+
+2. Add a description about the issue into the **Change description** box, and then click **Send failure details**.
+
+ The info is sent to the Administrators.
+
+3. The Requester clicks **Roll back** to roll back the changes in the production environment.
+
+ After the Requester rolls back the changes, the request is automatically handled in the production and pre-production environment site lists.
+
diff --git a/browsers/enterprise-mode/view-apps-enterprise-mode-site-list.md b/browsers/enterprise-mode/view-apps-enterprise-mode-site-list.md
new file mode 100644
index 0000000000..29d1d8afe9
--- /dev/null
+++ b/browsers/enterprise-mode/view-apps-enterprise-mode-site-list.md
@@ -0,0 +1,38 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how to view the active Enterprise Mode Site List from the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Any employee with access to the Enterprise Mode Site List Portal can view the apps included in the current Enterprise Mode Site List.
+
+**To view the active Enterprise Mode Site List**
+1. Open the Enterprise Mode Site List Portal and click the **Production sites list** icon in the upper-right area of the page.
+
+ The **Production sites list** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site.
+
+2. Click any URL to view the actual site, using the compatibility mode and opening in the correct browser.
+
+
+**To export the active Enterprise Mode Site List**
+1. On the **Production sites list** page, click **Export**.
+
+2. Save the ProductionSiteList.xlsx file.
+
+ The Excel file includes all apps in the current Enterprise Mode Site List, including URL, compatibility mode, and assigned browser.
diff --git a/browsers/enterprise-mode/what-is-enterprise-mode-include.md b/browsers/enterprise-mode/what-is-enterprise-mode-include.md
new file mode 100644
index 0000000000..34359d6f1b
--- /dev/null
+++ b/browsers/enterprise-mode/what-is-enterprise-mode-include.md
@@ -0,0 +1,4 @@
+## What is Enterprise Mode?
+Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8. Running in this mode helps to avoid many of the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+
+Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability.
\ No newline at end of file
diff --git a/browsers/includes/available-duel-browser-experiences-include.md b/browsers/includes/available-duel-browser-experiences-include.md
new file mode 100644
index 0000000000..175646f824
--- /dev/null
+++ b/browsers/includes/available-duel-browser-experiences-include.md
@@ -0,0 +1,12 @@
+## Available dual-browser experiences
+Based on the size of your legacy web app dependency, determined by the data collected with [Windows Upgrade Analytics](https://blogs.windows.com/windowsexperience/2016/09/26/new-windows-10-and-office-365-features-for-the-secure-productive-enterprise/), there are several options from which you can choose to configure your enterprise browsing environment:
+
+- Use Microsoft Edge as your primary browser.
+
+- Use Microsoft Edge as your primary browser and use Enterprise Mode to open sites in Internet Explorer 11 (IE11) that use IE proprietary technologies.
+
+- Use Microsoft Edge as your primary browser and open all intranet sites in IE11.
+
+- Use IE11 as your primary browser and use Enterprise Mode to open sites in Microsoft Edge that use modern web technologies.
+
+For more info about when to use which option, and which option is best for you, see the [Continuing to make it easier for Enterprise customers to upgrade to Internet Explorer 11 — and Windows 10](https://blogs.windows.com/msedgedev/2015/11/23/windows-10-1511-enterprise-improvements) blog.
\ No newline at end of file
diff --git a/browsers/includes/configuration-options.md b/browsers/includes/configuration-options.md
new file mode 100644
index 0000000000..2b2516dfe2
--- /dev/null
+++ b/browsers/includes/configuration-options.md
@@ -0,0 +1,11 @@
+## Configuration options
+You can make changes to your deployment through the software management system you have chosen.
+
+### Choosing an update channel
+
+### Configure policies using Group Policy Editor
+
+### Configure policies using Registry Editor
+
+### Configure policies using Intune
+
diff --git a/browsers/includes/control-browser-content.md b/browsers/includes/control-browser-content.md
new file mode 100644
index 0000000000..e32eda17a8
--- /dev/null
+++ b/browsers/includes/control-browser-content.md
@@ -0,0 +1,18 @@
+## Controlling browser content
+This section explains how to control content in the browser.
+
+### Configure Pop-up Blocker
+[configure-pop-up-blocker-include](../edge/includes/configure-pop-up-blocker-include.md)
+
+### Allow exentions
+[allow-extensions-include](../edge/includes/allow-extensions-include.md)
+
+[send-all-intranet-sites-ie-include](../edge/includes/send-all-intranet-sites-ie-include.md)
+
+[keep-fav-sync-ie-edge-include](../edge/includes/keep-fav-sync-ie-edge-include.md)
+
+extensions
+javascript
+Tracking your browser:
+- Do not track
+
diff --git a/browsers/includes/control-browsing-behavior.md b/browsers/includes/control-browsing-behavior.md
new file mode 100644
index 0000000000..067eba3f7d
--- /dev/null
+++ b/browsers/includes/control-browsing-behavior.md
@@ -0,0 +1,90 @@ + +# Control browsing behavior +This section explains how to contol the behavior of Microsoft Edge in certain circumstances. Besides changing how sites deplay and the look and feel of the browser itself, you can also change how the browser behaves, for example, you can change the settings for security. + + + +## Security settings + +## Cookies + +[configure-cookies-include](../edge/includes/configure-cookies-include.md) + +## Search engine settings +...shortdesc of search engines...how admins can control the default search engine... + +### Allow address bar suggestions +[allow-address-bar-suggestions-include](../edge/includes/allow-address-bar-suggestions-include.md) + +[configure-search-suggestions-address-bar-include](../edge/includes/configure-search-suggestions-address-bar-include.md) + +[allow-search-engine-customization-include](../edge/includes/allow-search-engine-customization-include.md) + +[configure-additional-search-engines-include](../edge/includes/configure-additional-search-engines-include.md) + +[set-default-search-engine-include](../edge/includes/set-default-search-engine-include.md) + + + + +## Extensions +Extensions allow you to add features and functionality directly into the browser itself. Choose from a range of extensions from the Microsoft Store. + + + +[Allow Extensions](../edge/available-policies.md#allow-extensions) + +[allow-sideloading-extensions-include](../edge/includes/allow-sideloading-extensions-include.md) + +[prevent-turning-off-required-extensions-include](../edge/includes/prevent-turning-off-required-extensions-include.md) + +## Home button settings +The Home page... + + +### Scenarios +You can specify www.bing.com or www.google.com as the startup pages for Microsoft Edge using "HomePages" (MDM) or Configure Start Pages (GP). You can also enable the Disable Lockdown of Start pages (GP) policy or set the the DisableLockdownOfStartPages (MDM) setting to 1 allowing users to change the Microsoft Edge start options. 
Additionally, you can enable the Disable Lockdown of Start Pages or set the DisableLockdownOfStartPages to 2 locking down the IT-provided URLs, but allowing users to add or remove additional URLs. Users cannot switch Startup setting to another, for example, to load New Tab page or "previous pages" at startup. + +### Configuration combinations + +| **Configure Home Button** | **Set Home Button URL** | **Unlock Home Button** | **Results** | +|---------------------------------|-------------------------|------------------------|---------------------------------| +| Not configured (0/Null default) | N/A | N/A | Shows home button and loads the Start page. | +| Enabled (1) | N/A | Disabled (0 default) | Shows home button, loads the New tab page, and prevent users from making changes to it. | +| Enabled (1) | N/A | Disabled (0 default) | Shows home button, loads the New tab page, and let users from making changes to it. | +| Enabled (2) | Enabled | Disabled (0 default) | Shows home button, loads custom URL defined in the Set Home Button URL policy, prevent users from changing what page loads. | +| Enabled (2) | Enabled | Enabled | Shows home button, loads custom URL defined in the Set Home Button URL policy, and allow users to change what page loads. | +| Enabled (3) | N/A | N/A | Hides home button. 
| +--- + +[configure-home-button-include](configure-home-button-include.md) + +[set-home-button-url-include](set-home-button-url-include.md) + +[unlock-home-button-include](unlock-home-button-include.md) + +## Start page settings + +[configure-start-pages-include](configure-start-pages-include.md) + +[disable-lockdown-of-start-pages-include](disable-lockdown-of-start-pages-include.md) + + + +## New Tab page settings + +[set-new-tab-url-include](set-new-tab-url-include.md) + +[allow-web-content-new-tab-page-include](allow-web-content-new-tab-page-include.md) + + +## Exit tasks + +[allow-clearing-browsing-data-include](allow-clearing-browsing-data-include.md) + + +## Kiosk mode + +[Configure kiosk mode](configure-microsoft-edge-kiosk-mode-include.md) + +[Configure kiosk reset after idle timeout](configure-edge-kiosk-reset-idle-timeout-include.md) diff --git a/browsers/includes/customize-look-and-feel.md b/browsers/includes/customize-look-and-feel.md new file mode 100644 index 0000000000..5bada8092e --- /dev/null +++ b/browsers/includes/customize-look-and-feel.md @@ -0,0 +1,2 @@ +## Customize the look and feel + diff --git a/browsers/includes/helpful-topics-include.md b/browsers/includes/helpful-topics-include.md new file mode 100644 index 0000000000..21a3238bd5 --- /dev/null +++ b/browsers/includes/helpful-topics-include.md 
@@ -0,0 +1,28 @@
+
+## Helpful information and additional resources
+- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
+
+- [Technical guidance, tools, and resources on Enterprise browsing](https://technet.microsoft.com/ie)
+
+- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501)
+
+- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974)
+
+- [Use the Enterprise Mode Site List Manager](../enterprise-mode/use-the-enterprise-mode-site-list-manager.md)
+
+- [Collect data using Enterprise Site Discovery](../enterprise-mode/collect-data-using-enterprise-site-discovery.md)
+
+- [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx)
+
+- [Microsoft Services Support](https://www.microsoft.com/en-us/microsoftservices/support.aspx)
+
+- [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search)
+
+
+
+
+
+- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx)
+- [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956)
+- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646)
+- [Fix web compatibility issues using document modes and the Enterprise Mode site list](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list)
diff --git a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md
new file mode 100644
index 0000000000..2e8b76896b
--- /dev/null
+++ b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md
@@ -0,0 +1,12 @@
+If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager.
+
+>[!IMPORTANT]
+>Importing your file overwrites everything that’s currently in the tool, so make sure it’s what want to do.
+
+1. In the Enterprise Mode Site List Manager, click **File \> Import**.
+
+2. Go to the exported .EMIE file.

For example, `C:\users\\documents\sites.emie`
+
+1. Click **Open**.
+
+2. Review the alert message about all of your entries being overwritten and click **Yes**.
diff --git a/browsers/includes/interoperability-goals-enterprise-guidance.md b/browsers/includes/interoperability-goals-enterprise-guidance.md
new file mode 100644
index 0000000000..5937eb6bef
--- /dev/null
+++ b/browsers/includes/interoperability-goals-enterprise-guidance.md
@@ -0,0 +1,28 @@
+## Interoperability goals and enterprise guidance
+
+Our primary goal is that your websites work in Microsoft Edge. To that end, we've made Microsoft Edge the default browser.
+
+You must continue using IE11 if web apps use any of the following:
+
+* ActiveX controls
+
+* x-ua-compatible headers
+
+* <meta> tags
+
+* Enterprise mode or compatibility view to address compatibility issues
+
+* legacy document modes [what is this?]
+
+If you have uninstalled IE11, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11.
+
+>[!TIP]
+>If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714).
+
+
+|Technology |Why it existed |Why we don't need it anymore |
+|---------|---------|---------|
+|ActiveX |ActiveX is a binary extension model introduced in 1996 which allowed developers to embed native Windows technologies (COM/OLE) in web pages. These controls can be downloaded and installed from a site and were subsequently loaded in-process and rendered in Internet Explorer. | |
+|Browser Helper Objects (BHO) |BHOs are a binary extension model introduced in 1997 which enabled developers to write COM objects that were loaded in-process with the browser and could perform actions on available windows and modules. A common use was to build toolbars that installed into Internet Explorer. | |
+|Document modes | Starting with IE8, Internet Explorer introduced a new “document mode” with every release. These document modes could be requested via the x-ua-compatible header to put the browser into a mode which emulates legacy versions.
|Similar to other modern browsers, Microsoft Edge will have a single “living” document mode. In order to minimize the compatibility burden, features will be tested behind switches in about:flags until they are stable and ready to be turned on by default. | + diff --git a/browsers/internet-explorer/TOC.md b/browsers/internet-explorer/TOC.md index 5991583d77..229def58e0 100644 --- a/browsers/internet-explorer/TOC.md +++ b/browsers/internet-explorer/TOC.md @@ -1,7 +1,11 @@ #[IE11 Deployment Guide for IT Pros](ie11-deploy-guide/index.md) + ##[Change history for the Internet Explorer 11 (IE11) Deployment Guide](ie11-deploy-guide/change-history-for-internet-explorer-11.md) + ##[System requirements and language support for Internet Explorer 11](ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md) + ##[List of updated features and tools - Internet Explorer 11 (IE11)](ie11-deploy-guide/updated-features-and-tools-with-ie11.md) + ##[Install and Deploy Internet Explorer 11 (IE11)](ie11-deploy-guide/install-and-deploy-ie11.md) ###[Customize Internet Explorer 11 installation packages](ie11-deploy-guide/customize-ie11-install-packages.md) ####[Using IEAK 11 to create packages](ie11-deploy-guide/using-ieak11-to-create-install-packages.md) 
@@ -18,8 +22,11 @@ ####[Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS)](ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md) ####[Deploy Internet Explorer 11 using software distribution tools](ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md) ###[Virtualization and compatibility with Internet Explorer 11](ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md) + ##[Collect data using Enterprise Site Discovery](ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md) + ##[Enterprise Mode for Internet Explorer 11 (IE11)](ie11-deploy-guide/enterprise-mode-overview-for-ie11.md) +###[Tips and tricks to manage Internet Explorer compatibility](ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md) ###[Enterprise Mode and the Enterprise Mode Site List](ie11-deploy-guide/what-is-enterprise-mode.md) ###[Set up Enterprise Mode logging and data collection](ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md) ###[Turn on Enterprise Mode and use a site list](ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md) @@ -57,6 +64,8 @@ ###[Remove sites from a local Enterprise Mode site list](ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md) ###[Remove sites from a local compatibility view list](ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md) ###[Turn off Enterprise Mode](ie11-deploy-guide/turn-off-enterprise-mode.md) + + ##[Group Policy and Internet Explorer 11 (IE11)](ie11-deploy-guide/group-policy-and-ie11.md) ###[Group Policy management tools](ie11-deploy-guide/group-policy-objects-and-ie11.md) ####[Group Policy and the Group Policy Management Console (GPMC)](ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md) 
@@ -71,10 +80,12 @@ ###[Group policy preferences and Internet Explorer 11](ie11-deploy-guide/group-policy-preferences-and-ie11.md) ###[Administrative templates and Internet Explorer 11](ie11-deploy-guide/administrative-templates-and-ie11.md) ###[Enable and disable add-ons using administrative templates and group policy](ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md) + ##[Manage Internet Explorer 11](ie11-deploy-guide/manage-ie11-overview.md) ###[Auto detect settings Internet Explorer 11](ie11-deploy-guide/auto-detect-settings-for-ie11.md) ###[Auto configuration settings for Internet Explorer 11](ie11-deploy-guide/auto-configuration-settings-for-ie11.md) ###[Auto proxy configuration settings for Internet Explorer 11](ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md) + ##[Troubleshoot Internet Explorer 11 (IE11)](ie11-deploy-guide/troubleshoot-ie11.md) ###[Setup problems with Internet Explorer 11](ie11-deploy-guide/setup-problems-with-ie11.md) ###[Install problems with Internet Explorer 11](ie11-deploy-guide/install-problems-with-ie11.md) 
@@ -87,14 +98,27 @@ ###[Fix font rendering problems by turning off natural metrics](ie11-deploy-guide/turn-off-natural-metrics.md) ###[Intranet problems with Internet Explorer 11](ie11-deploy-guide/intranet-problems-and-ie11.md) ###[Browser cache changes and roaming profiles](ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md) + ##[Out-of-date ActiveX control blocking](ie11-deploy-guide/out-of-date-activex-control-blocking.md) +###[Blocked out-of-date ActiveX controls](ie11-deploy-guide/blocked-out-of-date-activex-controls.md) + ##[Deprecated document modes and Internet Explorer 11](ie11-deploy-guide/deprecated-document-modes.md) + ##[What is the Internet Explorer 11 Blocker Toolkit?](ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md) +###[Internet Explorer 11 delivery through automatic updates](ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) +###[Internet Explorer 11 Blocker Toolkit FAQ](ie11-faq/faq-ie11-blocker-toolkit.md) + ##[Missing Internet Explorer Maintenance settings for Internet Explorer 11](ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md) + ##[Missing the Compatibility View Button](ie11-deploy-guide/missing-the-compatibility-view-button.md) + ##[Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013](ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md) + #[IE11 Frequently Asked Questions (FAQ) Guide for IT Pros](ie11-faq/faq-for-it-pros-ie11.md) + #[Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](ie11-ieak/index.md) +##[What IEAK can do for you](ie11-ieak/what-ieak-can-do-for-you.md) +##[Internet Explorer Administration Kit (IEAK) information and downloads](ie11-ieak/ieak-information-and-downloads.md) ##[Before you start using IEAK 11](ie11-ieak/before-you-create-custom-pkgs-ieak11.md) ###[Hardware and software requirements for IEAK 11](ie11-ieak/hardware-and-software-reqs-ieak11.md) ###[Determine the licensing version and 
features to use in IEAK 11](ie11-ieak/licensing-version-and-features-ieak11.md) @@ -112,7 +136,9 @@ ###[Create multiple versions of your custom package using IEAK 11](ie11-ieak/create-multiple-browser-packages-ieak11.md) ###[Before you install your package over your network using IEAK 11](ie11-ieak/prep-network-install-with-ieak11.md) ###[Use the RSoP snap-in to review policy settings](ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md) +###[IEAK 11 - Frequently Asked Questions](ie11-faq/faq-ieak11.md) ###[Troubleshoot custom package and IEAK 11 problems](ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md) + ##[Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](ie11-ieak/ieak11-wizard-custom-options.md) ###[Use the File Locations page in the IEAK 11 Wizard](ie11-ieak/file-locations-ieak11-wizard.md) ###[Use the Platform Selection page in the IEAK 11 Wizard](ie11-ieak/platform-selection-ieak11-wizard.md) @@ -140,6 +166,7 @@ ###[Use the Programs page in the IEAK 11 Wizard](ie11-ieak/programs-ieak11-wizard.md) ###[Use the Additional Settings page in the IEAK 11 Wizard](ie11-ieak/additional-settings-ieak11-wizard.md) ###[Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard](ie11-ieak/wizard-complete-ieak11-wizard.md) + ##[Using Internet Settings (.INS) files with IEAK 11](ie11-ieak/using-internet-settings-ins-files.md) ###[Use the Branding .INS file to create custom branding and setup info](ie11-ieak/branding-ins-file-setting.md) ###[Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar](ie11-ieak/browsertoolbars-ins-file-setting.md) 
@@ -154,6 +181,7 @@ ###[Use the Proxy .INS file to specify a proxy server](ie11-ieak/proxy-ins-file-setting.md) ###[Use the Security Imports .INS file to import security info](ie11-ieak/security-imports-ins-file-setting.md) ###[Use the URL .INS file to use an auto-configured proxy server](ie11-ieak/url-ins-file-setting.md) + ##[IExpress Wizard for Windows Server 2008 R2 with SP1](ie11-ieak/iexpress-wizard-for-win-server.md) ###[IExpress Wizard command-line options](ie11-ieak/iexpress-command-line-options.md) ###[Internet Explorer Setup command-line options and return codes](ie11-ieak/ie-setup-command-line-options-and-return-codes.md) diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json index b7a205ddd2..34e8b2d487 100644 --- a/browsers/internet-explorer/docfx.json +++ b/browsers/internet-explorer/docfx.json @@ -17,7 +17,7 @@ "uhfHeaderId": "MSDocsHeader-WindowsIT", "breadcrumb_path": "/internet-explorer/breadcrumb/toc.json", "ROBOTS": "INDEX, FOLLOW", - "ms.author": "lizross", + "ms.author": "shortpatti", "author": "eross-msft", "ms.technology": "internet-explorer", "ms.topic": "article", diff --git a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md index 64f64f1366..8cab9278d3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md @@ -1,9 +1,9 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy ms.pagetype: security description: How to use Group Policy to install ActiveX controls. -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 59185370-558c-47e0-930c-8a5ed657e9e3 title: ActiveX installation using group policy (Internet Explorer 11 for IT Pros) 
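Review bot: In the browsers/internet-explorer/docfx.json hunk, the new default `"ms.author": "shortpatti"` does not match the per-file front matter this same commit writes, which pairs `author: shortpatti` with `ms.author: pashort`, and the unchanged context line still reads `"author": "eross-msft"`. If `ms.author` is meant to hold the Microsoft alias and `author` the GitHub handle, as the front-matter pairs suggest, the defaults would read `"ms.author": "pashort",` and `"author": "shortpatti",`. Pages without their own front-matter values would otherwise presumably inherit the mixed pair. The enclosing metadata object starts and ends outside the hunk.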
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md index 72e501af4b..bee3a36c25 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md @@ -1,9 +1,9 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy ms.pagetype: appcompat description: Details about how to add employees to the Enterprise Mode Site List Portal. -author: eross-msft +author: shortpatti ms.prod: ie11 title: Add employees to the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) ms.sitesec: library diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md index 595d31fa6f..a399ecaa73 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md 
@@ -1,9 +1,9 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy ms.pagetype: appcompat description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager. -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md index c8077d0f92..1f1d14991d 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md @@ -1,9 +1,9 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy ms.pagetype: appcompat description: Add multiple sites to your Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2). -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: da659ff5-70d5-4852-995e-4df67c4871dd title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros) 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md index f6061375ab..decdc115fa 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md @@ -1,9 +1,9 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy ms.pagetype: appcompat description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26 title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md index eafa1921a5..bdfc8633a7 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md 
@@ -1,9 +1,9 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy ms.pagetype: appcompat description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that''s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 513e8f3b-fedf-4d57-8d81-1ea4fdf1ac0b title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md index 8f22d23808..2fc51f57c7 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md @@ -1,9 +1,9 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy ms.pagetype: security description: Administrative templates and Internet Explorer 11 -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3 title: Administrative templates and Internet Explorer 11 (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md index 24078753c7..02bda50d22 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md 
@@ -1,9 +1,9 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy ms.pagetype: appcompat description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal. -author: eross-msft +author: shortpatti ms.prod: ie11 title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) ms.sitesec: library diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md index ad2280f2c7..d28ba9a2ab 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md @@ -1,9 +1,9 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy ms.pagetype: networking description: Auto configuration and auto proxy problems with Internet Explorer 11 -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 3fbbc2c8-859b-4b2e-abc3-de2c299e0938 title: Auto configuration and auto proxy problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md index 918969c1b7..a1ba907f17 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md 
@@ -1,9 +1,9 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy ms.pagetype: networking description: Auto configuration settings for Internet Explorer 11 -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 90308d59-45b9-4639-ab1b-497e5ba19023 title: Auto configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md index 825a383e16..180e1100b9 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md @@ -1,9 +1,9 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy ms.pagetype: networking description: Auto detect settings Internet Explorer 11 -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: c6753cf4-3276-43c5-aae9-200e9e82753f title: Auto detect settings Internet Explorer 11 (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md index b1097b8a83..99f85f37b8 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md @@ -1,9 +1,9 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy ms.pagetype: networking description: Auto proxy configuration settings for Internet Explorer 11 -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 5120aaf9-8ead-438a-8472-3cdd924b7d9e title: Auto proxy configuration settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros) 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md b/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md
new file mode 100644
index 0000000000..70a66c3670
--- /dev/null
+++ b/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md
@@ -0,0 +1,40 @@
+---
+title: Blocked out-of-date ActiveX controls
+description: This page is periodically updated with new ActiveX controls blocked by this feature.
+author: shortpatti
+ms.author: pashort
+manager: elizapo
+ms.date: 05/10/2018
+ms.topic: article
+ms.prod: ie11
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.pagetype: security
+ms.assetid: ''
+ms.sitesec: library
+---
+
+# Blocked out-of-date ActiveX controls
+
+ActiveX controls are small apps that let websites provide content, like videos and games, and let you interact with content, like toolbars. Unfortunately, because many ActiveX controls aren't automatically updated, they can become outdated as new versions are released. It's very important that you keep your ActiveX controls up to date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, Internet Explorer includes a security feature called _out-of-date ActiveX control blocking_.
+
+We'll periodically update this page with new ActiveX controls blocked by this feature. We'll typically provide one month's advance notice before adding new controls to the list.
+
+You will receive a notification if a webpage tries to load one of the following of ActiveX control versions:
+
+**Java**
+
+| Java 2 Platform, Standard Edition (J2SE) 1.4, everything below (but not including) update 43 |
+|----------------------------------------------------------------------------------------------|
+| J2SE 5.0, everything below (but not including) update 99 |
+| Java SE 6, everything below (but not including) update 181 |
+| Java SE 7, everything below (but not including) update 171 |
+| Java SE 8, everything below (but not including) update 161 |
+| Java SE 9, everything below (but not including) update 4 |
+
+**Silverlight**
+
+| Everything below (but not including) Silverlight 5.1.50907.0 |
+|--------------------------------------------------------------|
+
+For more information, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) and [Internet Explorer begins blocking out-of-date ActiveX controls](http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx). You can also view Microsoft's complete list of out-of-date ActiveX controls in the XML-based [version list](http://go.microsoft.com/fwlink/?LinkId=403864).
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
index c7d3471de2..dc4bf14619 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
@@ -1,9 +1,9 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy ms.pagetype: performance description: Browser cache changes and roaming profiles -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 85f0cd01-6f82-4bd1-9c0b-285af1ce3436 title: Browser cache changes and roaming profiles (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md index f93b098ea8..d53090e7ee 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md @@ -1,11 +1,11 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros) description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10 and Windows 10 Mobile. ms.mktglfcycl: deploy ms.prod: ie11 ms.sitesec: library -author: eross-msft +author: shortpatti ms.date: 07/27/2017 --- diff --git a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md index cf0a576c0e..9b2c6b0e6d 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md +++ b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md @@ -6,10 +6,10 @@ ms.prod: ie11 ms.mktglfcycl: deploy ms.pagetype: appcompat ms.sitesec: library -author: eross-msft -ms.author: lizross +author: shortpatti +ms.author: pashort ms.date: 08/14/2017 -ms.localizationpriority: low +ms.localizationpriority: medium --- 
 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md
index 81b5bf84d8..c92cdac5b8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Choose how to deploy Internet Explorer 11 (IE11)
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 21b6a301-c222-40bc-ad0b-27f66fc54d9d
 title: Choose how to deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
index 605f8ef5ff..0ed79bd249 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Choose how to install Internet Explorer 11 (IE11)
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 9572f5f1-5d67-483e-bd63-ffea95053481
 title: Choose how to install Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index ff584c1c9d..201c1903c2 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6
 title: Collect data using Enterprise Site Discovery
diff --git a/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md
index 36066de055..52e126df5a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how the Administrator can use the Settings page to set up Groups and roles, the Enterprise Mode Site List Portal environment, and the freeze dates for production changes.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 title: Use the Settings page to finish setting up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
 ms.sitesec: library
diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
index 18b8b34406..3d85d5801b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how to create a change request within the Enterprise Mode Site List Portal.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
 ms.sitesec: library
diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
index d740a697e0..a644d1d832 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Create packages for multiple operating systems or languages
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 44051f9d-63a7-43bf-a427-d0a0a1c717da
 title: Create packages for multiple operating systems or languages (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
index 8c69271b25..0bf4925ab6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Customize Internet Explorer 11 installation packages
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 10a14a09-673b-4f8b-8d12-64036135e7fd
 title: Customize Internet Explorer 11 installation packages (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index 13fd5539cd..4549be210a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 description: Delete a single site from your global Enterprise Mode site list.
 ms.pagetype: appcompat
 ms.mktglfcycl: deploy
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 41413459-b57f-48da-aedb-4cbec1e2981a
 title: Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md
index 89681e6c97..59bb64352d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: You can deploy Internet Explorer 11 to your users' computers by using your custom browser packages and Automatic Version Synchronization (AVS).
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: f51224bd-3371-4551-821d-1d62310e3384
 title: Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS) (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
index aa62287130..1441f5564f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Deploy Internet Explorer 11 using software distribution tools
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: fd027775-651a-41e1-8ec3-d32eca876d8a
 title: Deploy Internet Explorer 11 using software distribution tools (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
index 98d265dc2f..d6ea666402 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: You can pin websites to the Windows 8.1 taskbar for quick access using the Microsoft Deployment Toolkit (MDT) 2013.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 24f4dcac-9032-4fe8-bf6d-2d712d61cb0c
 title: Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013 (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
index ec4c251fca..57bc32ac4a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Windows Internet Explorer 8 introduced document modes as a way to move from the proprietary coding of web features to a more standardized type of coding that could run on multiple browsers and devices.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 00cb1f39-2b20-4d37-9436-62dc03a6320b
 title: Deprecated document modes and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
index c6e03cadc0..504bd09a21 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 76aa9a85-6190-4c3a-bc25-0f914de228ea
 title: Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
index a607034785..0d7ebd65fa 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
@@ -1,5 +1,5 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Enable and disable add-ons using administrative templates and group policy
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
index 4d98f914c6..5c5693833e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Enhanced Protected Mode problems with Internet Explorer
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 15890ad1-733d-4f7e-a318-10399b389f45
 title: Enhanced Protected Mode problems with Internet Explorer (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md
index b7d9399d77..6a0402921f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Use the topics in this section to learn how to set up and use Enterprise Mode, Enterprise Mode Site List Manager, and the Enterprise Mode Site List Portal for your company.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: d52ba8ba-b3c7-4314-ba14-0610e1d8456e
 title: Enterprise Mode for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
index 88711fd787..154ad6670a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 7 or Windows 8.1 Update.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 17c61547-82e3-48f2-908d-137a71938823
 title: Enterprise Mode schema v.1 guidance (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
index df6a01cb68..354fe81545 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 10.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 909ca359-5654-4df9-b9fb-921232fc05f5
 title: Enterprise Mode schema v.2 guidance (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
index 8e779574c1..88fe3e4d99 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 9ee7c13d-6fca-4446-bc22-d23a0213a95d
 title: Export your Enterprise Mode site list from the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
index c9cb13e685..99b28d4482 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: The Internet Explorer 11 Enterprise Mode site list lets you specify document modes for specific websites, helping you fix compatibility issues without changing a single line of code on the site.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 4b21bb27-aeac-407f-ae58-ab4c6db2baf6
 title: Fix web compatibility issues using document modes and the Enterprise Mode site list (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md
index 62e79b50ba..d3209fc547 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: When you add multiple sites to your Enterprise Mode site list entries, they’re validated by the Enterprise Mode Site List Manager before they’re entered into your global list.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 9f80e39f-dcf1-4124-8931-131357f31d67
 title: Fix validation problems using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
index 6292d0894b..213c9481d9 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Overview about Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 63a7ef4a-6de2-4d08-aaba-0479131e3406
 title: Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
index c0efadfe3c..35697cb576 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Overview about Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: ae3d227d-3da7-46b8-8a61-c71bfeae0c63
 title: Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md
index a6edc35240..df2143a7a8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Use the topics in this section to learn about Group Policy and how to use it to manage Internet Explorer.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 50383d3f-9ac9-4a30-8852-354b6eb9434a
 title: Group Policy and Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
index 1addebc886..b615824d04 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Group Policy, the Local Group Policy Editor, and Internet Explorer 11
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 6fc30e91-efac-4ba5-9ee2-fa77dcd36467
 title: Group Policy, the Local Group Policy Editor, and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md
index 0a51d356c8..e8069dbf48 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Group Policy suggestions for compatibility with Internet Explorer 11
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 7482c99f-5d79-4344-9e1c-aea9f0a68e18
 title: Group Policy and compatibility with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
index 61e3cff2c2..810c6ec4c0 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Overview of the available Group Policy management tools
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: e33bbfeb-6b80-4e71-8bba-1d0369a87312
 title: Group Policy management tools (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md
index 075c799add..b676409da7 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Info about Group Policy preferences versus Group Policy settings
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: f2264c97-7f09-4f28-bb5c-58ab80dcc6ee
 title: Group policy preferences and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
index e9b1487a45..96f776d73e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Links to troubleshooting topics and log files that can help address Group Policy problems with Internet Explorer 11.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 0da0d9a9-200c-46c4-96be-630e82de017b
 title: Group Policy problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
index 13c812647c..42a69458a5 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Instructions about how to create and configure shortcut preference extensions to file system objects, URLs, and shell objects.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: c6fbf990-13e4-4be7-9f08-5bdd43179b3b
 title: Group Policy, Shortcut Extensions, and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
index c262a303fd..355eac531d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Overview about how Group Policy works with Windows Powershell and Internet Explorer 11
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: e3607cde-a498-4e04-9daa-b331412967fc
 title: Group Policy, Windows Powershell, and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
new file mode 100644
index 0000000000..ad0704e0c4
--- /dev/null
+++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
@@ -0,0 +1,140 @@
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: support
+ms.pagetype: security
+description:
+author: shortpatti
+ms.author: pashort
+ms.manager: elizapo
+ms.prod: ie11
+ms.assetid:
+title: Internet Explorer 11 delivery through automatic updates
+ms.sitesec: library
+ms.date: 05/22/2018
+---
+
+# Internet Explorer 11 delivery through automatic updates
+Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates.
+
+- [Automatic updates delivery process](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#automatic-updates-delivery-process)
+
+- [Internet Explorer 11 automatic upgrades](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#internet-explorer-11-automatic-upgrades)
+
+- [Options for blocking automatic delivery](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#options-for-blocking-automatic-delivery)
+
+- [Availability of Internet Explorer 11](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#availability-of-internet-explorer-11)
+
+- [Prevent automatic installation of Internet Explorer 11 with WSUS](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#prevent-automatic-installation-of-internet-explorer-11-with-wsus)
+
+## Automatic updates delivery process
+
+Internet Explorer 11 only downloads and installs if it’s available for delivery through Automatic Updates; and Automatic Updates only offer Internet Explorer 11
+to users with local administrator accounts. User’s without local administrator accounts won’t be prompted to install the update and will continue using their
+current version of Internet Explorer.
+
+Internet Explorer 11 replaces Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10. If you decide you don’t want Internet Explorer 11, and you’re running Windows 7 SP1 or Windows Server 2008 R2 with SP1, you can uninstall it from the **View installed updates** section of the **Uninstall an update** page of the Control Panel.
+
+>[!Note]
+>If a user installs Internet Explorer 11 and then removes it, it won’t be re-offered to that computer through Automatic Updates. Instead, the user will have to manually re-install the app.
+
+## Internet Explorer 11 automatic upgrades
+
+Internet Explorer 11 is offered through Automatic Updates and Windows Update as an Important update. Users running Windows 7 SP1, who have chosen to download and install updates automatically through Windows Update, are automatically upgraded to Internet Explorer 11.
+
+Users who were automatically upgraded to Internet Explorer 11 can decide to uninstall Internet Explorer 11. However, Internet Explorer 11 will still appear as an optional update through Windows Update.
+
+## Options for blocking automatic delivery
+
+If you use Automatic Updates in your company, but want to stop your users from automatically getting Internet Explorer 11, do one of the following:
+
+- **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722).
+
+ >[!Note]
+ >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.md).
+
+- **Use an update management solution to control update deployment.**
+ If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](http://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit.
+
+ >[!Note]
+ >If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. This scenario is discussed in detail in the Knowledge Base article [here](http://support.microsoft.com/kb/946202).
+
+Additional information on Internet Explorer 11, including a Readiness Toolkit, technical overview, in-depth feature summary, and Internet Explorer 11 download is available on the [Internet Explorer 11 page of the Microsoft Edge IT Center](https://technet.microsoft.com/microsoft-edge/dn262703.aspx).
+
+## Availability of Internet Explorer 11
+
+Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the System Center Configuration Manager, Microsoft Systems Management Server, and WSUS.
+
+## Prevent automatic installation of Internet Explorer 11 with WSUS
+
+Internet Explorer 11 will be released to WSUS as an Update Rollup package. Therefore, if you’ve configured WSUS to “auto-approve” Update Rollup packages, it’ll be automatically approved and installed. To stop Internet Explorer 11 from being automatically approved for installation, you need to:
+
+1. Click **Start**, click **Administrative Tools**, and then click **Microsoft
+ Windows Server Update Services 3.0**.
+
+2. Expand *ComputerName*, and then click **Options**.
+
+3. Click **Automatic Approvals**.
+
+4.
Click the rule that automatically approves an update that is classified as + Update Rollup, and then click **Edit.** + + >[!Note] + >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. + +5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. + + >[!Note] + >The properties for this rule will resemble the following:

  • When an update is in Update Rollups
  • Approve the update for all computers
+ +6. Clear the **Update Rollup** check box, and then click **OK**. + +7. Click **OK** to close the **Automatic Approvals** dialog box.

After the new Internet Explorer 11 package is available for download, you should manually synchronize the new package to your WSUS server, so that when you re-enable auto-approval it won’t be automatically installed. + +8. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. + +9. Expand *ComputerName*, and then click **Synchronizations**. + +10. Click **Synchronize Now**. + +11. Expand *ComputerName*, expand **Updates**, and then click **All Updates**. + +12. Choose **Unapproved** in the **Approval**drop down box. + +13. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update. + + >[!Note] + >There may be multiple updates, depending on the imported language and operating system updates. + +**Optional** + +If you need to reset your Update Rollups packages to auto-approve, do this: + +1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. + +2. Expand *ComputerName*, and then click **Options**. + +3. Click **Automatic Approvals**. + +4. Click the rule that automatically approves updates of different classifications, and then click **Edit**. + +5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. + +6. Check the **Update Rollups** check box, and then click **OK**. + +7. Click **OK** to close the **Automatic Approvals** dialog box. + +>[!Note] +>Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server won’t cause this update to be auto-approved. 
+
+
+## Additional resources
+
+- [Automatic delivery process](what-is-the-internet-explorer-11-blocker-toolkit.md#automatic-delivery-process)
+
+- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722)
+
+- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
+
+- [Internet Explorer 11 delivery through automatic updates](https://technet.microsoft.com/microsoft-edge/dn449235)
+
+- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/img-enterprise-mode-site-list-xml.jpg b/browsers/internet-explorer/ie11-deploy-guide/images/img-enterprise-mode-site-list-xml.jpg
new file mode 100644
index 0000000000..0bcfd3b650
Binary files /dev/null and b/browsers/internet-explorer/ie11-deploy-guide/images/img-enterprise-mode-site-list-xml.jpg differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/img-f12-developer-tools-emulation.jpg b/browsers/internet-explorer/ie11-deploy-guide/images/img-f12-developer-tools-emulation.jpg
new file mode 100644
index 0000000000..48ed75b701
Binary files /dev/null and b/browsers/internet-explorer/ie11-deploy-guide/images/img-f12-developer-tools-emulation.jpg differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
index 609f525151..ba9aba7115 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
@@ -1,7 +1,7 @@
 ---
 description: A full-sized view of how document modes are chosen in IE11.
 title: Full-sized flowchart detailing how document modes are chosen in IE11
-author: eross-msft
+author: shortpatti
 ms.date: 04/19/2017
 ---
 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
index 886721387e..8c224e01b5 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: cacd5d68-700b-4a96-b4c9-ca2c40c1ac5f
 title: Import your Enterprise Mode site list to the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/index.md b/browsers/internet-explorer/ie11-deploy-guide/index.md
index 79150cc05c..6d5935a29b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/index.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/index.md
@@ -1,12 +1,12 @@
 ---
 ms.mktglfcycl: deploy
 description: Use this guide to learn about the several options and processes you'll need to consider while you're planning for, deploying, and customizing Internet Explorer 11 for your employee's devices.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: bddc2d97-c38d-45c5-9588-1f5bbff2e9c3
 title: Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros)
 ms.sitesec: library
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.date: 07/27/2017
 ---
 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md
index 5d114ace45..94788e4dfc 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: caca18c1-d5c4-4404-84f8-d02bc562915f
 title: Install and Deploy Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
index 9acf8fd693..c72e03d477 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to add and deploy the Internet Explorer 11 update using Microsoft Intune.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: b2dfc08c-78af-4c22-8867-7be3b92b1616
 title: Install Internet Explorer 11 (IE11) using Microsoft Intune (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
index ee56fa3c64..7d3b1213f8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to install the Internet Explorer 11 update using Microsoft Deployment Toolkit (MDT) and your Windows images.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: e16f9144-170c-4964-a62d-0d1a16f4cd1f
 title: Install Internet Explorer 11 (IE11) using Microsoft Deployment Toolkit (MDT) and your Windows images (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
index 9153cdfb6f..ce93f99c12 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: How to install the Internet Explorer 11 update using System Center 2012 R2 Configuration Manager
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 9ede9722-29b3-4cb7-956d-ffa91e7bedbd
 title: Install Internet Explorer 11 (IE11) using System Center 2012 R2 Configuration Manager (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
index 4d4a9a3cee..8d8382d64f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to install the Internet Explorer 11 update using your network
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 85f6429d-947a-4031-8f93-e26110a35828
 title: Install Internet Explorer 11 (IE11) using your network (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
index 88a9864342..bd5133b8b9 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to install the Internet Explorer 11 update using third-party tools and command-line options.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 30190c66-49f7-4ca4-8b57-a47656aa0c7e
 title: Install Internet Explorer 11 (IE11) using third-party tools (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
index 6f2a1b756b..7a95011950 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
@@ -1,8 +1,8 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy description: How to install the Internet Explorer 11 update using Windows Server Update Services (WSUS)' -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 6cbd6797-c670-4236-8423-e0919478f2ce title: Install Internet Explorer 11 (IE11) using Windows Server Update Services (WSUS) (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md index 178528e352..f1136e386c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md @@ -1,8 +1,8 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy description: How to fix potential installation problems with Internet Explorer 11 -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 3ae77745-86ac-40a9-a37d-eebbf37661a3 title: Install problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros) @@ -48,7 +48,7 @@ If you get an error during the Windows Update process, see [Fix the problem with 5. Try to reinstall IE11 from either Windows Update (if you saw it in Step 3) or from the [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=327753) website. -If these steps didn't fix your problem, see [Troubleshooting a failed installation of Internet Explorer 11](https://go.microsoft.com/fwlink/p/?LinkId=304130). +   diff --git a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md index 6912fc0568..5be58eea07 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md 
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to fix intranet search problems with Internet Explorer 11
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 3ee71d93-d9d2-48e1-899e-07932c73faa6
 title: Fix intranet search problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
index 24f70c2132..16311a42a8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for Internet Explorer.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: eb3cce62-fc7b-41e3-97b6-2916b85bcf55
 title: Manage Internet Explorer 11 (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
index 6a9333717f..563b6dee54 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: support
 description: IEM-configured settings have been deprecated for Internet Explorer 10 and newer. Use this topic to learn where to go to fix the affected settings through Group Policy Preferences, Administrative Templates (.admx), or the IEAK.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 89084e01-4e3f-46a6-b90e-48ee58d6821c
 title: Missing Internet Explorer Maintenance settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
index 02bae6d9ba..c5e09b4cfb 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: support
 description: Internet Explorer 11 uses the latest standards mode, which simplifies web page compatibility for users by removing the **Compatibility View** button and reducing the number of compatibility options in the F12 developer tools for developers.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 501c96c9-9f03-4913-9f4b-f67bd9edbb61
 title: Missing the Compatibility View Button (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
index 2bc8d0a284..bed077a506 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: support
 description: How to turn managed browser hosting controls back on in Internet Explorer 11.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: b0b7f60f-9099-45ab-84f4-4ac64d7bcb43
 title: .NET Framework problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
index c484e544ab..d365ac1e78 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: New group policy settings for Internet Explorer 11
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 669cc1a6-e2cb-403f-aa31-c1de52a615d1
 title: New group policy settings for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
index 7bd0c006f9..66a5d8b70b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
@@ -1,14 +1,15 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy ms.pagetype: security description: Use out-of-date ActiveX control blocking to help you know when IE prevents a webpage from loading outdated ActiveX controls and to update the outdated control, so that it’s safer to use. -author: eross-msft +author: shortpatti +ms.author: pashort ms.prod: ie11 ms.assetid: e61866bb-1ff1-4a8d-96f2-61d3534e8199 title: Out-of-date ActiveX control blocking (Internet Explorer 11 for IT Pros) ms.sitesec: library -ms.date: 07/27/2017 +ms.date: 05/10/2018 --- @@ -47,7 +48,8 @@ It also works with these operating system and IE combinations: |Windows Server 2008 SP2 |Windows Internet Explorer 9 only | |Windows Vista SP2 |Windows Internet Explorer 9 only | -For more info about this new feature, see the [Internet Explorer begins blocking out-of-date ActiveX controls](https://go.microsoft.com/fwlink/p/?LinkId=507691) blog. To see the complete list of out-of-date Active controls blocked by this feature, see [Blocked out-of-date ActiveX controls](https://go.microsoft.com/fwlink/p/?LinkId=517023). +For more info about this new feature, see the [Internet Explorer begins blocking out-of-date ActiveX controls](https://go.microsoft.com/fwlink/p/?LinkId=507691) blog. To see the complete list of out-of-date Active controls blocked by this feature, see [Blocked out-of-date ActiveX controls](blocked-out-of-date-activex-controls.md). + ## What does the out-of-date ActiveX control blocking notification look like? When IE blocks an outdated ActiveX control, you’ll see a notification bar similar to this, depending on your version of IE: 
@@ -101,7 +103,7 @@ reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVe Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. Use this configuration option at your own risk. ## Out-of-date ActiveX control blocking on managed devices -Out-of-date ActiveX control blocking includes 4 new Group Policy settings that you can use to manage your web browser configuration, based on your domain controller. You can download the administrative templates, including the new settings, from the [Administrative templates (.admx) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=746579) page or the [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) page, depending on your operating system. +Out-of-date ActiveX control blocking includes four new Group Policy settings that you can use to manage your web browser configuration, based on your domain controller. You can download the administrative templates, including the new settings, from the [Administrative templates (.admx) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=746579) page or the [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) page, depending on your operating system. ### Group Policy settings Here’s a list of the new Group Policy info, including the settings, location, requirements, and Help text strings. All of these settings can be set in either the Computer Configuration or User Configuration scope, but Computer Configuration takes precedence over User Configuration. 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
index 39ff7286c9..9e8959e2a9 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: support
 description: Possible solutions to the problems you might encounter after installing IE11, such as crashing or seeming slow, getting into an unusable state, or problems with adaptive streaming and DRM playback.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: c4b75ad3-9c4a-4dd2-9fed-69f776f542e6
 title: Problems after installing Internet Explorer 11 (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index 963880eb75..e63c2475a6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Instructions about how to clear all of the sites from your global Enterprise Mode site list.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 90f38a6c-e0e2-4c93-9a9e-c425eca99e97
 title: Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
index 546fe2133e..5037f6fe3c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Instructions about how to remove sites from a local compatibility view list.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: f6ecaa75-ebcb-4f8d-8721-4cd6e73c0ac9
 title: Remove sites from a local compatibility view list (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
index 8b15e9ddd5..05a2e285bb 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Instructions about how to remove sites from a local Enterprise Mode site list.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: c7d6dd0b-e264-42bb-8c9d-ac2f837018d2
 title: Remove sites from a local Enterprise Mode site list (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
index 7ec1867c5b..d6bba6d3d8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 254a986b-494f-4316-92c1-b089ee8b3e0a
 title: Save your site list to XML in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
index f49ad80a75..06af735490 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how Administrators can schedule approved change requests for production in the Enterprise Mode Site List Portal.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 title: Schedule approved change requests for production using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
 ms.sitesec: library
diff --git a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index 5292cf3570..d4ac172352 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Search to see if a specific site already appears in your global Enterprise Mode site list.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: e399aeaf-6c3b-4cad-93c9-813df6ad47f9
 title: Search your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
index 899c3da6e3..cd31220caa 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Use the Group Policy setting, Set a default associations configuration file, to set the default browser for your company devices running Windows 10.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: f486c9db-0dc9-4cd6-8a0b-8cb872b1d361
 title: Set the default browser using Group Policy (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
index bfb9659bd0..8653264774 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Set up and turn on Enterprise Mode logging and data collection in your organization.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 2e98a280-f677-422f-ba2e-f670362afcde
 title: Set up Enterprise Mode logging and data collection (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
index 0aca62e070..bb8a401b5c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how to set up the Enterprise Mode Site List Portal for your organization.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 title: Set up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
 ms.sitesec: library
diff --git a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
index a5f7888b6a..55f9bcfe0a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: support
 ms.pagetype: appcompat
 description: Reviewing log files to learn more about potential setup problems with Internet Explorer 11.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 2cd79988-17d1-4317-bee9-b3ae2dd110a0
 title: Setup problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
index c756e654f2..212f8f717a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Lists the minimum system requirements and supported languages for Internet Explorer 11.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 27185e3d-c486-4e4a-9c51-5cb317c0006d
 title: System requirements and language support for Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
@@ -24,7 +24,7 @@ ms.date: 07/27/2017 Internet Explorer 11 is available for a number of systems and languages. This topic provides info about the minimum system requirements and language support. ## Minimum system requirements for IE11 -IE11 is pre-installed on Windows 8.1 and Windows Server 2012 R2 and is listed here for reference. It's also supported on Windows 10, but isn't pre-installed. For more info about IE11 on Windows 10, see [Browser: Microsoft Edge and Internet Explorer 11](https://technet.microsoft.com/library/mt156988.aspx). +IE11 is pre-installed on Windows 8.1, Windows 10, and Windows Server 2012 R2 and is listed here for reference. For more info about IE11 on Windows 10, see [Browser: Microsoft Edge and Internet Explorer 11](https://technet.microsoft.com/library/mt156988.aspx). **Important**
  IE11 isn't supported on Windows 8 or Windows Server 2012. diff --git a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md new file mode 100644 index 0000000000..de391cfd69 --- /dev/null +++ b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md 
@@ -0,0 +1,133 @@ +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Find out how to achieve better backward compatibility for your legacy web applications with the Enterprise Mode Site List. +author: shortpatti +ms.author: pashort +ms.prod: ie11 +ms.assetid: +title: Tips and tricks to manage Internet Explorer compatibility +ms.sitesec: library +ms.date: 05/10/2018 +--- + +# Tips and tricks to manage Internet Explorer compatibility + +Find out how to achieve better backward compatibility for your legacy web applications with the Enterprise Mode Site List. + +Jump to: +- [Tips for IT professionals](#tips-for-it-professionals) +- [Tips for web developers](#tips-for-web-developers) + +[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md) can be very effective in providing backward compatibility for older web apps. The Enterprise Mode Site List includes the ability to put any web app in any document mode, include IE8 and IE7 Enterprise Modes, without changing a single line of code on the website. + +![Internet Explorer Enterprise Modes and document modes](images/img-enterprise-mode-site-list-xml.jpg) + +Sites in the \ section can be rendered in any document mode, as shown in blue above. Some sites designed for older versions of Internet Explorer may require better backward compatibility, and these can leverage the \ section of the Enterprise Mode Site List. IE8 Enterprise Mode provides higher-fidelity emulation for Internet Explorer 8 by using, among other improvements, the original Internet Explorer 8 user agent string. IE7 Enterprise Mode further improves emulation by adding Compatibility View. + +Compatibility View, first introduced with Internet Explorer 8, is basically a switch. If a webpage has no DOCTYPE, that page will be rendered in Internet Explorer 5 mode. If there is a DOCTYPE, the page will be rendered in Internet Explorer 7 mode. 
You can effectively get Compatibility View by specifying Internet Explorer 7 in the \ section, as this falls back to Internet Explorer 5 automatically if there's no DOCTYPE, or you can use IE7 Enterprise Mode for even better emulation. + +## Tips for IT professionals + +### Inventory your sites + +Upgrading to a new browser can be a time-consuming and potentially costly venture. To help reduce these costs, you can download the [Enterprise Site Discovery Toolkit](https://www.microsoft.com/download/details.aspx?id=44570), which can help you prioritize which sites you should be testing based on their usage in your enterprise. For example, if the data shows that no one is visiting a particular legacy web app, you may not need to test or fix it. The toolkit is supported on Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. The toolkit also gives you information about which document mode a page runs in your current browser so you can better understand how to fix that site if it breaks in a newer version of the browser. + +Once you know which sites to test and fix, the following remediation methods may help fix your compatibility issues in Internet Explorer 11 and Windows 10. + +### If you're on Internet Explorer 8 and upgrading to Internet Explorer 11: + +Use the Enterprise Mode Site List to add sites to the Internet Explorer 5, Internet Explorer 7, and Internet Explorer 8 documents modes, as well as IE8 Enterprise Mode and IE7 Enterprise Mode. + +- Sites with the *x-ua-compatible* meta tag or HTTP header set to "IE=edge" may break in Internet Explorer 11 and need to be set to Internet Explorer 8 mode. This is because "edge" in Internet Explorer 8 meant Internet Explorer 8 mode, but "edge" in Internet Explorer 11 means Internet Explorer 11 mode. 
+ +- Sites without a DOCTYPE in zones other than Intranet will default to QME (or "interoperable quirks") rather than Internet Explorer 5 Quirks and may need to be set to Internet Explorer 5 mode. + +- Some sites may need to be added to both Enterprise Mode and Compatibility View to work. You can do this by adding the site to IE7 Enterprise Mode. + +### If you're on Internet Explorer 9 and upgrading to Internet Explorer 11: + +Use the Enterprise Mode Site List to add sites to the Internet Explorer 5, Internet Explorer 7, and Internet Explorer 9 document modes. + +- Sites with the *x-ua-compatible* meta tag or HTTP header set to "IE=edge" may break in Internet Explorer 11 and need to be set to Internet Explorer 9 mode. This is because "edge" in Internet Explorer 9 meant Internet Explorer 9 mode, but "edge" in Internet Explorer 11 means Internet Explorer 11 mode. + +- Sites without a DOCTYPE in zones other than Intranet will default to Interoperable Quirks rather than Internet Explorer 5 Quirks and may need to be set to Internet Explorer 5 mode. + +- If your sites worked in Internet Explorer 9, you won't need IE8 Enterprise Mode or IE7 Enterprise Mode. + +### If you're on Internet Explorer 10 and upgrading to Internet Explorer 11: + +Use the Enterprise Mode Site List to add sites to the Internet Explorer 5, Internet Explorer 7, and Internet Explorer 10 modes. + +- Sites with the *x-ua-compatible* meta tag or HTTP header set to "IE=edge" may break in Internet Explorer 11 and need to be set to Internet Explorer 10 mode. This is because "edge" in Internet Explorer 10 meant Internet Explorer 10 mode, but "edge" in Internet Explorer 11 means Internet Explorer 11 mode. + +- If your sites worked in Internet Explorer 10, you won't need IE8 Enterprise Mode or IE7 Enterprise Mode. + +### If you're on Internet Explorer 11 and upgrading to Windows 10: + +You're all set! You shouldn’t need to make any changes. 
+ +## Tips for web developers + +If your website worked in an older version of Internet Explorer, but no longer works in Internet Explorer 11, you may need to update the site. Here are the set of steps you should take to find the appropriate remediation strategy. + +### Try document modes + +To see if the site works in the Internet Explorer 5, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, or Internet Explorer 11 document modes: + +- Open the site in Internet Explorer 11, load the F12 tools by pressing the **F12** key or by selecting **F12 Developer Tools** from the **Tools** menu, and select the **Emulation** tab. + + ![F12 Developer Tools Emulation tab](images/img-f12-developer-tools-emulation.jpg) + +- Run the site in each document mode until you find the mode in which the site works. + + >[!NOTE] + >You will need to make sure the User agent string dropdown matches the same browser version as the Document mode dropdown. For example, if you were testing to see if the site works in Internet Explorer 10, you should update the Document mode dropdown to 10 and the User agent string dropdown to Internet Explorer 10. + +- If you find a mode in which your site works, you will need to add the site domain, sub-domain, or URL to the Enterprise Mode Site List for the document mode in which the site works, or ask the IT administrator to do so. You can add the *x-ua-compatible* meta tag or HTTP header as well. + +### Try IE8 Enterprise Mode + +If a document mode didn't fix your site, try IE8 Enterprise Mode, which benefits sites written for Internet Explorer 5, Internet Explorer 7, and Internet Explorer 8 document modes. + +- Enable the **Let users turn on and use Enterprise Mode from the Tools menu** policy locally on your machine. To do this: + + - Search for and run **gpedit.msc** + + - Navigate to **Computer Configuration** \> **Administrative Template** \> **Windows Components** \> **Internet Explorer**. 
+ + - Enable the **Let users turn on and use Enterprise Mode from the Tools menu** Group Policy setting. + + After making this change, run **gpupdate.exe /force** to make sure the setting is applied locally. You should also make sure to disable this setting once you're done testing. Alternately, you can use a regkey; see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) for more information. + +- Restart Internet Explorer 11 and open the site you're testing, then go to **Emulation** tab in the **F12 Developer Tools** and select **Enterprise** from the **Browser profile** dropdown. If the site works, inform the IT administrator that the site needs to be added to the IE8 Enterprise Mode section. + +### Try IE7 Enterprise Mode + +If IE8 Enterprise Mode doesn't work, IE7 Enterprise Mode will give you the Compatibility View behavior that shipped with Internet Explorer 8 with Enterprise Mode. To try this approach: + +- Go to the **Tools** menu, select **Compatibility View Settings**, and add the site to the list. + +- Go to **Emulation** tab in the **F12 Developer Tools** and select **Enterprise** from the **Browser profile** dropdown. + +If the site works, inform the IT administrator that the site needs to be added to the IE7 Enterprise Mode section.\ + +>[!NOTE] +>Adding the same Web path to the Enterprise Mode and sections of the Enterprise Mode Site List will not work, but we will address this in a future update. + +### Update the site for modern web standards + +We recommend that enterprise customers focus their new development on established, modern web standards for better performance and interoperability across devices, and avoid developing sites in older Internet Explorer document modes. 
We often hear that, due to fact that the Intranet zone defaults to Compatibility View, web developers inadvertently create new sites in the Internet Explorer 7 or Internet Explorer 5 modes in the Intranet zone, depending on whether or not they used a DOCTYPE. As you move your web apps to modern standards, you can enable the **Turn on Internet Explorer Standards Mode for local intranet** Group Policy setting and add those sites that need Internet Explorer 5 or Internet Explorer 7 modes to the Site List. Of course, it is always a good idea to test the app to ensure that these settings work for your environment. + +## Related resources + +- [Document modes](https://msdn.microsoft.com/library/dn384051(v=vs.85).aspx) +- [What is Enterprise Mode?](what-is-enterprise-mode.md) +- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) +- [Enterprise Site Discovery Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=44570) +- [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) +- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md index 145aa1c678..7e28e38f9f 100644 
--- a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: support
 description: Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with Internet Explorer.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 0361c1a6-3faa-42b2-a588-92439eebeeab
 title: Troubleshoot Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
index 12a4ee7ffd..53ac1a4017 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: How to turn Enteprrise Mode off temporarily while testing websites and how to turn it off completely if you no longer want to to use it.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 5027c163-71e0-49b8-9dc0-f0a7310c7ae3
 title: Turn off Enterprise Mode (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
index 15e7a25f21..c98c3e7c5b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
@@ -1,8 +1,8 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: support description: Turn off natural metrics for Internet Explorer 11 -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: e31a27d7-662e-4106-a3d2-c6b0531961d5 title: Fix font rendering problems by turning off natural metrics (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md index c84927f98c..a46290559e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md @@ -6,10 +6,10 @@ ms.prod: ie11 ms.mktglfcycl: deploy ms.pagetype: appcompat ms.sitesec: library -author: eross-msft -ms.author: lizross +author: shortpatti +ms.author: pashort ms.date: 08/14/2017 -ms.localizationpriority: low +ms.localizationpriority: medium diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md index 0f5ff8d1f9..ea5b7d450b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md @@ -1,9 +1,9 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy ms.pagetype: appcompat description: Turn on local user control and logging for Enterprise Mode. -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 6622ecce-24b1-497e-894a-e1fd5a8a66d1 title: Turn on local control and logging for Enterprise Mode (Internet Explorer 11 for IT Pros) 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
index 9d2835bb5e..2d64e28d56 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: High-level info about some of the new and updated features for Internet Explorer 11.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: f53c6f04-7c60-40e7-9fc5-312220f08156
 title: List of updated features and tools - Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
index d57c5f411b..0da4b5a228 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
@@ -1,5 +1,5 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Portal.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
index 166e02285f..9abbcb8a09 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Manager.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b
 title: Use the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
index 1db6c00d44..907b26056e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: support
 description: Info about where features went in the IEAK11, where the Favorites, Command, and Status bars went, and where the search bar went.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 7324faff-ccb6-4e14-ad91-af12dbca575e
 title: User interface problems with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
index 313a07e8e8..14c7b096ac 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Use this section to learn about how to turn on and use IE7 Enterprise Mode or IE8 Enterprise Mode.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 238ead3d-8920-429a-ac23-02f089c4384a
 title: Using IE7 Enterprise Mode or IE8 Enterprise Mode (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
index b86a7c45c5..f4d86e9b12 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to use IEAK 11 while planning, customizing, and building the custom installation package.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: af93742f-f955-44ab-bfa2-7bf0c99045d3
 title: Using Internet Explorer Administration Kit 11 (IEAK 11) to create packages (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
index 16d9272749..1ccb850f60 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to use Setup Information (.inf) files to create installation packages.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 04fa2ba8-8d84-4af6-ab99-77e4f1961b0e
 title: Using Setup Information (.inf) files to create packages (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
index 94de88ee4e..3f67e92d70 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how to make sure your change request info is accurate within the pre-production environment of the Enterprise Mode Site List Portal.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
 ms.sitesec: library
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
index 00fb099e3f..66e6178858 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how the Requester makes sure that the change request update is accurate within the production environment using the Enterprise Mode Site List Portal.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 title: Verify the change request update in the production environment using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
 ms.sitesec: library
diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
index 29d1d8afe9..af5ebf2e29 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how to view the active Enterprise Mode Site List from the Enterprise Mode Site List Portal.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 title: View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
 ms.sitesec: library
diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
index f7407d28f6..942409e353 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how an Administrator can view the available Enterprise Mode reports from the Enterprise Mode Site List Portal.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 title: View the available Enterprise Mode reports from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
 ms.sitesec: library
diff --git a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
index f1e4f5365d..d62ac7df09 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
@@ -1,9 +1,9 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.pagetype: virtualization
 description: Virtualization and compatibility with Internet Explorer 11
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: b0388c04-2584-4b6d-a7a8-4e0476773a80
 title: Virtualization and compatibility with Internet Explorer 11 (Internet Explorer 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
index 7c4b70d2bf..bd859900d1 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
@@ -1,9 +1,9 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy ms.pagetype: appcompat description: Info about the features included in Enterprise Mode with Internet Explorer 11. -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 3c77e9f3-eb21-46d9-b5aa-f9b2341cfefa title: Enterprise Mode and the Enterprise Mode Site List (Internet Explorer 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md index ea04329097..9809598bf3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md @@ -1,14 +1,16 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: support ms.pagetype: security description: How to download and use the Internet Explorer 11 Blocker Toolkit to turn off the automatic delivery of IE11 through the Automatic Updates feature of Windows Update. -author: eross-msft +author: shortpatti +ms.author: pashort +ms.manager: elizapo ms.prod: ie11 ms.assetid: fafeaaee-171c-4450-99f7-5cc7f8d7ba91 title: What is the Internet Explorer 11 Blocker Toolkit? (Internet Explorer 11 for IT Pros) ms.sitesec: library -ms.date: 07/27/2017 +ms.date: 05/10/2018 --- @@ -24,14 +26,14 @@ ms.date: 07/27/2017 The Internet Explorer 11 Blocker Toolkit lets you turn off the automatic delivery of IE11 through the **Automatic Updates** feature of Windows Update. -**Important**
-The IE11 Blocker Toolkit doesn't stop users from manually installing IE11 from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?linkid=327753). Also, even if you've installed previous versions of the toolkit before, like for Internet Explorer 10, you still need to install this version to prevent the installation of IE11. +>[!IMPORTANT] +>The IE11 Blocker Toolkit does not stop users from manually installing IE11 from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?linkid=327753). Also, even if you have installed previous versions of the toolkit before, like for Internet Explorer 10, you still need to install this version to prevent the installation of IE11. - **To install the toolkit** +## Install the toolkit 1. Download the IE11 Blocker Toolkit from [Toolkit to Disable Automatic Delivery of Internet Explorer 11](https://go.microsoft.com/fwlink/p/?LinkId=327745). -2. Accept the license agreement and store the included 4 files on your local computer. +2. Accept the license agreement and store the included four files on your local computer. 3. Start an elevated Command Prompt by going to **Start**>**All Programs**>**Accessories**> right-clicking on **Command Prompt**, and then choosing **Run as Administrator**. 
@@ -44,9 +46,105 @@ Wait for the message, **Blocking deployment of IE11 on the local machine. The op For answers to frequently asked questions, see [Internet Explorer 11 Blocker Toolkit: Frequently Asked Questions](https://go.microsoft.com/fwlink/p/?LinkId=314063). -  +## Automatic updates +Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates. -  +### Automatic delivery process +Internet Explorer 11 only downloads and installs if it’s available for delivery through Automatic Updates; and Automatic Updates only offer Internet Explorer 11 to users with local administrator accounts. User’s without local administrator accounts won’t be prompted to install the update and will continue using their current version of Internet Explorer. + +Internet Explorer 11 replaces Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10. If you decide you don’t want Internet Explorer 11, and you’re running Windows 7 SP1 or Windows Server 2008 R2 with SP1, you can uninstall it from the **View installed updates** section of the **Uninstall an update** page of the Control Panel.  + +### Internet Explorer 11 automatic upgrades + +Internet Explorer 11 is offered through Automatic Updates and Windows Update as an Important update. Users running Windows 7 SP1, who have chosen to download and install updates automatically through Windows Update, are automatically upgraded to Internet Explorer 11. 
+ +Users who were automatically upgraded to Internet Explorer 11 can decide to uninstall Internet Explorer 11. However, Internet Explorer 11 will still appear as an optional update through Windows Update. + +### Options for blocking automatic delivery + +If you use Automatic Updates in your company, but want to stop your users from automatically getting Internet Explorer 11, do one of the following: + +- **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). + + >[!NOTE] + >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](#faq). + +- **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](http://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit. + +>[!NOTE] +>If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. + + +### Prevent automatic installation of Internet Explorer 11 with WSUS + +Internet Explorer 11 will be released to WSUS as an Update Rollup package. 
Therefore, if you’ve configured WSUS to “auto-approve” Update Rollup packages, it’ll be automatically approved and installed. To stop Internet Explorer 11 from being automatically approved for installation, you need to: + +1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. + +2. Expand *ComputerName*, and then click **Options**. + +3. Click **Automatic Approvals**. + +4. Click the rule that automatically approves an update that is classified as Update Rollup, and then click **Edit.** + + >[!NOTE] + >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. + +5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. + + >[!NOTE] + >The properties for this rule will resemble the following:

  • When an update is in Update Rollups
  • Approve the update for all computers
+ +6. Clear the **Update Rollup** check box, and then click **OK**. + +7. Click **OK** to close the **Automatic Approvals** dialog box. + +After the new Internet Explorer 11 package is available for download, you should manually synchronize the new package to your WSUS server, so that when you re-enable auto-approval it won’t be automatically installed. + +1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. + +2. Expand *ComputerName*, and then click **Synchronizations**. + +3. Click **Synchronize Now**. + +4. Expand *ComputerName*, expand **Updates**, and then click **All Updates**. + +5. Choose **Unapproved** in the **Approval**drop down box. + +6. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update. + +>[!NOTE] +>There may be multiple updates, depending on the imported language and operating system updates. + +### Optional - Reset update rollups packages to auto-approve + +1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. + +2. Expand *ComputerName*, and then click **Options**. + +3. Click **Automatic Approvals**. + +4. Click the rule that automatically approves updates of different classifications, and then click **Edit**. + +5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. + +6. Check the **Update Rollups** check box, and then click **OK**. + +7. Click **OK** to close the **Automatic Approvals** dialog box. + +>[!NOTE] +>Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server won’t cause this update to be auto-approved. 
+## Additional resources + +- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722) + +- [Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions](../ie11-faq/faq-ie11-blocker-toolkit.md) + +- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11) + +- [Internet Explorer 11 delivery through automatic updates](ie11-delivery-through-automatic-updates.md) + +- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index) diff --git a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md index 02d3275c5c..e63b48ab92 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md @@ -1,9 +1,9 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy ms.pagetype: appcompat description: Use the topics in this section to learn how to perform all of the workflow-related processes in the Enterprise Mode Site List Portal. -author: eross-msft +author: shortpatti ms.prod: ie11 title: Workflow-based processes for employees using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) ms.sitesec: library diff --git a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md index 9d9574cd8a..4d0aae1968 100644 --- a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md +++ b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md 
@@ -1,8 +1,8 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: explore description: Frequently asked questions about Internet Explorer 11 for IT Pros -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 140e7d33-584a-44da-8c68-6c1d568e1de3 title: Internet Explorer 11 - FAQ for IT Pros (Internet Explorer 11 for IT Pros) @@ -114,18 +114,11 @@ IE11 includes all of the previous Group Policy settings you've used to manage an For more information, see [New group policy settings for IE11](../ie11-deploy-guide/new-group-policy-settings-for-ie11.md). -**Q: Is there a version of the Internet Explorer Administration Kit (IEAK) supporting IE11?**
-Yes. The Internet Explorer Administration Kit 11 (IEAK 11) is available for download. IEAK 11 lets you create custom versions of IE11 for use in your organization. For more information, see the following resources: - -- [Internet Explorer Administration Kit Information and Downloads](https://go.microsoft.com/fwlink/p/?LinkId=214250) on the Internet Explorer TechCenter. - -- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) **Q: Where can I get more information about IE11 for IT pros?**
Visit the [Springboard Series for Microsoft Browsers](https://go.microsoft.com/fwlink/p/?LinkId=313191) webpage on TechNet. -**Q: Is there a version of the Internet Explorer Blocker Toolkit that will prevent automatic installation of IE11?**
-Yes. The IE11 Blocker Toolkit is available for download. For more information, see [Toolkit to Disable Automatic Delivery of IE11](https://go.microsoft.com/fwlink/p/?LinkId=328195) on the Microsoft Download Center. + **Q: Can I customize settings for IE on Windows 8.1?**
Settings can be customized in the following ways: 
@@ -145,8 +138,62 @@ Group Policy settings can be set to open either IE or Internet Explorer for the |Always in IE11 |Links always open in IE. | |Always in Internet Explorer for the desktop |Links always open in Internet Explorer for the desktop. | + +**Q. Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?** +Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. + +IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center: +| | | | +|---------|---------|---------| +|[English](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | +|[Arabic](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) | +|[Czech](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) | 
+|[Finnish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) | +|[Hebrew](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) | +|[Japanese](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | +|[Portuguese (Brazil)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | +|[Spanish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | + + + + +**Q. What are the different modes available for the Internet Explorer Customization Wizard?** +The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. 
For more information on IEAK Customization Wizard modes, see [Determine the licensing version and features to use in IEAK 11](../ie11-ieak/licensing-version-and-features-ieak11.md). + +The following table displays which pages are available in IEAK 11, based on the licensing mode: + +| **Wizard Pages** | **External** | **Internal** | +|-------------------------------------------|--------------|--------------| +| Welcome to the IEAK | Yes | Yes | +| File Locations | Yes | Yes | +| Platform Selection | Yes | Yes | +| Language Selection | Yes | Yes | +| Package Type Selection | Yes | Yes | +| Feature Selection | Yes | Yes | +| Automatic Version Synchronization | Yes | Yes | +| Custom Components | Yes | Yes | +| Corporate Install | No | Yes | +| User Experience | No | Yes | +| Browser User Interface | Yes | Yes | +| Search Providers | Yes | Yes | +| Important URLs - Home page and Support | Yes | Yes | +| Accelerators | Yes | Yes | +| Favorites, Favorites Bar, and Feeds | Yes | Yes | +| Browsing Options | No | Yes | +| First Run Wizard and Welcome Page Options | Yes | Yes | +| Compatibility View | Yes | Yes | +| Connection Manager | Yes | Yes | +| Connection Settings | Yes | Yes | +| Automatic Configuration | No | Yes | +| Proxy Settings | Yes | Yes | +| Security and Privacy Settings | No | Yes | +| Add a Root Certificate | Yes | No | +| Programs | Yes | Yes | +| Additional Settings | No | Yes | +| Wizard Complete | Yes | Yes | + + ## Related topics - [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643) - [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md) -- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) - +- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) \ No newline at end of file 
diff --git a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
new file mode 100644
index 0000000000..3bba45984c
--- /dev/null
+++ b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
@@ -0,0 +1,118 @@ +--- +ms.localizationpriority: medium +ms.mktglfcycl: explore +description: Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit. +author: shortpatti +ms.author: pashort +ms.prod: ie11 +ms.assetid: +title: Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions +ms.sitesec: library +ms.date: 05/10/2018 +--- + +# Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions + +Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit. + +>[!Important] +>If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment. + +- [Automatic updates delivery process]() + +- [How the Internet Explorer 11 Blocker Toolkit works]() + +- [Internet Explorer 11 Blocker Toolkit and other update services]() + +## Automatic Updates delivery process + + +**Q. Which users will receive Internet Explorer 11 as an important update?** +A. Users running either Windows 7 with Service Pack 1 (SP1) or the 64-bit version of Windows Server 2008 R2 with Service Pack 1 (SP1) will receive Internet Explorer 11 as an important update, if Automatic Updates are turned on. Windows Update is manually run. Automatic Updates will automatically download and install the Internet Explorer 11 files if it’s turned on. For more information about how Internet Explorer works with Automatic Updates and information about other deployment blocking options, see [Internet Explorer 11 Delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md). + +**Q. When is the Blocker Toolkit available?** +A. 
The Blocker Toolkit is currently available from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). + +**Q. What tools can I use to manage Windows Updates and Microsoft Updates in my company?** +A. We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You can also use the more advanced configuration management tool, [System Center 2012 Configuration Manager](https://technet.microsoft.com/library/gg682041.aspx). + +**Q. How long does the blocker mechanism work?** +A. The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts as long as the registry key value isn’t removed or changed. + +**Q. Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why can’t I just disable all of Automatic Updates?** +A. Automatic Updates provide you with ongoing critical security and reliability updates. Turning this feature off can leave your computers more vulnerable. Instead, we suggest that you use an update management solution, such as WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your user’s computers. + +The Internet Explorer 11 Blocker Toolkit safely allows Internet Explorer 11 to download and install in companies that can’t use WSUS, Configuration Manager, or +other update management solution. + +**Q. Why don’t we just block URL access to Windows Update or Microsoft Update?** +A. 
Blocking the Windows Update or Microsoft Update URLs also stops delivery of critical security and reliability updates for all of the supported versions of the Windows operating system; leaving your computers more vulnerable. + +How the Internet Explorer 11 Blocker Toolkit works + +**Q. How should I test the Internet Explorer 11 Blocker Toolkit in my company?** +A. Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additional impact or side effects to your environment. No additional testing should be necessary. + +**Q. What’s the registry key used to block delivery of Internet Explorer 11?** +A. HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0 + +**Q. What’s the registry key name and values?** +The registry key name is **DoNotAllowIE11**, where: + +- A value of **1** turns off the automatic delivery of Internet Explorer 11 using Automatic Updates and turns off the Express install option. + +- Not providing a registry key, or using a value of anything other than **1**, lets the user install Internet Explorer 11 through Automatic Updates or a + manual update. + +**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11?** +A. No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users can still download and install Internet Explorer 11 from the Microsoft Download Center or from external media. + +**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11?** +A. Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. + +**Q. How does the provided script work?** +A. 
The script accepts one of two command line options: + +- **Block:** Creates the registry key that stops Internet Explorer 11 from installing through Automatic Updates. + +- **Unblock:** Removes the registry key that stops Internet Explorer 11 from installing through Automatic Updates. + +**Q. What’s the ADM template file used for?** +A. The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company. + +**Q. Is the tool localized?** +A. No. The tool isn’t localized, it’s only available in English (en-us). However, it does work, without any modifications, on any language edition of the supported operating systems. + +## Internet Explorer 11 Blocker Toolkit and other update services + +**Q: Is there a version of the Internet Explorer Blocker Toolkit that will prevent automatic installation of IE11?**
+Yes. The IE11 Blocker Toolkit is available for download. For more information, see [Toolkit to Disable Automatic Delivery of IE11](https://go.microsoft.com/fwlink/p/?LinkId=328195) on the Microsoft Download Center. + +**Q. Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like WSUS?** +A. No. You can still deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies that don’t use upgrade management solutions. + +**Q. If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company?** +A. You only need to change your settings if: + +- You use WSUS to manage updates and allow auto-approvals for Update Rollup installation. + + -and- + +- You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed. + + -and- + +- You don’t want to upgrade your older versions of Internet Explorer to Internet Explorer 11 right now. + +If these scenarios apply to your company, see [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) for more information on how to prevent automatic installation. + + +## Additional resources + +- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722) + +- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11) + +- [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) + +- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index) 
diff --git a/browsers/internet-explorer/ie11-faq/faq-ieak11.md b/browsers/internet-explorer/ie11-faq/faq-ieak11.md
new file mode 100644
index 0000000000..3798a051af
--- /dev/null
+++ b/browsers/internet-explorer/ie11-faq/faq-ieak11.md
@@ -0,0 +1,117 @@
+---
+ms.localizationpriority: medium
+ms.mktglfcycl: support
+ms.pagetype: security
+description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
+author: shortpatti
+ms.author: pashort
+ms.manager: elizapo
+ms.prod: ie11
+ms.assetid:
+title: IEAK 11 - Frequently Asked Questions
+ms.sitesec: library
+ms.date: 05/10/2018
+---
+
+# IEAK 11 - Frequently Asked Questions
+
+Get answers to commonly asked questions about the Internet Explorer Administration Kit 11 (IEAK 11), and find links to additional material you might find helpful.
+
+**What is IEAK 11?**
+
+IEAK 11 enables you to customize, brand, and distribute customized Internet Explorer 11 browser packages across an organization. Download the kit from the [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md).
+
+**What are the supported operating systems?**
+
+You can customize and install IEAK 11 on the following supported operating systems:
+
+- Windows 8
+
+- Windows Server 2012
+
+- Windows 7 Service Pack 1 (SP1)
+
+- Windows Server 2008 R2 Service Pack 1 (SP1)
+
+>[!Note]
+>IEAK 11 does not support building custom packages for Windows RT.
+  
+
+**What can I customize with IEAK 11?**
+
+The IEAK 11 enables you to customize branding and settings for Internet Explorer 11. For PCs running Windows 7, the custom package also includes the Internet Explorer executable.
+
+>[!Note]
+>Internet Explorer 11 is preinstalled on PCs running Windows 8. Therefore, the executable is not included in the customized package.
+
+**Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?**
+Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard.
+
+>[!Note]
+>IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. To download IEAK 11, see [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md).
+
+**Q: Is there a version of the Internet Explorer Administration Kit (IEAK) supporting IE11?**
+Yes. The Internet Explorer Administration Kit 11 (IEAK 11) is available for download. IEAK 11 lets you create custom versions of IE11 for use in your organization. For more information, see the following resources:
+
+- [Internet Explorer Administration Kit Information and Downloads](https://go.microsoft.com/fwlink/p/?LinkId=214250) on the Internet Explorer TechCenter.
+
+- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)
+
+**What are the different modes available for the Internet Explorer Customization Wizard?**
+The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. For more information on IEAK Customization Wizard modes, see [What IEAK can do for you](../ie11-ieak/what-ieak-can-do-for-you.md).
+
+The following table displays which pages are available in IEAK 11, based on the licensing mode:
+
+| **Wizard Pages** | **External** | **Internal** |
+|-------------------------------------------|--------------|--------------|
+| Welcome to the IEAK | Yes | Yes |
+| File Locations | Yes | Yes |
+| Platform Selection | Yes | Yes |
+| Language Selection | Yes | Yes |
+| Package Type Selection | Yes | Yes |
+| Feature Selection | Yes | Yes |
+| Automatic Version Synchronization | Yes | Yes |
+| Custom Components | Yes | Yes |
+| Corporate Install | No | Yes |
+| User Experience | No | Yes |
+| Browser User Interface | Yes | Yes |
+| Search Providers | Yes | Yes |
+| Important URLs - Home page and Support | Yes | Yes |
+| Accelerators | Yes | Yes |
+| Favorites, Favorites Bar, and Feeds | Yes | Yes |
+| Browsing Options | No | Yes |
+| First Run Wizard and Welcome Page Options | Yes | Yes |
+| Compatibility View | Yes | Yes |
+| Connection Manager | Yes | Yes |
+| Connection Settings | Yes | Yes |
+| Automatic Configuration | No | Yes |
+| Proxy Settings | Yes | Yes |
+| Security and Privacy Settings | No | Yes |
+| Add a Root Certificate | Yes | No |
+| Programs | Yes | Yes |
+| Additional Settings | No | Yes |
+| Wizard Complete | Yes | Yes |
+
+
+**Q. Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?**
+Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard.
+
+IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center:
+| | | |
+|---------|---------|---------|
+|[English](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) |
+|[Arabic](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) |
+|[Czech](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) |
+|[Finnish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) |
+|[Hebrew](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) |
+|[Japanese](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) |
+|[Portuguese (Brazil)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) |
+|[Spanish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) |
+
+
+## Additional resources
+
+[Download IEAK 11](https://technet.microsoft.com/microsoft-edge/bb219517)
+[IEAK 11 overview](https://technet.microsoft.com/microsoft-edge/dn532244)
+[IEAK 11 product documentation](https://docs.microsoft.com/internet-explorer/ie11-ieak/index)
+[IEAK 11 licensing guidelines](../ie11-ieak/licensing-version-and-features-ieak11.md)
diff --git a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
index ef7b62be89..b56b2dedbf 100644
--- a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to use the Accelerators page in the IEAK 11 Customization Wizard to add accelerators to employee devices.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 208305ad-1bcd-42f3-aca3-0ad1dda7048b
 title: Use the Accelerators page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
index e5159000fc..f2ab6f6f59 100644
--- a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to use IEAK 11 to add and approve ActiveX controls for your organization.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 33040bd1-f0e4-4541-9fbb-16e0c76752ab
 title: Add and approve ActiveX controls using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
index d7ec6692b6..b0b9219277 100644
--- a/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: We’re sorry. While we continue to recommend that you digitally sign your package, we’ve removed all of the functionality that allowed you to add a root certificate using the Internet Explorer Customization Wizard 11. The wizard page itself will be removed in a future version of the IEAK.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 7ae4e747-49d2-4551-8790-46a61b5fe838
 title: Use the Add a Root Certificate page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
index 48566257bc..08b62952da 100644
--- a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to use the Additional Settings page in IEAK 11 Customization Wizard for additional settings that relate to your employee’s desktop, operating system, and security.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: c90054af-7b7f-4b00-b55b-5e5569f65f25
 title: Use the Additional Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
index 37a45e2b99..b31c220601 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to use the Automatic Configuration page in the IEAK 11 Customization Wizard to add URLs to auto-configure IE.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: de5b1dbf-6e4d-4f86-ae08-932f14e606b0
 title: Use the Automatic Configuration page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
index b44afa30dd..0752aaac38 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to set up automatic detection for DHCP or DNS servers using IEAK 11 in your organization.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: c6bfe7c4-f452-406f-b47e-b7f0d8c44ae1
 title: Set up auto detection for DHCP or DNS servers using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
index 08a43eb829..ae8a5441f1 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to use the Automatic Version Synchronization page in the IEAK 11 Customization Wizard to download the IE11 Setup file each time you run the Wizard.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: bfc7685f-843b-49c3-8b9b-07e69705840c
 title: Use the Automatic Version Synchronization page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
index d8c5cb0595..6970178857 100644
--- a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
@@ -1,26 +1,29 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: plan description: A list of steps to follow before you start to create your custom browser installation packages. -author: eross-msft +author: shortpatti +ms.author: pashort +ms.manager: elizapo ms.prod: ie11 ms.assetid: 6ed182b0-46cb-4865-9563-70825be9a5e4 title: Before you start using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) ms.sitesec: library -ms.date: 07/27/2017 +ms.date: 04/24/2018 --- # Before you start using IEAK 11 -Go through this list, making sure you’ve answered all of the questions before you run Internet Explorer Administration Kit 11 (IEAK 11) and the Customization Wizard. + +Before you run IEAK 11 and the Customization Wizard, make sure you have met the following requirements: - Have you determined which licensing version of the Internet Explorer Administration Kit 11 to install? For info, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md). - Do you meet the necessary hardware and software requirements? See [Hardware and software requirements for IEAK 11](hardware-and-software-reqs-ieak11.md). -- Have you gotten all of the URLs you’ll need so you can customize your **Home**, **Search**, and **Support** pages? See [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](important-urls-home-page-and-support-ieak11-wizard.md). +- Have you gotten all of the URLs needed to customize your **Home**, **Search**, and **Support** pages? See [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](important-urls-home-page-and-support-ieak11-wizard.md). -- Have you reviewed the security features, determining how you want to set up and manage them? See [Security features and IEAK 11](security-and-ieak11.md). +- Have you reviewed the security features to determine how to set up and manage them? 
See [Security features and IEAK 11](security-and-ieak11.md). - Have you created a test lab, where you can run the test version of your browser package to make sure it runs properly? diff --git a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md index 08ee07f8b4..5a0efa8edf 100644 --- a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md @@ -1,8 +1,8 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy description: Use the \[Branding\] .INS file setting to set up your custom branding and setup info in your browser install package. -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: cde600c6-29cf-4bd3-afd1-21563d2642df title: Use the Branding .INS file to create custom branding and setup info (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md index 6ac05013ef..03b1f4eddb 100644 --- a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md @@ -1,8 +1,8 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy description: How to use the Browser User Interface page in the IEAK 11 Customization Wizard to change the toolbar buttons and the title bar. -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: c4a18dcd-2e9c-4b5b-bcc5-9b9361a79f0d title: Use the Browser User Interface page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md index 0bd9e797de..e317f9ebc8 100644 
--- a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md @@ -1,8 +1,8 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: plan description: Use the \[BrowserToolbars\] .INS file setting to customize your Internet Explorer toolbar and buttons. -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 83af0558-9df3-4c2e-9350-44f7788efa6d title: Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar and buttons (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md index bb57b71af9..b602a68d7f 100644 --- a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md @@ -1,8 +1,8 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy description: How to use the Browsing Options page in the IEAK 11 Customization Wizard to manage items in the Favorites, Favorites Bar, and Feeds section. -author: eross-msft +author: shortpatti ms.prod: ie111 ms.assetid: d6bd71ba-5df3-4b8c-8bb5-dcbc50fd974e title: Use the Browsing Options page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md index 1f1568989d..d7a3094423 100644 --- a/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md 
@@ -1,8 +1,8 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy description: Use the \[CabSigning\] .INS file setting to customize the digital signature info for your apps. -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 098707e9-d712-4297-ac68-7d910ca8f43b title: Use the CabSigning .INS file to customize the digital signature info for your apps (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md index d1b7a58fc8..64b989ddcb 100644 --- a/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md @@ -1,9 +1,9 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy ms.pagetype: appcompat description: We’re sorry. We’ve removed all of the functionality included on the **Compatibility View** page of the Internet Explorer Customization Wizard 11. -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 51d8f80e-93a5-41e4-9478-b8321458bc30 title: Use the Compatibility View page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md index caff7eef0b..2e8573d0f1 100644 --- a/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md 
@@ -1,8 +1,8 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy description: We’re sorry. We’ve removed all of the functionality included on the **Connection Manager** page of the Internet Explorer Customization Wizard 11. -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 1edaa7db-cf6b-4f94-b65f-0feff3d4081a title: Use the Connection Manager page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md index 188bf23d91..a54ca3f9f5 100644 --- a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md @@ -1,8 +1,8 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy description: How to use the Connection Settings page in IEAK 11 Customization Wizard to import and preset connection settings on your employee’s computers. -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: dc93ebf7-37dc-47c7-adc3-067d07de8b78 title: Use the Connection Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md index e62028f5b1..0112c0f16f 100644 --- a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md 
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: plan
 description: Use the \[ConnectionSettings\] .INS file setting to specify the network connection settings needed to install your custom package.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 41410300-6ddd-43b2-b9e2-0108a2221355
 title: Use the ConnectionSettings .INS file to review the network connections for install (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
index 7c8092e8e7..b8981f575f 100644
--- a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: plan
 description: How to create your folder structure on the computer that you’ll use to build your custom browser package.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: e0d05a4c-099f-4f79-a069-4aa1c28a1080
 title: Create the build computer folder structure using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
index 064abc480c..4827fc1c75 100644
--- a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: plan
 description: Review this list of tasks and references before you create and deploy your Internet Explorer 11 custom install packages.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: fe71c603-bf07-41e1-a477-ade5b28c9fb3
 title: Tasks and references to consider before creating and deploying custom packages using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
index b90fa80eca..cb1a3823fc 100644
--- a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Steps to create multiple versions of your custom browser if you support more than 1 version of Windows, more than 1 language, or have different features in each package.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 4c5f3503-8c69-4691-ae97-1523091ab333
 title: Create multiple versions of your custom package using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
index 857f487d7f..e9cb1ff4ce 100644
--- a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
+++ b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Use Setup information (.inf) files to uninstall custom components from your custom browser packages.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 8257aa41-58de-4339-81dd-9f2ffcc10a08
 title: Use Setup information (.inf) files to uninstall custom components (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
index 16614c697a..5b7532f69e 100644
--- a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to use the Custom Components page in the IEAK 11 Customization Wizard to add additional components for your employees to install with IE.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 38a2b90f-c324-4dc8-ad30-8cd3e3e901d7
 title: Use the Custom Components page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
index 7cba88970a..9d4d9f6b4f 100644
--- a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: plan
 description: Use the \[CustomBranding\] .INS file setting to specify the location of your branding cabinet (.cab) file.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 9c74e239-65c5-4aa5-812f-e0ed80c5c2b0
 title: Use the CustomBranding .INS file to create custom branding and setup info (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
index 80cee645af..a4bbac4b2e 100644
--- a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
+++ b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: manage
 description: Customize Automatic Search in Internet Explorer so that your employees can type a single word into the Address box to search for frequently used pages.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 694e2f92-5e08-49dc-b83f-677d61fa918a
 title: Customize Automatic Search using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
index 6313b77ce4..4c3726a566 100644
--- a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Use the \[ExtRegInf\] .INS file setting to specify your Setup information (.inf) files and the installation mode for your custom components.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 53148422-d784-44dc-811d-ef814b86a4c6
 title: Use the ExtRegInf .INS file to specify your installation files and mode (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
index ab4693d199..7b876c2cea 100644
--- a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to use the Favorites, Favorites Bar, and Feeds page in IEAK 11 Customization Wizard to add links, web slices, and feeds to your custom browser package.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 84afa831-5642-4b8f-b7df-212a53ec8fc7
 title: Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
index 90775765d1..68953ff98d 100644
--- a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Use the \[FavoritesEx\] .INS file setting to specify your Favorites icon file, whether Favorites is available offline, and your Favorites URLs.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 55de376a-d442-478e-8978-3b064407b631
 title: Use the FavoritesEx .INS file for your Favorites icon and URLs (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
index 66412ddd7b..4baf035425 100644
--- a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to use the Feature Selection page in the IEAK 11 Customization Wizard to choose which parts of the setup processes and Internet Explorer 11 to change for your company.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 9cb8324e-d73b-41ba-ade9-3acc796e21d8
 title: Use the Feature Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
index fa1550cab1..70f59f0665 100644
--- a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to use the File Locations page in the IEAK 11 Customization Wizard to change the location of your install package and IE11 folders.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: bd0620e1-0e07-4560-95ac-11888c2c389e
 title: Use the File Locations page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
index 6dcbc164e7..d782c47cf9 100644
--- a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: plan
 description: Review the file types that are created and used by tools in the Internet Explorer Administration Kit 11 (IEAK 11).
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: e5735074-3e9b-4a00-b1a7-b8fd8baca327
 title: File types used or created by IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
index 76e5afbc12..8ee207bf57 100644
--- a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to use the First Run Wizard and Welcome Page Options page in the IEAK 11 Customization Wizard to set what your employee’s see the first time they log on to IE, based on their operating system.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 85f856a6-b707-48a9-ba99-3a6e898276a9
 title: Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
index f4aeec37b6..f3fbc10a27 100644
--- a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: plan
 description: Customization guidelines for your Internet Explorer toolbar button and Favorites List icons.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: bddc8f23-9ac1-449d-ad71-f77f43ae3b5c
 title: Customize the toolbar button and Favorites List icons using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
index 37a841bff1..6e1b19b500 100644
--- a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: plan
 description: List of supported hardware and software requirements for Internet Explorer 11 and the Internet Explorer Administration Kit 11.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: c50b86dc-7184-43d1-8daf-e750eb88dabb
 title: Hardware and software requirements for Internet Explorer 11 and the IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
index 2787a57d1d..a0cec600e1 100644
--- a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Use the \[HideCustom\] .INS file setting to decide whether to hide the GUID for each custom component.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: e673f7b1-c3aa-4072-92b0-20c6dc3d9277
 title: Use the HideCustom .INS file to hide the GUID for each custom component (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
index d91e9cf5a9..3363f80ab6 100644
--- a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
+++ b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Reference about the command-line options and return codes for Internet Explorer Setup.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 40c23024-cb5d-4902-ad1b-6e8a189a699f
 title: Internet Explorer Setup command-line options and return codes (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md
new file mode 100644
index 0000000000..21b4aa46b2
--- /dev/null
+++ b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md
@@ -0,0 +1,46 @@ +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +ms.pagetype: security +description: The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. +author: shortpatti +ms.author: pashort +ms.manager: elizapo +ms.prod: ie11 +ms.assetid: +title: Internet Explorer Administration Kit (IEAK) information and downloads +ms.sitesec: library +ms.date: 05/10/2018 +--- + +# Internet Explorer Administration Kit (IEAK) information and downloads + +The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. To find more information on the IEAK, see [What IEAK can do for you](what-ieak-can-do-for-you.md). + +## Internet Explorer Administration Kit 11 (IEAK 11) + +[IEAK 11 documentation](index.md) + +[IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md) + +[IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md) + +[Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](before-you-create-custom-pkgs-ieak11.md) + +## Download IEAK + +To download, choose to **Open** the download or **Save** it to your hard drive first. 
+ + +| | | | +|---------|---------|---------| +|[English](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | +|[Arabic](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[German](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Polish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | +|[Chinese (Simplified)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Greek](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) |[Portuguese (Brazil)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) | +|[Chinese (Traditional)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) |[Hebrew](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Portuguese (Portugal)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) | +|[Czech](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Hungarian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Russian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | +|[Danish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) 
|[Italian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) |[Spanish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) | +|[Dutch](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) |[Japanese](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Swedish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) | +|[Finnish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[Korean](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Turkish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | + + diff --git a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md index 133cd15ddf..1e17bda2eb 100644 --- a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md +++ b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md @@ -1,8 +1,8 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: plan description: Review the options available to help you customize your browser install packages for deployment to your employee's devices. -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 4b804da3-c3ac-4b60-ab1c-99536ff6e31b title: Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md index 2e17b2bb73..c2483af8c4 100644 
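Review bot: Every `ieak.msi` link in the download table added to ieak-information-and-downloads.md uses `http://download.microsoft.com/...`, so administrators following this page fetch an installer over cleartext, where it can be altered in transit before it is run with elevated rights. If the host serves the same paths over TLS (worth confirming before merge), switch the scheme on all 24 links, e.g. `[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi)`. Under "Download IEAK" it would also help to add a line such as `Before you run the installer, confirm that its digital signature is valid and issued to Microsoft.` Separately, the front matter leaves `ms.assetid:` empty, unlike the other files in this commit.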
--- a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
+++ b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Reference about the command-line options for the IExpress Wizard.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: aa16d738-1067-403c-88b3-bada12cf9752
 title: IExpress Wizard command-line options (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md b/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
index 060b389a44..235580070d 100644
--- a/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
+++ b/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Use the IExpress Wizard on Windows Server 2008 R2 with SP1 to create self-extracting files to run your custom Internet Explorer Setup program.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 5100886d-ec88-4c1c-8cd7-be00da874c57
 title: IExpress Wizard for Windows Server 2008 R2 with SP1 (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
index 85f09f674c..60b082565b 100644
--- a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
@@ -1,8 +1,8 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy description: How to use the Important URLs - Home Page and Support page in the IEAK 11 Customization Wizard to choose one or more **Home** pages and an online support page for your customized version of IE. -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 19e34879-ba9d-41bf-806a-3b9b9b752fc1 title: Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md index fcabf300fc..74c0cbdb1c 100644 --- a/browsers/internet-explorer/ie11-ieak/index.md +++ b/browsers/internet-explorer/ie11-ieak/index.md @@ -1,26 +1,32 @@ --- ms.mktglfcycl: plan description: IEAK 11 - Internet Explorer Administration Kit 11 Users Guide -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 847bd7b4-d5dd-4e10-87b5-4d7d3a99bbac title: Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide (Internet Explorer Administration Kit 11 for IT Pros) ms.sitesec: library -ms.localizationpriority: low +ms.localizationpriority: medium ms.date: 07/27/2017 --- # Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide + +The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. + Use this guide to learn about the several options and processes you'll need to consider while you're using the Internet Explorer Administration Kit 11 (IEAK 11) to customize, deploy, and manage Internet Explorer 11 for your employee's devices. -**Important**
-Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary. +>[!IMPORTANT] +>Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary. -## IEAK 11 users -IEAK 11 includes programs and tools that enterprises can use to customize, deploy, and administer Internet Explorer 11 for employee devices, while Internet service and content providers can use the same programs and tools to customize, deploy, and administer Internet Explorer 11 for customers. -IEAK 11 works in network environments, with or without Microsoft Active Directory service. +## Included technology +IEAK 11 includes the following technology: +- **Internet Explorer Customization Wizard.** This wizard guides you through the process of creating custom browser packages. After these packages are installed on your user's desktop, the user receives customized versions of Internet Explorer 11, with the settings and options you selected through the wizard. +- **Windows Installer (MSI).** IEAK 11 supports creating an MSI wrapper for your custom Internet Explorer 11 packages, enabling you to use Active Directory to deploy the package to your user's PC. +- **IEAK Help.** IEAK 11 Help includes many conceptual and procedural topics, which you can view from the **Index**, **Contents**, or **Search** tabs. You also have the option to print any topic, or the entire Help library. + ## Naming conventions IE11 and IEAK 11 offers differing experiences between Windows 7 and Windows 8.1 Update and newer versions of the Windows operating system: 
@@ -33,7 +39,10 @@ IE11 and IEAK 11 offers differing experiences between Windows 7 and Windows 8.1 |Internet Explorer Customization Wizard 11 |Step-by-step wizard screens that help you create custom IE11 installation packages. | ## Related topics +- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md) +- [Download IEAK 11](ieak-information-and-downloads.md) +- [IEAK 11 administrators guide](https://docs.microsoft.com/internet-explorer/ie11-ieak/index) +- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md) - [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md) - [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md) -- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643) - +- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643) \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md index e49c34deeb..30e1694ffe 100644 --- a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md @@ -1,8 +1,8 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy description: How to use the Internal Install page in the IEAK 11 Customization Wizard to customize Setup for the default browser and the latest browser updates. -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 33d078e3-75b8-455b-9126-f0d272ed676f title: Use the Internal Install page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md index def833847a..ba4e23f6df 100644 
--- a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Use the \[ISP_Security\] .INS file setting to add the root certificate for your custom Internet Explorer package.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 4eca2de5-7071-45a2-9c99-75115be00d06
 title: Use the ISP_Security .INS file to add your root certificate (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
index cf43edbff7..cd6540d994 100644
--- a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to use the Language Selection page in the IEAK 11 Customization Wizard to choose the lanaguage for your IEAK 11 custom package.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: f9d4ab57-9b1d-4cbc-9398-63f4938df1f6
 title: Use the Language Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
index 6a0c89fda8..c69fbd1f67 100644
--- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
@@ -1,21 +1,26 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: plan description: Learn about which version of the IEAK 11 you should run, based on your license agreement. -author: eross-msft -ms.prod: ie11 +author: pashort +ms.author: shortpatti +ms.manager: elizapo +ms.prod: ie11, ieak11 ms.assetid: 69d25451-08af-4db0-9daa-44ab272acc15 title: Determine the licensing version and features to use in IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) ms.sitesec: library -ms.date: 07/27/2017 +ms.date: 05/02/2018 --- # Determine the licensing version and features to use in IEAK 11 -You must pick a version of IEAK 11 to run during installation, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can pick from, the steps you’ll have to follow to deploy your Internet Explorer 11 package, and how you’ll manage the browser after deployment. +In addition to the Software License Terms for the Internet Explorer Administration Kit 11 (IEAK 11) (IEAK 11, the "software"), these Guidelines further define how you may and may not use the software to create versions of Internet Explorer 11 with optional customizations (the "customized browser") for internal use and distribution in accordance with the IEAK 11 Software License Terms. IEAK 11 is for testing purposes only and is not intended to be used in a production environment. -- **External Distribution as an Internet Service Provider (ISP), Internet Content Provider (ICP), or Developer.** If you’re an ISP or an ICP, your license agreement also says that you have to show the Internet Explorer logo on your packaging and promotional goods, as well as on your website.

-**Important**
Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations. +During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment. + +- **External Distribution as an Internet Service Provider (ISP), Internet Content Provider (ICP), or Developer.** If you are an ISP or an ICP, your license agreement also states that you must show the Internet Explorer logo on your packaging and promotional goods, as well as on your website. + >[!IMPORTANT] + >Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations. - **Internal Distribution via a Corporate Intranet.** This version is for network admins that plan to directly deploy IE11 into a corporate environment. 
@@ -45,8 +50,53 @@ You must pick a version of IEAK 11 to run during installation, either **Externa |Automatic configuration |Not available | |Proxy settings |Proxy settings | |Security and privacy settings |Not available | -|Not available |Add a root certificate | +|Add a root certificate |Not available | |Programs |Programs | |Additional settings |Not available | |Wizard complete |Wizard complete | +## Customization guidelines + +Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software. + +- **External Distribution** + This mode is available to anyone who wants to create a customized browser for distribution outside their company (for example, websites, magazines, retailers, non-profit organizations, independent hardware vendors, independent software vendors, Internet service providers, Internet content providers, software developers, and marketers). + +- **Internal Distribution** + This mode is available to companies for the creation and distribution of a customized browser only to their employees over a corporate intranet. + +The table below identifies which customizations you may or may not perform based on the mode you selected. + +| **Feature Name** | **External Distribution** | **Internal Distribution** | +|---------------------------------|----------------------|-------------------| +| **Custom Components** | Yes | Yes | +| **Title Bar** | Yes | Yes | +| **Favorites** | One folder, containing any number of links. | Any number of folders/links. | +| **Search Provider URLs** | Yes | Yes | +| **Search Guide URL** | No | Yes | +| **Online Support URL** | Yes | Yes | +| **Web Slice** | Suggested maximum five Web Slices. | Any number of Web Slices. | +| **Accelerator** | Search provider Accelerator must be the same as the search provider set for the Search Toolbox. 
We recommend that Any number of Accelerators/Accelerator Categories. Feature Name External Internal Accelerator category not exceed seven total categories, and each Accelerator category must be unique. We recommend each Accelerator category not have more than two Accelerators. The Accelerator display name should follow the syntax of verb + noun, such as "Map with Bing." | Any number of Accelerators/Accelerator Categories. | +| **Homepage URLs** | Can add a maximum of three. | Unlimited. | +| **First Run Wizard and Welcome Page Options** | Cannot remove Internet Explorer 11 First Run wizard. Can customize **Welcome** page. | Customizable. | +| **RSS Feeds** | One folder, containing any number of links. | Any number of folders/links. | +| **Browsing Options** | No | Yes | +| **Security and Privacy Settings** | No | Can add any number of sites. | +| **Corporate Options** (Latest Updates, Default Browser, Uninstall Info, Additional Settings) | No | Yes | +| **User Experience** (Setup/Restart) | No | Yes | +| **User Agent String** | Yes | Yes | +| **Compatibility View** | Yes | Yes | +| **Connection Settings and Manage** | Yes | Yes | + + +Support for some of the Internet Explorer settings on the wizard pages varies depending on your target operating system. For more information, see [Internet Explorer Customization Wizard 11 options](https://docs.microsoft.com/internet-explorer/ie11-ieak/ieak11-wizard-custom-options). + +## Distribution guidelines + +Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software. + +- **External Distribution** + You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. 
If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [!INCLUDE [microsoft-browser-extension-policy-include](../../edge/microsoft-browser-extension-policy-include.md)]. + +- **Internal Distribution - corporate intranet** + The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet. \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md index 4dd05077cf..ff473d6648 100644 --- a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md @@ -1,8 +1,8 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy description: Use the \[Media\] .INS file setting to specify the types of media on which your custom install package is available. -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: c57bae60-d520-49a9-a77d-da43f7ebe5b8 title: Use the Media .INS file to specify your install media (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md index e452b86aef..19e75dbdca 100644 --- a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md 
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to use the Package Type Selection page in the IEAK 11 Customization Wizard to pick the media type you’ll use to distribute your custom package.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: dd91f788-d05e-4f45-9fd5-d951abf04f2c
 title: Use the Package Type Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
index fe9ee2e713..9bac11b82d 100644
--- a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to use the Platform Selection page in the IEAK 11 Customization Wizard to pick the specs for your employee devices that will get the install package.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 9cbf5abd-86f7-42b6-9810-0b606bbe8218
 title: Use the Platform Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
index b21003374e..d6e16707bd 100644
--- a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: plan
 description: Learn about what you need to do before you deploy your custom browser package using IEAK 11 over your network.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 2c66d22a-4a94-47cc-82ab-7274abe1dfd6
 title: Before you install your package over your network using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
index 8bce1cbea1..7509c355d2 100644
--- a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to use the Programs page in the IEAK 11 Customization Wizard to pick the default programs to use for Internet services.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: f715668f-a50d-4db0-b578-e6526fbfa1fc
 title: Use the Programs page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
index 69d1bc3a0d..9a57aef1fa 100644
--- a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
+++ b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Learn about how to use a proxy auto-configuration (.pac) file to specify an automatic proxy URL.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 6c94708d-71bd-44bd-a445-7e6763b374ae
 title: Use proxy auto-configuration (.pac) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md
index 28227c9b71..c98971ddef 100644
--- a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Use the \[Proxy\] .INS file setting to define whether to use a proxy server.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 30b03c2f-e3e5-48d2-9007-e3fd632f3c18
 title: Use the Proxy .INS file to specify a proxy server (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
index cb0e99d572..c29f790845 100644
--- a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to use the Proxy Settings page in the IEAK 11 Customization Wizard to pick the proxy servers used to connect to required services.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 1fa1eee3-e97d-41fa-a48c-4a6e0dc8b544
 title: Use the Proxy Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md
index f9c3ebee2a..e0838b0473 100644
--- a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Learn how to register an uninstall app for your custom components, using IEAK 11.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 4da1d408-af4a-4c89-a491-d6f005fd5005
 title: Register an uninstall app for custom components using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
index b254a6285e..922be0f879 100644
--- a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: manage
 description: Learn how to use the Resultant Set of Policy (RSoP) snap-in to view your policy settings.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 0f21b320-e879-4a06-8589-aae6fc264666
 title: Use the RSoP snap-in to review policy settings (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
index 134182e0d0..0e48aa99c7 100644
--- a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to use the Search Providers page in the IEAK 11 Customization Wizard to add additional providers and set the default.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 48cfaba5-f4c0-493c-b656-445311b7bc52
 title: Use the Search Providers page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md
index da06db09c4..fe275274f8 100644
--- a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: plan
 description: Learn about the security features available in Internet Explorer 11 and IEAK 11.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 5b64c9cb-f8da-411a-88e4-fa69dea473e2
 title: Security features and IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
index d947f3023d..8da6980597 100644
--- a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to use the Security and Privacy Settings page in the IEAK 11 Customization Wizard to manage your security zones, privacy settings, and content ratings.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: cb7cd1df-6a79-42f6-b3a1-8ae467053f82
 title: Use the Security and Privacy Settings page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md
index 5f16ccd492..a01457ac6c 100644
--- a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Use the \[Security Imports\] .INS file setting to decide whether to import security info to your custom package.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: 19791c44-aaa7-4f37-9faa-85cbdf29f68e
 title: Use the Security Imports .INS file to import security info (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
index c762eb1d5a..2526c4f33b 100644
--- a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
@@ -1,8 +1,9 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: support description: Info about some of the known issues using the Internet Exporer Customization Wizard and a custom Internet Explorer install package. -author: eross-msft +author: shortpatti +ms.author: pashort ms.prod: ie11 ms.assetid: 9e22cc61-6c63-4cab-bfdf-6fe49db945e4 title: Troubleshoot custom package and IEAK 11 problems (Internet Explorer Administration Kit 11 for IT Pros) @@ -14,8 +15,8 @@ ms.date: 07/27/2017 # Troubleshoot custom package and IEAK 11 problems While the Internet Explorer Customization Wizard has been around for quite a while, there are still some known issues that you might encounter while deploying or managing your custom IE install package. -## I can’t locate some of the wizard pages -The most common reasons you won’t see certain pages is because: +## I am unable to locate some of the wizard pages +The most common reasons you will not see certain pages is because: - **Your licensing agreement with Microsoft.** Your licensing agreement determines whether you install the **Internal** or **External** version of the Internet Explorer Customization Wizard, and there are different features available for each version. For info about which features are available for each version, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md). 
@@ -23,7 +24,7 @@ The most common reasons you won’t see certain pages is because: - **Your choice of features.** Depending on what you selected from the **Feature Selection** page of the wizard, you might not see all of the pages. You need to make sure that the features you want to customize are all checked. For more information, see [Use the Feature Selection page in the IEAK 11 Wizard](feature-selection-ieak11-wizard.md). -## Internet Explorer Setup fails on employee devices +## Internet Explorer Setup fails on user's devices Various issues can cause problems during Setup, including missing files, trust issues, or URL monikers. You can troubleshoot these issues by reviewing the Setup log file, located at `IE11\_main.log` from the **Windows** folder (typically, `C:\Windows`). The log file covers the entire Setup process from the moment IE11Setup.exe starts until the last .cab file finishes, providing error codes that you can use to help determine the cause of the failure. ### Main.log file codes 
@@ -61,18 +62,60 @@ To address connection issues (for example, as a result of server problems) where Where `` represents the folder location where you stored IE11setup.exe. -## Employees can’t uninstall IE -If you can’t uninstall IE using **Uninstall or change a program** in the Control Panel, it could be because the uninstall information isn’t on the computer. To fix this issue, you should: +## Users cannot uninstall IE +If you cannot uninstall IE using **Uninstall or change a program** in the Control Panel, it could be because the uninstall information is not on the computer. To fix this issue, you should: 1. Review the uninstall log file, IE11Uninst.log, located in the `C:\Windows` folder. This log file covers the entire uninstallation process, including every file change, every registry change, and any dialog boxes that are shown. 2. Try to manually uninstall IE. Go to the backup folder, `:\Windows\$ie11$`, and run the uninstall file, `Spunist.exe`.   +## The Internet Explorer Customization Wizard 11 does not work with user names that user double-byte character sets +The customization wizard does not work with user names that use double-byte character sets, such as Chinese or Japanese. To fix this, set the **TEMP** and **TMP** environmental variables to a path that does not use these characters (for example, C:\temp). + +1. Open **System Properties**, click the **Advanced** tab, and then click **Environmental Variables**. +2. Click Edit, and then modify the **TEMP** and **TMP** environmental variables to a non-user profile directory.   +## Unicode characters are not supported in IEAK 11 path names +While Unicode characters, such as Emoji, are supported for organization names and other branding items, you must not use Unicode characters in any paths associated with running the Internet Explorer Customization Wizard 11. This includes paths to your IEAK 11 installation and to the storage location for your custom packages after they're built. 
+ +## Internet Explorer branding conflicts when using both Unattend and IEAK 11 to customize Internet Explorer settings +Using both Unattend settings and an IEAK custom package to modify a user's version of Internet Explorer 11 might cause a user to lose personalized settings during an upgrade. For example, many manufacturers configure Internet Explorer using Unattend settings. If a user purchases a laptop, and then signs up for Internet service, their Internet Service Provider (ISP) might provide a version of Internet Explorer that has been branded (for example, with a custom homepage for that ISP) using Internet Explorer Customization Wizard 11. If that user later upgrades to a new version of Internet Explorer, the Unattend settings from the laptop manufacturer will be reapplied, overwriting any settings that the user configured for themselves (such as their homepage). +## IEAK 11 does not correctly apply the Delete all existing items under Favorites, Favorites Bar and Feeds option +The Internet Explorer Customization Wizard 11 does not correctly apply the **Delete all existing items under Favorites**, **Favorites Bar and Feeds** option, available on the **Browsing Options** page. +Selecting to include this feature in your customized Internet Explorer package enables the deletion of existing items in the **Favorites** and **Favorites Bar** areas, but it doesn't enable deletion in the **Feeds** area. In addition, this setting adds a new favorite, titled “Web Slice Gallery” to the **Favorites Bar**. +## F1 does not activate Help on Automatic Version Synchronization page +Pressing the **F1** button on the **Automatic Version Synchronization** page of the Internet Explorer Customization Wizard 11 does not display the **Help** page. Clicking the **Help** button enables you to open the Help system and view information about this page. 
+## Certificate installation does not work on IEAK 11 +IEAK 11 doesn't install certificates added using the Add a Root Certificate page of the Internet Explorer Customization Wizard 11. Administrators can manually install certificates using the Certificates Microsoft Management Console snap-in (Certmgr.msc) or using the command-line tool, Certificate Manager (Certmgr.exe). + +>[!NOTE] +>This applies only when using the External licensing mode of IEAK 11. + +## The Additional Settings page appears in the wrong language when using a localized version of IEAK 11 +When using IEAK 11 in other languages, the settings on the Additional Settings page appear in the language of the target platform, regardless of the IEAK 11 language. + +>[!NOTE] +>This applies only when using the Internal licensing mode of IEAK 11. + +To work around this issue, run the customization wizard following these steps: +1. On the **Language Selection** page, select the language that matches the language of your installed IEAK 11. +2. Click **Next**, and then click **Synchronize** on the Automatic Version Synchronization page. +3. After synchronization is complete, cancel the wizard. +4. Repeat these steps for each platform on the Platform Selection page. + +After performing these steps, you must still do the following each time you synchronize a new language and platform: +1. Open File Explorer to the Program Files\Windows IEAK 11 or Program Files (x86)\Windows IEAK 11 folder. +2. Open the **Policies** folder, and then open the appropriate platform folder. +3. Copy the contents of the matching-language folder into the new language folder. + +After completing these steps, the Additional Settings page matches your wizard’s language. + +## Unable to access feeds stored in a subfolder +Adding feeds using the **Favorites**, **Favorites Bar**, and **Feeds** page of the Internet Explorer 11 Customization Wizard requires that the feeds be stored in a single folder. 
Creating two levels of folders, and creating the feed in the subfolder, causes the feed to fail. diff --git a/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md index 788872c6de..b5ba778a93 100644 --- a/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md @@ -1,8 +1,8 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy description: Use the \[URL\] .INS file setting to decide whether to use an auto-configured proxy server. -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: 05b09dfa-cf11-408d-92c2-b4ae434a59a7 title: Use the URL .INS file to use an auto-configured proxy server (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md index 5c4fb45863..425f3e2e60 100644 --- a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md @@ -1,8 +1,8 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy description: How to use the User Experience page in the IEAK 11 Customization Wizard to decide user interaction with the Setup process. -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: d3378058-e4f0-4a11-a888-b550af994bfa title: Use the User Experience page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md index 6eafaec05b..b3eaeb6c0f 100644 --- a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md +++ b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md 
@@ -1,8 +1,8 @@
 ---
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Info about how to use Internet Settings (.ins) files and the IEAK 11 to configure your custom browser package.
-author: eross-msft
+author: shortpatti
 ms.prod: ie11
 ms.assetid: a24a7cdb-681e-4f34-a53c-6d8383c5f977
 title: Using Internet Settings (.INS) files with IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
diff --git a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md
new file mode 100644
index 0000000000..2754da89f4
--- /dev/null
+++ b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md
@@ -0,0 +1,66 @@ +--- +ms.localizationpriority: medium +ms.mktglfcycl: support +ms.pagetype: security +description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. +author: shortpatti +ms.author: pashort +ms.manager: elizapo +ms.prod: ie11 +ms.assetid: +title: What IEAK can do for you +ms.sitesec: library +ms.date: 05/10/2018 +--- + +# What IEAK can do for you + +Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. + +IEAK 10 and newer includes the ability to install using one of the following installation modes: + +- Internal + +- External + +## IEAK 11 users +Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. + +IEAK 10 and newer includes the ability to install using one of the following installation modes: +- Internal +- External + +>[!NOTE] +>IEAK 11 works in network environments, with or without Microsoft Active Directory service. + + +### Corporations +IEAK helps corporate administrators establish version control, centrally distribute and manage browser installation, configure automatic connection profiles, and customize large portions of Internet Explorer, including features, security, communications settings, and other important functionality. + +Corporate administrators install IEAK using Internal mode (for Internet Explorer 10 or newer) or Corporate mode (for Internet Explorer 9 or older). 
+ +### Internet service providers +IEAK helps ISPs customize, deploy and distribute, add third-party add-ons, search providers, and custom components, as well as include web slices and accelerators all as part of a custom Internet Explorer installation package. + +ISPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Service Provider (ISP) mode (for Internet Explorer 9 or older). + +### Internet content providers +IEAK helps ICPs customize the appearance of Internet Explorer and its Setup program, including letting you add your company name or specific wording to the Title bar, set up a customer support webpage, set up the user home page and search providers, add links to the Favorites and the Explorer bars, add optional components, web slices and accelerators, and determine which compatibility mode Internet Explorer should use. + +ICPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older) + +### Independent software vendors +IEAK helps ISVs distribute (and redistribute) a custom version of Internet Explorer that can include custom components, programs, and controls (like the web browser control) that you create for your users. ISVs can also determine home pages, search providers, and add websites to the Favorites bar. + +ISVs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older). 
+ +## Additional resources + +- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md) +- [Download IEAK 11](ieak-information-and-downloads.md) +- [IEAK 11 overview](index.md) +- [IEAK 11 administrators guide](https://docs.microsoft.com/internet-explorer/ie11-ieak/index) +- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md) +- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md) +- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md) +- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643) \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md index 53df3948f6..aa88edcfee 100644 --- a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md @@ -1,8 +1,8 @@ --- -ms.localizationpriority: low +ms.localizationpriority: medium ms.mktglfcycl: deploy description: How to use the Wizard Complete - Next Steps page in the IEAK 11 Customization Wizard to build your custom Internet Explorer install package. -author: eross-msft +author: shortpatti ms.prod: ie11 ms.assetid: aaaac88a-2022-4d0b-893c-b2404b45cabc title: Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) diff --git a/browsers/internet-explorer/index.md b/browsers/internet-explorer/index.md index 303df95ed6..c2dbda0086 100644 --- a/browsers/internet-explorer/index.md +++ b/browsers/internet-explorer/index.md 
@@ -1,12 +1,12 @@
 ---
 ms.mktglfcycl: deploy
 description: The landing page for IE11 that lets you access the documentation.
-author: eross-msft
+author: shortpatti
 ms.prod: IE11
 title: Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
 assetid: be3dc32e-80d9-4d9f-a802-c7db6c50dbe0
 ms.sitesec: library
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.date: 07/27/2017
 ---
 
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index 87ef48bb20..e1fa685f30 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -1,10 +1,17 @@
 # [Microsoft HoloLens](index.md)
+## [What's new in Microsoft HoloLens](hololens-whats-new.md)
+## [Insider preview for Microsoft HoloLens](hololens-insider.md)
 ## [HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md)
 ## [Set up HoloLens](hololens-setup.md)
 ## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md)
 ## [Enroll HoloLens in MDM](hololens-enroll-mdm.md)
+## [Manage updates to HoloLens](hololens-updates.md)
 ## [Set up HoloLens in kiosk mode](hololens-kiosk.md)
+## [Share HoloLens with multiple people](hololens-multiple-users.md)
 ## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
 ## [Install apps on HoloLens](hololens-install-apps.md)
+## [Preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md)
+### [Microsoft Remote Assist app](hololens-microsoft-remote-assist-app.md)
+### [Microsoft Layout app](hololens-microsoft-layout-app.md)
 ## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
 ## [Change history for Microsoft HoloLens documentation](change-history-hololens.md)
\ No newline at end of file
diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md
index 20d0866be8..95f7f92bed 100644
--- a/devices/hololens/change-history-hololens.md
+++ b/devices/hololens/change-history-hololens.md
@@ -2,19 +2,50 @@
 title: Change history for Microsoft HoloLens documentation
 description: This topic lists new and updated topics for HoloLens.
 keywords: change history
-ms.prod: w10
+ms.prod: hololens
 ms.mktglfcycl: manage
 ms.sitesec: library
-ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.topic: article
 ms.localizationpriority: medium
-ms.date: 02/02/2018
+ms.date: 07/27/2018
 ---
 
 # Change history for Microsoft HoloLens documentation
 
 This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
 
+## July 2018
+
+New or changed topic | Description
+--- | ---
+[Insider preview for Microsoft HoloLens](hololens-insider.md) | New
+
+## June 2018
+
+New or changed topic | Description
+--- | ---
+[HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md#pin) | Added instructions for creating a sign-in PIN.
+
+## May 2018
+
+New or changed topic | Description
+--- | ---
+[Preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md) | New
+[Microsoft Remote Assist app](hololens-microsoft-remote-assist-app.md) | New
+[Microsoft Layout app](hololens-microsoft-layout-app.md) | New
+[Set up HoloLens in kiosk mode](hololens-kiosk.md) | Added instructions for setting up a guest account for kiosk mode.
+
+## Windows 10 Holographic for Business, version 1803
+
+The topics in this library have been updated for Windows 10 Holographic for Business, version 1803. The following new topics have been added:
+
+- [What's new in Microsoft HoloLens](hololens-whats-new.md)
+- [Manage updates to HoloLens](hololens-updates.md)
+- [Share HoloLens with multiple people](hololens-multiple-users.md)
+
+
 ## February 2018
 
 New or changed topic | Description
diff --git a/devices/hololens/hololens-encryption.md b/devices/hololens/hololens-encryption.md
index aef7ea7f69..8210e1f2fb 100644
--- a/devices/hololens/hololens-encryption.md
+++ b/devices/hololens/hololens-encryption.md
@@ -1,11 +1,12 @@
 ---
 title: Enable Bitlocker encryption for HoloLens (HoloLens)
 description: Enable Bitlocker device encryption to protect files stored on the HoloLens
-ms.prod: w10
+ms.prod: hololens
 ms.mktglfcycl: manage
-ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerms
+ms.author: jdecker
+ms.topic: article
 ms.localizationpriority: medium
 ms.date: 12/20/2017
 ---
@@ -55,7 +56,7 @@ Provisioning packages are files created by the Windows Configuration Designer to
 
 ### Create a provisioning package that upgrades the Windows Holographic edition
 
-1. [Create a provisioning package for HoloLens.](hololens-provisioning.md#create-a-provisioning-package-for-hololens)
+1. [Create a provisioning package for HoloLens.](hololens-provisioning.md)
 
 2. Go to **Runtime settings** > **Policies** > **Security**, and select **RequireDeviceEncryption**.
 
diff --git a/devices/hololens/hololens-enroll-mdm.md b/devices/hololens/hololens-enroll-mdm.md
index 1412357e31..5f79d72c2e 100644
--- a/devices/hololens/hololens-enroll-mdm.md
+++ b/devices/hololens/hololens-enroll-mdm.md
@@ -1,18 +1,19 @@ --- title: Enroll HoloLens in MDM (HoloLens) description: Enroll HoloLens in mobile device management (MDM) for easier management of multiple devices. -ms.prod: w10 +ms.prod: hololens ms.mktglfcycl: manage -ms.pagetype: hololens, devices ms.sitesec: library author: jdeckerms +ms.author: jdecker +ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 --- # Enroll HoloLens in MDM -You can manage multiple Microsoft HoloLens devices simultaneously using solutions like Microsoft Intune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need. See [Manage devices running Windows Holographic with Microsoft Intune](https://docs.microsoft.com/intune/windows-holographic-for-business), the [configuration service providers (CSPs) that are supported in Windows Holographic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference#hololens), and the [policies supported by Windows Holographic for Business](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#hololenspolicies). +You can manage multiple Microsoft HoloLens devices simultaneously using solutions like [Microsoft Intune](https://docs.microsoft.com/intune/windows-holographic-for-business). You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need. 
See [Manage devices running Windows Holographic with Microsoft Intune](https://docs.microsoft.com/intune/windows-holographic-for-business), the [configuration service providers (CSPs) that are supported in Windows Holographic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference#hololens), and the [policies supported by Windows Holographic for Business](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#hololenspolicies). >[!NOTE] >Mobile device management (MDM), including the VPN, Bitlocker, and kiosk mode features, is only available when you [upgrade to Windows Holographic for Business](hololens-upgrade-enterprise.md). diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md new file mode 100644 index 0000000000..05e12d5cce --- /dev/null +++ b/devices/hololens/hololens-insider.md 
@@ -0,0 +1,176 @@ +--- +title: Insider preview for Microsoft HoloLens (HoloLens) +description: It’s simple to get started with Insider builds and to provide valuable feedback for our next major operating system update for HoloLens. +ms.prod: hololens +ms.sitesec: library +author: jdeckerms +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium +ms.date: 07/27/2018 +--- + +# Insider preview for Microsoft HoloLens + +Welcome to the latest Insider Preview builds for HoloLens! It’s simple to get started and provide valuable feedback for our next major operating system update for HoloLens. + +>Latest insider version: 10.0.17720.1000 + + +## How do I install the Insider builds? + +On a device running the Windows 10 April 2018 Update, go to **Settings -> Update & Security -> Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider. + +Then, select **Active development of Windows**, choose whether you’d like to receive **Fast** or **Slow** builds, and review the program terms. + +Select **Confirm -> Restart Now** to finish up. After your device has rebooted, go to **Settings -> Update & Security -> Check for updates** to get the latest build. + +## New features for HoloLens + +The latest Insider Preview (RS5) has arrived for all HoloLens customers! This latest flight is packed with improvements that have been introduced since the [last major release of HoloLens software in May 2018](https://docs.microsoft.com/windows/mixed-reality/release-notes). + +### For everyone + + +Feature | Details | Instructions +--- | --- | --- +Stop video capture from the Start or quick actions menu | If you start video capture from the Start menu or quick actions menu, you’ll be able to stop recording from the same place. (Don’t forget, you can always do this with voice commands too.) | To start recording, select **Start > Video**. To stop recording, select **Start > Stop video**. 
+Project to a Miracast-enabled device | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter | On **Start**, select **Connect**. Select the device you want to project to. +New notifications | View and respond to notification toasts on HoloLens, just like you do on a PC. | You’ll now see notifications from apps that provide them. Gaze to respond to or dismiss them (or if you’re in an immersive experience, use the bloom gesture). +HoloLens overlays (file picker, keyboard, dialogs, etc.) | You’ll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. | When you’re using an immersive app, input text, select a file from the file picker, or interact with dialogs without leaving the app. +Visual feedback overlay UI for volume change | When you use the volume up/down buttons on your HoloLens you’ll see a visual display of the volume level. | Adjust the device volume using the volume up/down buttons located on the right arm of the HoloLens. Use the visual display to track the volume level. +New UI for device boot | A loading indicator was added during the boot process to provide visual feedback that the system is loading. | Reboot your device to see the new loading indicator—it’s between the "Hello" message and the Windows boot logo. +Share UX: Nearby Sharing | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. | Capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge). Select a nearby Windows device to share with. +Share from Microsoft Edge | Share button is now available on Microsoft Edge windows on HoloLens. | In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. 
+ +### For developers + +- Support for Holographic [Camera Capture UI API](https://docs.microsoft.com/windows/uwp/audio-video-camera/capture-photos-and-video-with-cameracaptureui), which will let developers expose a way for users to seamlessly invoke camera or video capture from within their applications. For example, users can now capture and insert photo or video content directly within apps like Word. +- Mixed Reality Capture has been improved to exclude hidden mesh from captures, which means videos captures by apps will no longer contain black corners around the content. + +### For commercial customers + + +Feature | Details | Instructions +--- | --- | --- +Enable post-setup provisioning | Can now apply a runtime provisioning package at any time using **Settings**. | On your PC:

1. Create a provisioning package as described at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md).
2. Connect the HoloLens device via USB to a PC. HoloLens will show up as a device in File Explorer on the PC.
3. Drag and drop the provisioning package to the Documents folder on the HoloLens.

On your HoloLens:

1. Go to **Settings > Accounts > Access work or school**.
2. In **Related Settings**, select **Add or remove a provisioning package**.
3. On the next page, select **Add a package** to launch the file picker and select your provisioning package.
**Note:** if the folder is empty, make sure you select **This Device** and select **Documents**.
After your package has been applied, it will show in the list of Installed packages. To view package details or to remove the package from the device, select the listed package. +Assigned access with Azure AD groups | Flexibility to use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. | Prepare XML file to configure Assigned Access on PC:

1. In a text editor, open [the provided file AssignedAccessHoloLensConfiguration_AzureADGroup.xml](#xml).
2. Change the group ID to one available in your Azure AD tenant. You can find the group ID of an Azure Active Directory Group by either :
- following the steps at [Azure Active Directory version 2 cmdlets for group management](https://docs.microsoft.com/azure/active-directory/active-directory-accessmanagement-groups-settings-v2-cmdlets),
OR
- in the Azure portal, with the steps at [Manage the settings for a group in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-groups-settings-azure-portal).

**Note:** The sample configures the following apps: Skype, Learning, Feedback Hub, Flow, Camera, and Calibration.

Create provisioning package with WCD:

1. On a PC, follow the steps at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md) to create a provisioning package.
2. Ensure that you include the license file in **Set up device**.
3. Select **Switch to advanced editor** (bottom left), and **Yes** for warning prompt.
4. Expand the runtime settings selection in the **Available customizations** panel and select **AssignedAccess > MultiAppAssignedAccessSettings**.
5. In the middle panel, you should now see the setting displayed with documentation in the panel below. Browse to the XML you modified for Assigned Access.
6. On the **Export** menu, select **Provisioning package**.
**Warning:** If you encrypt the provisioning package, provisioning the HoloLens device will fail.
7. Select **Next** to specify the output location where you want the provisioning package to go once it's built.
8. Select **Next**, and then select **Build** to start building the package.
9. When the build completes, select **Finish**.

Apply the package to HoloLens:

1. Connect HoloLens via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box). HoloLens will show up as a device in File Explorer on the PC.
2. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage.
3. Briefly press and release the **Volume Down** and **Power** buttons simultaneously again while on the fit page.
4. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package.
5. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE.

Enable assigned access on HoloLens:

1. After applying the provisioning package, during the **Account Setup** flows in OOBE, select **My work or school owns this** to set up your device with an Azure AD account.
**Note:** This account must not be in the group chosen for Assigned Access.
2. Once you reach the Shell, ensure the Skype app is installed either via your MDM environment or from the Store.
3. After the Skype app is installed, sign out.
4. On the sign-in screen, select the **Other User** option and enter an Azure AD account email address that belongs to the group chosen for Assigned Access. Then enter the password to sign in. You should now see this user with only the apps configured in the Assigned Access profile. +PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**.  | When signing in as **Other User**, the PIN option is now available under **Sign-In options**. +Sign in with Web Cred Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. Look for additional web sign-in methods coming in the future. | From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password.
**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in.  +Read device hardware info through MDM so devices can be tracked by serial # | IT administrators can see and track HoloLens by device serial number in their MDM console. | Refer to your MDM documentation for feature availability, and for how to use your MDM console to view HoloLens device serial number. +Set HoloLens device name through MDM (rename) |  IT administrators can see and rename HoloLens devices in their MDM console. | Refer to your MDM documentation for feature availability, and for how to use your MDM console to view and set your HoloLens device name (rename). + +### For international customers + + +Feature | Details | Instructions +--- | --- | --- +Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands. | See below. + +#### Installing the Chinese or Japanese versions of the Insider builds + +In order to switch to the Chinese or Japanese version of HoloLens, you’ll need to download the build for the language on a PC and then install it on your HoloLens using the Windows Device Recovery Tool (WDRT). + +>[!IMPORTANT] +>Installing the Chinese or Japanese builds of HoloLens using WDRT will delete existing data, like personal files and settings, from your HoloLens. + +1. On a retail HoloLens device, [opt in to Insider Preview builds](#get-insider) to prepare your device for the RS5 Preview. +2. On your PC, download and install [the Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379). +3. Download the package for the language you want to your PC: [Simplified Chinese](https://aka.ms/hololenspreviewdownload-ch) or [Japanese](https://aka.ms/hololenspreviewdownload-jp). +4. When the download is finished, select **File Explorer > Downloads**. 
Right-click the zipped folder you just downloaded, and select **Extract all... > Extract** to unzip it. +5. Connect your HoloLens to your PC using the micro-USB cable it came with. (Even if you've been using other cables to connect your HoloLens, this one works best.)  +6. The tool will automatically detect your HoloLens. Select the Microsoft HoloLens tile. +7. On the next screen, select **Manual package selection** and choose the installation file contained in the folder you unzipped in step 4. (Look for a file with the extension “.ffu”.) +8. Select **Install software** and follow the instructions to finish installing. +9. Once the build is installed, HoloLens setup will start automatically. Put on the device and follow the setup directions. + +When you’re done with setup, go to **Settings -> Update & Security -> Windows Insider Program** and check that you’re configured to receive the latest preview builds. The Chinese/Japanese version of HoloLens will be kept up-to-date with the latest preview builds via the Windows Insider Program the same way the English version is. + +## Note for language support + +- You can’t change the system language between English, Japanese, and Chinese using the Settings app. Flashing a new build is the only supported way to change the device system language. +- While you can enter Simplified Chinese / Japanese text using the on-screen Pinyin keyboard, typing in Simplified Chinese / Japanese using a Bluetooth hardware keyboard is not supported at this time. However, on Chinese/Japanese HoloLens, you can continue to use a BT keyboard to type in English (the ~ key on a hardware keyboard toggles the keyboard to type in English). + +## Note for developers + +You are welcome and encouraged to try developing your applications using this build of HoloLens. Check out the [HoloLens Developer Documentation](https://developer.microsoft.com/windows/mixed-reality/development) to get started. 
Those same instructions work with this latest build of HoloLens. You can use the same builds of Unity and Visual Studio that you're already using for HoloLens development. + +## Provide feedback and report issues + +Please use [the Feedback Hub app](https://docs.microsoft.com/windows/mixed-reality/give-us-feedback) on your HoloLens or Windows 10 PC to provide feedback and report issues. Using Feedback Hub ensures that all necessary diagnostics information is included to help our engineers quickly debug and resolve the problem. Issues with the Chinese and Japanese version of HoloLens should be reported the same way. + +>[!NOTE] +>Be sure to accept the prompt that asks whether you’d like Feedback Hub to access your Documents folder (select **Yes** when prompted). + + +## AssignedAccessHoloLensConfiguration_AzureADGroup.xml + +Copy this sample XML to use for the [**Assigned access with Azure AD groups** feature](#for-commercial-customers). + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + + + + + + + + +``` + diff --git a/devices/hololens/hololens-install-apps.md b/devices/hololens/hololens-install-apps.md index badec3873c..3de34452cf 100644 --- a/devices/hololens/hololens-install-apps.md +++ b/devices/hololens/hololens-install-apps.md @@ -1,11 +1,12 @@ --- title: Install apps on HoloLens (HoloLens) description: The recommended way to install apps on HoloLens is to use Microsoft Store for Business. -ms.prod: w10 +ms.prod: hololens ms.mktglfcycl: manage -ms.pagetype: hololens, devices ms.sitesec: library author: jdeckerms +ms.author: jdecker +ms.topic: article ms.localizationpriority: medium ms.date: 12/20/2017 --- diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index 14ede04e4d..9b54f8a335 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md 
@@ -1,20 +1,186 @@ --- title: Set up HoloLens in kiosk mode (HoloLens) -description: Kiosk mode limits the user's ability to launch new apps or change the running app. -ms.prod: w10 -ms.mktglfcycl: manage -ms.pagetype: hololens, devices +description: Use a kiosk configuration to lock down the apps on HoloLens. +ms.prod: hololens ms.sitesec: library author: jdeckerms +ms.author: jdecker +ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 05/22/2018 --- # Set up HoloLens in kiosk mode -Kiosk mode limits the user's ability to launch new apps or change the running app. When kiosk mode is enabled for HoloLens, the bloom gesture and Cortana are disabled, and placed apps aren't shown in the user's surroundings. +In Windows 10, version 1803, you can configure your HoloLens devices to run as multi-app or single-app kiosks. You can also configure guest access for a HoloLens kiosk device by [designating a SpecialGroup account in your XML file.](#guest) + +When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. + +Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. When single-app kiosk mode is enabled for HoloLens, the bloom gesture and Cortana are disabled, and placed apps aren't shown in the user's surroundings. + +The [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) enables kiosk configuration. + +>[!WARNING] +>The assigned access feature which enables kiosk mode is intended for corporate-owned fixed-purpose devices. 
When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all [the enforced policies](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#policies-set-by-multi-app-kiosk-configuration). A factory reset is needed to clear all the policies enforced via assigned access. +> +>Be aware that voice commands are enabled for kiosk mode configured in Microsoft Intune or provisioning packages, even if the Cortana app is not selected as a kiosk app. + +For HoloLens devices running Windows 10, version 1803, there are three methods that you can use to configure the device as a kiosk: +- You can use [Microsoft Intune or other mobile device management (MDM) service](#intune-kiosk) to configure single-app and multi-app kiosks. +- You can [use a provisioning package](#ppkg-kiosk) to configure single-app and multi-app kiosks. +- You can [use the Windows Device Portal](#portal-kiosk) to configure single-app kiosks. This method is recommended only for demonstrations, as it requires that developer mode be enabled on the device. + +For HoloLens devices running Windows 10, version 1607, you can [use the Windows Device Portal](#portal-kiosk) to configure single-app kiosks. + + +## Start layout for HoloLens + +If you use [MDM, Microsoft Intune](#intune-kiosk), or a [provisioning package](#ppkg-kiosk) to configure a multi-app kiosk, the procedure requires a Start layout. Start layout customization isn't supported in Holographic for Business, so you'll need to use a placeholder Start layout. + +>[!NOTE] +>Because a single-app kiosk launches the kiosk app when a user signs in, there is no Start screen displayed. + + +### Start layout file for MDM (Intune and others) + +Save the following sample as an XML file. 
You will select this file when you configure the kiosk in Microsoft Intune (or in another MDM service that provides a kiosk profile). + +>[!NOTE] +>If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, use the [Start layout instructions for a provisioning package](#start-layout-for-a-provisioning-package). + +```xml + + + + + + + + + +``` + +### Start layout for a provisioning package + +You will [create an XML file](#ppkg-kiosk) to define the kiosk configuration to be included in a provisioning package. Use the following sample in the `StartLayout` section of your XML file. + +```xml + + + + + + + + + + + + + + + ]]> + + +``` + + +## Set up kiosk mode using Microsoft Intune or MDM (Windows 10, version 1803) + +For HoloLens devices that are managed by Microsoft Intune, you [create a device profile](https://docs.microsoft.com/intune/device-profile-create) and configure the [Kiosk settings](https://docs.microsoft.com/intune/kiosk-settings). + +For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#create-xml-file), and make sure to include the [Start layout](#start-layout-for-a-provisioning-package) in the XML file. + + + + +## Setup kiosk mode using a provisioning package (Windows 10, version 1803) + +Process: +1. [Create an XML file that defines the kiosk configuration.](#create-xml-file) +2. [Add the XML file to a provisioning package.](#add-xml) +3. 
[Apply the provisioning package to HoloLens.](#apply-ppkg) + + +### Create a kiosk configuration XML file + +Follow [the instructions for creating a kiosk configuration XML file for desktop](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-using-a-provisioning-package), with the following exceptions: + +- Do not include Classic Windows applications (Win32) since they aren't supported on HoloLens. +- Use the [placeholder Start XML](#start-kiosk) for HoloLens. + + +#### Add guest access to the kiosk configuration (optional) + +In the [Configs section of the XML file](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configs), you can configure a special group named **Visitor** to allow guests to use the kiosk. When the kiosk is configured with the **Visitor** special group, a "**Guest**" option is added to the sign-in page. The **Guest** account does not require a password, and any data associated with the account is deleted when the account signs out. + +Use the following snippet in your kiosk configuration XML to enable the **Guest** account: + +```xml + + + + + + +``` + + + +### Add the kiosk configuration XML file to a provisioning package + +1. Open [Windows Configuration Designer](https://www.microsoft.com/store/apps/9nblggh4tx22). +2. Choose **Advanced provisioning**. +3. Name your project, and click **Next**. +4. Choose **Windows 10 Holographic** and click **Next**. +5. Select **Finish**. The workspace for your package opens. +6. Expand **Runtime settings** > **AssignedAccess** > **MultiAppAssignedAccessSettings**. +7. In the center pane, click **Browse** to locate and select the kiosk configuration XML file that you created. + + ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer](images/multiappassignedaccesssettings.png) + +8. 
(**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed. +8. (**Optional**: If you already have a non-admin account on the kiosk device, skip this step.) Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**. +8. On the **File** menu, select **Save.** +9. On the **Export** menu, select **Provisioning package**. +10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +11. On the **Provisioning package security** page, do not select **Enable package encryption** or provisioning will fail on HoloLens. You can choose to enable package signing. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package. + +12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Configuration Designer uses the project folder as the output location. Optionally, you can click **Browse** to change the default output location. + +13. Click **Next**. + +14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. 
+ + + + +### Apply the provisioning package to HoloLens + +1. Connect HoloLens via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box). + +3. HoloLens will show up as a device in File Explorer on the PC. + +4. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage. + +5. Briefly press and release the **Volume Down** and **Power** buttons simultaneously again while on the **fit** page. + +6. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package. + +7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE. + + + +## Set up kiosk mode using the Windows Device Portal (Windows 10, version 1607 and version 1803) 1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC. @@ -37,3 +203,17 @@ Kiosk mode limits the user's ability to launch new apps or change the running ap 5. Select **Enable Kiosk Mode**, choose an app to run when the device starts, and click **Save**. + +## Kiosk app recommendations + +- You cannot select Microsoft Edge, Microsoft Store, or the Shell app as a kiosk app. +- We recommend that you do **not** select the Settings app and the File Explorer app as a kiosk app. +- You can select Cortana as a kiosk app. +- To enable photo or video capture, the HoloCamera app must be enabled as a kiosk app. + +## More information + + + +Watch how to configure a kiosk in a provisioning package. +>[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false] \ No newline at end of file 
diff --git a/devices/hololens/hololens-microsoft-layout-app.md b/devices/hololens/hololens-microsoft-layout-app.md new file mode 100644 index 0000000000..4f5540e858 --- /dev/null +++ b/devices/hololens/hololens-microsoft-layout-app.md 
@@ -0,0 +1,73 @@
+---
+title: Microsoft Layout
+description: How to get and deploy the Microsoft Layout app throughout your organization
+ms.prod: hololens
+ms.sitesec: library
+author: alhopper-msft
+ms.author: alhopper
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 05/21/2018
+---
+# Microsoft Layout
+
+Bring designs from concept to completion with confidence and speed. Import 3D models to easily create room layouts in real-world scale. Experience designs as high-quality holograms in physical space or virtual reality and edit with stakeholders in real time. With Microsoft Layout, see ideas in context, saving valuable time and money.
+
+## Device options and technical requirements
+
+Below are the device options, and technical requirements, to use and deploy Microsoft Layout throughout your organization.
+
+### Device options
+
+Microsoft Layout works with a HoloLens, or with a Windows Mixed Reality headset with motion controllers.
+
+#### HoloLens requirements
+
+| OS requirements | Details |
+|:----------------------------------|:-----------------------------------------------------------|
+| Build 10.0.17134.77 or above | See [Update HoloLens](https://support.microsoft.com/help/12643/hololens-update-hololens) for instructions on upgrading to this build. |
+
+#### Windows Mixed Reality headset requirements
+
+| Requirements | Details |
+|:----------------------------------------------|:-----------------------------------------------------------|
+| Windows 10 PC with build 16299.0 or higher | The Windows 10 PC hardware must be able to support the headset. See [Windows Mixed Reality PC hardware guidelines](https://support.microsoft.com/en-us/help/4039260/windows-10-mixed-reality-pc-hardware-guidelines) for specific hardware requirements. We recommend following the **Windows Mixed Reality Ultra** hardware guidelines. |
+| Motion controllers | Motion controllers are hardware accessories that allow users to take action in mixed reality.
See [Motion controllers](https://docs.microsoft.com/en-us/windows/mixed-reality/motion-controllers) to learn more. |
+
+### Technical requirements
+
+Have the following technical requirements in place to start using Microsoft Layout.
+
+| Requirement | Details | Learn more |
+|:----------------------------------|:------------------|:------------------|
+| Azure Active Directory (Azure AD) | Required for app distribution through the [Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/sign-up-microsoft-store-for-business). If you choose not to distribute the app through the Microsoft Store for Business, users can also install Layout on a HoloLens or PC from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps). | [Get started with Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/get-started-azure-ad) |
+| Network connectivity | Internet access is required to download the app, and utilize all of its features. There are no bandwidth requirements. | |
+| Apps for sharing | Video calling or screen sharing requires a separate app, such as Microsoft Remote Assist on HoloLens, or Skype or Skype for Business on Windows Mixed Reality headsets.

A Windows 10 PC that meets the Windows Mixed Reality Ultra specifications is also required for video calling or screen sharing when using Layout with a Windows Mixed Reality headset. | [Remote Assist](hololens-microsoft-remote-assist-app.md)

[Windows Mixed Reality PC hardware guidelines](https://support.microsoft.com/en-us/help/4039260/windows-10-mixed-reality-pc-hardware-guidelines) |
+| Import Tool for Microsoft Layout | The Import Tool for Microsoft Layout is a companion app for Layout that makes model optimization and management easy. The Import Tool runs on Windows 10 PCs, and is required to transfer existing 3D models from your PC to Microsoft Layout, so they can be viewed and edited from the HoloLens or mixed reality headset. The Import Tool is also required to transfer Visio space dimensions to the HoloLens or Windows Mixed Reality headset. | [Import Tool for Microsoft Layout](#get-and-deploy-the-import-tool-for-microsoft-layout) |
+
+## Get and deploy Microsoft Layout
+
+Microsoft Layout is available from the Microsoft Store for Business for free for a limited time:
+
+1. Go to the [Microsoft Layout](https://businessstore.microsoft.com/en-us/store/details/app/9NSJN53K3GFJ) app in the Microsoft Store for Business.
+1. Click **Get the app**. Microsoft Layout is added to the **Products and Services** tab for your private store.
+1. Users can open the **Products and Services** tab to install the app to their device, or you can deploy the app throughout your organization using MDM. See [Install apps on HoloLens](hololens-install-apps.md) for further instructions on deploying apps.
+
+For a limited time, users can also [Get Microsoft Layout from the Microsoft Store](https://www.microsoft.com/store/productId/9NSJN53K3GFJ) for free.
+
+### Get and deploy the Import Tool for Microsoft Layout
+
+The **Import Tool for Microsoft Layout** is a companion app for Layout that makes model optimization and management easy. The Import Tool runs on Windows 10 PCs, and is required to transfer existing 3D models from your PC to Microsoft Layout, for viewing and editing on Microsoft HoloLens or a Windows Mixed Reality headset.
+
+The companion app is available in both the Microsoft Store for Business, and the Microsoft Store, for free for a limited time:
+
+* [Get the Microsoft Layout Import Tool](https://businessstore.microsoft.com/en-us/store/details/app/9N88Q3RXPLP0) from the Microsoft Store for Business. See [Distribute apps to your employees from Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/distribute-apps-to-your-employees-microsoft-store-for-business) for instructions on using the Microsoft Store for Business, and/or MDM, to deploy Windows 10 apps throughout your organization.
+* Alternately, have your users [Get the Microsoft Layout Import Tool](https://www.microsoft.com/store/productId/9N88Q3RXPLP0) from the Microsoft Store to install the app on their Windows 10 PC.
+
+## Use Microsoft Layout
+
+For guidance on using the features of the Microsoft Layout app, please see [Set up and use Microsoft Layout](https://support.microsoft.com/help/4294437).
+
+## Questions and support
+
+You can ask questions and engage with our team in the [Mixed Reality Tech Community](https://techcommunity.microsoft.com/t5/Mixed-Reality/ct-p/MixedReality).
\ No newline at end of file
diff --git a/devices/hololens/hololens-microsoft-remote-assist-app.md b/devices/hololens/hololens-microsoft-remote-assist-app.md
new file mode 100644
index 0000000000..221c650ada
--- /dev/null
+++ b/devices/hololens/hololens-microsoft-remote-assist-app.md
@@ -0,0 +1,64 @@
+---
+title: Microsoft Remote Assist
+description: How to get and deploy the Microsoft Remote Assist app throughout your organization
+ms.prod: hololens
+ms.sitesec: library
+author: alhopper-msft
+ms.author: alhopper
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 05/22/2018
+---
+# Microsoft Remote Assist
+
+Collaborate remotely with heads-up, hands-free video calling, image sharing, and mixed reality annotations. Firstline workers can share what they see with any expert on Microsoft Teams, while staying hands on to solve problems and complete tasks together, faster. Backed by enterprise-level security, Microsoft Remote Assist enables communication with peace of mind.
+
+## Technical requirements
+
+Below are the technical requirements to deploy and use Microsoft Remote Assist throughout your organization.
+
+### Device requirements
+
+| Device | OS requirements | Details |
+|:---------------------------|:----------------------------------|:-----------------------------------------------------------|
+| HoloLens | Build 10.0.14393.0 or above | See [Manage updates to HoloLens](https://docs.microsoft.com/en-us/HoloLens/hololens-updates) for instructions on using Windows Update for Business, MDM, and Windows Server Update Service (WSUS) to deploy updates to HoloLens. |
+| Windows 10 PC (optional) | Any Windows 10 build | A Windows 10 PC can collaborate with the HoloLens using Microsoft Teams. |
+
+> [!Note]
+> HoloLens build 10.0.14393.0 is the minimum that supports Remote Assist. We recommend updating the HoloLens to newer versions when they are available.
+
+### Licensing & product requirements
+
+| Product required | Details | Learn more |
+|:----------------------------------|:------------------|:------------------|
+| Azure Active Directory (Azure AD) | Required to log users into the Remote Assist app through Microsoft Teams.
Also required for app distribution through the [Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/sign-up-microsoft-store-for-business). If you choose not to distribute the app through the Microsoft Store for Business, users can alternately install Remote Assist on a HoloLens or PC from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps). | [Get started with Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/get-started-azure-ad) |
+| Microsoft Teams | Microsoft Teams facilitates communication in Remote Assist. Microsoft Teams must be installed on any device that will make calls to the HoloLens. | [Overview of Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/teams-overview) |
+| Microsoft Office 365 | Because Microsoft Teams is part of Office 365, each user who will make calls from their PC/phone to the HoloLens will need an Office 365 license. | [Office 365 licensing for Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/office-365-licensing) |
+
+### Network requirements
+
+1.5 MB/s is the recommended bandwidth for optimal performance of Microsoft Remote Assist. Though audio/video calls may be possible in environments with reduced bandwidth, you may experience HoloLens feature degradation, limiting the user experience. To test your company’s network bandwidth, follow these steps:
+
+ 1. Have a Teams user video call another Teams user.
+ 2. Add another separate video call between a 3rd and 4th user, and another for a 5th and 6th user.
+ 3. Continue adding video callers to stress test your network bandwidth until confident that multiple users can successfully connect on video calls at the same time.
+
+See [Preparing your organization's network for Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/prepare-network) to learn more.
+
+## Get and deploy Microsoft Remote Assist
+
+Microsoft Remote Assist is available from the Microsoft Store for Business for free for a limited time:
+
+1. Go to the [Microsoft Remote Assist](https://businessstore.microsoft.com/en-us/store/details/app/9PPJSDMD680S) app in the Microsoft Store for Business.
+1. Click **Get the app**. Microsoft Remote Assist is added to the **Products and Services** tab for your private store.
+1. Users can open the **Products and Services** tab to install the app to their device, or you can deploy the app throughout your organization using MDM. See [Install apps on HoloLens](hololens-install-apps.md) for further instructions on deploying apps.
+
+For a limited time, users can also [Get Microsoft Remote Assist from the Microsoft Store](https://www.microsoft.com/store/productId/9PPJSDMD680S) for free.
+
+## Use Microsoft Remote Assist
+
+For guidance on using the features of the Microsoft Remote Assist app, please see [Set up and use Microsoft Remote Assist](https://support.microsoft.com/en-us/help/4294812).
+
+## Questions and support
+
+You can ask questions and engage with our team in the [Mixed Reality Tech Community](https://techcommunity.microsoft.com/t5/Mixed-Reality/ct-p/MixedReality).
diff --git a/devices/hololens/hololens-multiple-users.md b/devices/hololens/hololens-multiple-users.md
new file mode 100644
index 0000000000..f5bbdf30af
--- /dev/null
+++ b/devices/hololens/hololens-multiple-users.md
@@ -0,0 +1,31 @@
+---
+title: Share HoloLens with multiple people (HoloLens)
+description: You can configure HoloLens to be shared by multiple Azure Active Directory accounts.
+ms.prod: hololens
+ms.sitesec: library
+author: jdeckerms
+ms.author: jdecker
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 04/30/2018
+---
+
+# Share HoloLens with multiple people
+
+
+A HoloLens device can be shared by multiple Azure Active Directory (Azure AD) accounts, each with their own user settings and user data on the device.
+
+**Prerequisite**: The HoloLens device must be running Windows 10, version 1803, and be [upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md).
+
+During setup, you must select **My work or school owns it** and sign in with an Azure AD account. After setup, ensure that **Other People** appears in **Settings** > **Accounts**.
+
+Other people can use the HoloLens device by signing in with their Azure AD account credentials. To switch users, press the power button once to go to standby and then press the power button again to return to the lock screen, or select the user tile on the upper right of the pins panel to sign out the current user.
+
+>[!NOTE]
+>Each subsequent user will need to perform [Calibration](https://developer.microsoft.com/windows/mixed-reality/calibration) in order to set their correct interpupillary distance (PD) for the device while signed in.
+
+To see users on the device or to remove a user from the device, go to **Settings** > **Accounts** > **Other users**.
+
+
+
+
diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md
index eae5a880c2..c1a90edadb 100644
--- a/devices/hololens/hololens-provisioning.md
+++ b/devices/hololens/hololens-provisioning.md
@@ -1,36 +1,92 @@ --- title: Configure HoloLens using a provisioning package (HoloLens) description: Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. -ms.prod: w10 -ms.mktglfcycl: manage -ms.pagetype: hololens, devices +ms.prod: hololens ms.sitesec: library author: jdeckerms +ms.author: jdecker +ms.topic: article ms.localizationpriority: medium -ms.date: 11/29/2017 +ms.date: 04/30/2018 --- -# Configure HoloLens using a provisioning package test +# Configure HoloLens using a provisioning package -Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. The Windows Assessment and Deployment Kit (ADK) for Windows 10 includes the Windows Configuration Designer, a tool for configuring images and runtime settings which are then built into provisioning packages. + + +[Windows provisioning](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages) makes it easy for IT administrators to configure end-user devices without imaging. Windows Configuration Designer is a tool for configuring images and runtime settings which are then built into provisioning packages. Some of the HoloLens configurations that you can apply in a provisioning package: - Upgrade to Windows Holographic for Business - Set up a local account - Set up a Wi-Fi connection -- Apply certificatess to the device +- Apply certificates to the device -To install Windows Configuration Designer and create provisioning packages, you must [install the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) or install [Windows Configuration Designer](https://www.microsoft.com/store/apps/9nblggh4tx22) from the Microsoft Store. - -When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration Designer** from the **Select the features you want to install** dialog box. 
- -![Choose Configuration Designer](images/adk-install.png) - -> [!NOTE] -> In previous versions of the Windows 10 ADK, you had to install additional features for Windows Configuration Designer to run. Starting in version 1607, you can install Windows Configuration Designer without other ADK features. +To create provisioning packages, you must install Windows Configuration Designer [from Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) or [from the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box. -## Create a provisioning package for HoloLens + + +## Create a provisioning package for HoloLens using the HoloLens wizard + +The HoloLens wizard helps you configure the following settings in a provisioning package: + +- Upgrade to the enterprise edition + + >[!NOTE] + >Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md). + +- Configure the HoloLens first experience (OOBE) +- Configure Wi-Fi network +- Enroll device in Azure Active Directory or create a local account +- Add certificates +- Enable Developer Mode + +>[!WARNING] +>You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. + +Provisioning packages can include management instructions and policies, customization of network connections and policies, and more. + +> [!TIP] +> Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc. 
+> +>![open advanced editor](images/icd-simple-edit.png) + +### Create the provisioning package + +Use the Windows Configuration Designer tool to create a provisioning package. + +1. Open Windows Configuration Designer (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). + +2. Click **Provision HoloLens devices**. + + ![ICD start options](images/icd-create-options-1703.png) + +3. Name your project and click **Finish**. + +4. Read the instructions on the **Getting started** page and select **Next**. The pages for desktop provisioning will walk you through the following steps. + +> [!IMPORTANT] +> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +### Configure settings + + + + + + + + + +
![step one](images/one.png)![set up device](images/set-up-device.png)

Browse to and select the enterprise license file to upgrade the HoloLens edition.

You can also toggle **Yes** or **No** to hide parts of the first experience.

Select a region and timezone in which the device will be used.
![Select enterprise licence file and configure OOBE](images/set-up-device-details.png)
![step two](images/two.png) ![set up network](images/set-up-network.png)

Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
![Enter network SSID and type](images/set-up-network-details-desktop.png)
![step three](images/three.png) ![account management](images/account-management.png)

You can enroll the device in Azure Active Directory, or create a local account on the device

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

To create a local account, select that option and enter a user name and password.

**Important:** (For Windows 10, version 1607 only) If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
![join Azure AD or create a local account](images/account-management-details.png)
![step four](images/four.png) ![add certificates](images/add-certificates.png)

To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
![add a certificate](images/add-certificates-details.png)
![Developer Setup](images/developer-setup.png)

Toggle **Yes** or **No** to enable Developer Mode on the HoloLens. [Learn more about Developer Mode.](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
![Enable Developer Mode](images/developer-setup-details.png)
![finish](images/finish.png)

Do not set a password to protect your provisioning package. If the provisioning package is protected by a password, provisioning the HoloLens device will fail.
![Protect your package](images/finish-details.png)
+ +After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. + + **Next step**: [How to apply a provisioning package](#apply) + + +## Create a provisioning package for HoloLens using advanced provisioning >[!NOTE] >Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md). @@ -47,7 +103,7 @@ When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration D 7. Expand **Runtime settings** and customize the package with any of the settings [described below](#what-you-can-configure). >[!IMPORTANT] - >If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/mixed-reality/reset_or_recover_your_hololens#perform_a_full_device_recovery). + >(For Windows 10, version 1607 only) If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/mixed-reality/reset_or_recover_your_hololens#perform_a_full_device_recovery). 8. On the **File** menu, click **Save**. 
@@ -80,12 +136,12 @@ When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration D 10. When the build completes, click **Finish**. - + ## Apply a provisioning package to HoloLens 1. Connect the device via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box). -2. Briefly press and release the **Volume Down** and **Power** buttons simultaneously. +2. Briefly press and release the **Volume Down** and **Power** buttons simultaneously. (This step isn't needed in Windows 10, version 1803.) 3. HoloLens will show up as a device in File Explorer on the PC. @@ -110,7 +166,6 @@ In Windows Configuration Designer, when you create a provisioning package for Wi | Setting | Description | | --- | --- | -| **Accounts** | Create a local account. HoloLens currently supports a single user only. Creating multiple local accounts in a provisioning package is not supported.

**IMPORTANT**
If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/mixed-reality/reset_or_recover_your_hololens#perform_a_full_device_recovery). | | **Certificates** | Deploy a certificate to HoloLens. | | **ConnectivityProfiles** | Deploy a Wi-Fi profile to HoloLens. | | **EditionUpgrade** | [Upgrade to Windows Holographic for Business.](hololens-upgrade-enterprise.md) | diff --git a/devices/hololens/hololens-public-preview-apps.md b/devices/hololens/hololens-public-preview-apps.md new file mode 100644 index 0000000000..e3a966f008 --- /dev/null +++ b/devices/hololens/hololens-public-preview-apps.md 
@@ -0,0 +1,31 @@
+---
+title: Preview new mixed reality apps for HoloLens
+description: Here's how to download and distribute new mixed reality apps for HoloLens, free for a limited time during public preview
+ms.prod: hololens
+ms.sitesec: library
+author: alhopper
+ms.author: alhopper
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 05/21/2018
+---
+# Preview new mixed reality apps for HoloLens
+
+Microsoft has just announced two new mixed reality apps coming to HoloLens: Microsoft Remote Assist and Microsoft Layout.
+
+The gap between the real and digital world limits our ability to take advantage of new technologies and transform how we work, learn, create, communicate, and live. **Mixed reality is here to close that gap**.
+
+Mixed reality has the potential to help customers and businesses across the globe do things that until now, have never been possible. Mixed reality helps businesses and employees complete crucial tasks faster, safer, more efficiently, and create new ways to connect to customers and partners.
+
+Ready to get started? Check out the links below to learn more about how you can download and deploy Microsoft's new commercial-focused mixed reality apps.
+
+## In this section
+
+| Topic | Description |
+| --- | --- |
+| [Microsoft Remote Assist](hololens-microsoft-remote-assist-app.md) | Microsoft Remote Assist enables collaboration in mixed reality to solve problems faster. Firstline workers can collaborate remotely with heads-up, hands-free video calling, image sharing, and mixed reality annotations. They can share what they see with an expert on Microsoft Teams, while staying hands-on to solve problems and complete tasks together, faster. |
+| [Microsoft Layout](hololens-microsoft-layout-app.md ) | Bring designs from concept to completion with confidence and speed using Microsoft Layout. Import 3D models to easily create room layouts in real-world scale.
Experience designs as high-quality holograms in physical or virtual space and edit in real time. With Microsoft Layout, you can see ideas in context, saving valuable time and money. | + +## Questions and support + +You can ask questions and engage with our team in the [Mixed Reality Tech Community](https://techcommunity.microsoft.com/t5/Mixed-Reality/ct-p/MixedReality). \ No newline at end of file diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md index 77ad68eb9e..402cb33a40 100644 --- a/devices/hololens/hololens-requirements.md +++ b/devices/hololens/hololens-requirements.md @@ -1,13 +1,13 @@ --- title: HoloLens in the enterprise requirements and FAQ (HoloLens) description: Requirements and FAQ for general use, Wi-Fi, and device management for HoloLens in the enterprise. -ms.prod: w10 -ms.mktglfcycl: manage -ms.pagetype: hololens, devices +ms.prod: hololens ms.sitesec: library author: jdeckerms +ms.author: jdecker +ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 06/04/2018 --- # Microsoft HoloLens in the enterprise: requirements and FAQ 
@@ -45,17 +45,25 @@ When you develop for HoloLens, there are [system requirements and tools](https:/ ## FAQ for HoloLens + #### Is Windows Hello for Business supported on HoloLens? -Hello for Business (using a PIN to sign in) is supported for HoloLens. It must be configured [using MDM](hololens-enroll-mdm.md). +Windows Hello for Business (using a PIN to sign in) is supported for HoloLens. To allow Windows Hello for Business PIN sign-in on HoloLens: + +1. The HoloLens device must be [managed by MDM](hololens-enroll-mdm.md). +2. You must enable Windows Hello for Business for the device. ([See instructions for Microsoft Intune.](https://docs.microsoft.com/intune/windows-hello)) +3. On HoloLens, the user can then set up a PIN from **Settings** > **Sign-in Options** > **Add PIN**. + +>[!NOTE] +>Users who sign in with a Microsoft account can also set up a PIN in **Settings** > **Sign-in Options** > **Add PIN**. This PIN is associated with [Windows Hello](https://support.microsoft.com/help/17215/windows-10-what-is-hello), rather than [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-overview). #### Does the type of account change the sign-in behavior? Yes, the behavior for the type of account impacts the sign-in behavior. If you apply policies for sign-in, the policy is always respected. If no policy for sign-in is applied, these are the default behaviors for each account type. - Microsoft account: signs in automatically -- Local account: always asks for password, not configurable by Settings -- Azure AD: asks for password by default; configurable by Settings to no longer ask for password. +- Local account: always asks for password, not configurable in **Settings** +- Azure AD: asks for password by default; configurable by **Settings** to no longer ask for password. 
>[!NOTE] >Inactivity timers are currently not supported, which means that the **AllowIdleReturnWithoutPassword** policy is respected only when the device goes into StandBy. diff --git a/devices/hololens/hololens-setup.md b/devices/hololens/hololens-setup.md index 3fa1130923..6912c956f4 100644 --- a/devices/hololens/hololens-setup.md +++ b/devices/hololens/hololens-setup.md @@ -1,13 +1,13 @@ --- title: Set up HoloLens (HoloLens) description: The first time you set up HoloLens, you'll need a Wi-Fi network and either a Microsoft or Azure Active Directory account. -ms.prod: w10 -ms.mktglfcycl: manage -ms.pagetype: hololens, devices +ms.prod: hololens ms.sitesec: library author: jdeckerms +ms.author: jdecker +ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 08/02/2018 --- # Set up HoloLens @@ -19,7 +19,6 @@ Before you get started setting up your HoloLens, make sure you have a Wi-Fi netw The first time you use your HoloLens, you'll be guided through connecting to a Wi-Fi network. You need to connect HoloLens to a Wi-Fi network with Internet connectivity so that the user account can be authenticated. - It can be an open Wi-Fi or password-protected Wi-Fi network. -- The Wi-Fi network cannot require you to navigate to a webpage to connect. - The Wi-Fi network cannot require certificates to connect. - The Wi-Fi network does not need to provide access to enterprise resources or intranet sites. 
@@ -31,7 +30,12 @@ The HoloLens setup process combines a quick tutorial on using HoloLens with the 2. [Turn on HoloLens](https://support.microsoft.com/help/12642). You will be guided through a calibration procedure and how to perform [the gestures](https://support.microsoft.com/help/12644/hololens-use-gestures) that you will use to operate HoloLens. 3. Next, you'll be guided through connecting to a Wi-Fi network. 4. After HoloLens connects to the Wi-Fi network, you select between **My work or school owns it** and **I own it**. - - When you choose **My work or school owns it**, you sign in with an Azure AD account. If your organization uses Azure AD Premium and has configured automatic MDM enrollment, HoloLens will be enrolled in MDM. If your organization does not use Azure AD Premium, automatic MDM enrollment isn't available, so you will need to [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app). + - When you choose **My work or school owns it**, you sign in with an Azure AD account. + + >[!NOTE] + >[To share your HoloLens device with multiple Azure AD accounts](hololens-multiple-users.md), the HoloLens device must be running Windows 10, version 1803, and be [upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md). + + If your organization uses Azure AD Premium and has configured automatic MDM enrollment, HoloLens will be enrolled in MDM. If your organization does not use Azure AD Premium, automatic MDM enrollment isn't available, so you will need to [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app). 1. Enter your organizational account. 2. Accept privacy statement. 3. Sign in using your Azure AD credentials. This may redirect to your organization's sign-in page. diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md new file mode 100644 index 0000000000..e10552862b --- /dev/null 
+++ b/devices/hololens/hololens-updates.md 
@@ -0,0 +1,49 @@ +--- +title: Manage updates to HoloLens (HoloLens) +description: Administrators can use mobile device management to manage updates to HoloLens devices. +ms.prod: hololens +ms.sitesec: library +author: jdeckerms +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium +ms.date: 04/30/2018 +--- + +# Manage updates to HoloLens + +>**Looking for how to get the latest update? See [Update HoloLens](https://support.microsoft.com/help/12643/hololens-update-hololens).** + +Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. As with desktop devices, administrators can manage updates to the HoloLens operating system using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). + +>[!NOTE] +>HoloLens devices must be [upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md) to manage updates. + + +Mobile device management (MDM) providers use the [Policy Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) to enable update management. + +The Update policies supported for HoloLens are: + +- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) +- [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice) +- [Update/RequireDeferUpgrade](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requiredeferupgrade) +- [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval) +- [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl) + + + +Typically, devices access Windows Update directly for updates. 
You can use the following update policies to configure devices to get updates from Windows Server Update Service (WSUS) instead: + +- [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice) +- [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval) +- [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl) + +In Microsoft Intune, use [a custom profile](https://docs.microsoft.com/intune/custom-settings-windows-holographic) to configure devices to get updates from WSUS. + + + + + +## Related topics + +- [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure) \ No newline at end of file diff --git a/devices/hololens/hololens-upgrade-enterprise.md b/devices/hololens/hololens-upgrade-enterprise.md index 1ac6bbeed2..f7da9a892b 100644 --- a/devices/hololens/hololens-upgrade-enterprise.md +++ b/devices/hololens/hololens-upgrade-enterprise.md 
@@ -1,23 +1,25 @@ --- title: Unlock Windows Holographic for Business features (HoloLens) description: HoloLens provides extra features designed for business when you upgrade to Windows Holographic for Business. -ms.prod: w10 -ms.mktglfcycl: manage -ms.pagetype: hololens, devices +ms.prod: hololens ms.sitesec: library author: jdeckerms +ms.author: jdecker +ms.topic: article ms.localizationpriority: medium -ms.date: 02/02/2018 +ms.date: 07/09/2018 --- # Unlock Windows Holographic for Business features + + Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://docs.microsoft.com/windows/mixed-reality/commercial-features), which provides extra features designed for business. When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic for Business. This license can be applied to the device either through the organization's [mobile device management (MDM) provider](#edition-upgrade-using-mdm) or a [provisioning package](#edition-upgrade-using-a-provisioning-package). >[!TIP] ->You can tell that the HoloLens has been upgraded to the business edition in **Settings** > **Network & Internet**. The **VPN** option is only available in Windows Holographic for Business. +>In Windows 10, version 1803, you can tell that the HoloLens has been upgraded to the business edition in **Settings** > **System**. @@ -37,7 +39,7 @@ Provisioning packages are files created by the Windows Configuration Designer to ### Create a provisioning package that upgrades the Windows Holographic edition -1. [Create a provisioning package for HoloLens.](hololens-provisioning.md#create-a-provisioning-package-for-hololens) +1. [Create a provisioning package for HoloLens.](hololens-provisioning.md) 2. Go to **Runtime settings** > **EditionUpgrade**, and select **EditionUpgradeWithLicense**. 
@@ -79,11 +81,10 @@ Provisioning packages are files created by the Windows Configuration Designer to ### Apply the provisioning package to HoloLens -1. Connect the device via USB to a PC and start the device, but do not continue past the **fit** page of the initial setup experience (the first page with the blue box). +1. Connect the device via USB to a PC and start the device, but do not continue past the **fit** page of the initial setup experience (the first page with the blue box). HoloLens will show up as a device in File Explorer on the PC. -2. Briefly press and release the **Volume Down** and **Power** buttons simultaneously. - -3. HoloLens will show up as a device in File Explorer on the PC. + >[!NOTE] + >If the HoloLens device is running Windows 10, version 1607 or earlier, briefly press and release the **Volume Down** and **Power** buttons simultaneously to open File Explorer. 4. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage. @@ -93,8 +94,7 @@ Provisioning packages are files created by the Windows Configuration Designer to 7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with device setup. ->[!NOTE] ->If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package. + diff --git a/devices/hololens/hololens-whats-new.md b/devices/hololens/hololens-whats-new.md new file mode 100644 index 0000000000..75556a83db --- /dev/null +++ b/devices/hololens/hololens-whats-new.md 
@@ -0,0 +1,54 @@ +--- +title: What's new in Microsoft HoloLens (HoloLens) +description: Windows Holographic for Business gets new features in Windows 10, version 1803. +ms.prod: hololens +ms.sitesec: library +author: jdeckerms +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium +ms.date: 04/30/2018 +--- + +# What's new in Microsoft HoloLens + + + +Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes: + +- Previously, you could only verify that upgrade license for Commercial Suite had been applied to your HoloLens device by checking to see if VPN was an available option on the device. Now, **Settings** > **System** will display **Windows Holographic for Business** after the upgrade license is applied. [Learn how to unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md). + +- You can view the operating system build number in device properties in the File Explorer app and in the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq). + +- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#wizard). + + ![Provisioning HoloLens devices](images/provision-hololens-devices.png) + +- When you create a local account in a provisioning package, the password no longer expires every 42 days. + +- You can [configure HoloLens as a single-app or multi-app kiosk](hololens-kiosk.md). Multi-app kiosk mode lets you set up a HoloLens to only run the apps that you specify, and prevents users from making changes. 
+ +- Media Transfer Protocol (MTP) is enabled so that you can connect the HoloLens device to a PC by USB and transfer files between HoloLens and the PC. You can also use the File Explorer app to move and delete files from within HoloLens. + +- Previously, after you signed in to the device with an Azure Active Directory (Azure AD) account, you then had to **Add work access** in **Settings** to get access to corporate resources. Now, you sign in with an Azure AD account and enrollment happens automatically. + +- Before you sign in, you can choose the network icon below the password field to choose a different Wi-Fi network to connect to. You can also connect to a guest network, such as at a hotel, conference center, or business. + +- You can now easily [share HoloLens with multiple people](hololens-multiple-users.md) using Azure AD accounts. + +- When setup or sign-in fails, choose the new **Collect info** option to get diagnostic logs for troubleshooting. + +- Individual users can sync their corporate email without enrolling their device in mobile device management (MDM). You can use the device with a Microsoft Account, download and install the Mail app, and add an email account directly. + +- You can check the MDM sync status for a device in **Settings** > **Accounts** > **Access Work or School** > **Info**. In the **Device sync status** section, you can start a sync, see areas managed by MDM, and create and export an advanced diagnostics report. + + + + + +## Additional resources + +- [Reset or recover your HoloLens](https://developer.microsoft.com/windows/mixed-reality/reset_or_recover_your_hololens) +- [Restart, rest, or recover HoloLens](https://support.microsoft.com/help/13452/hololens-restart-reset-or-recover-hololens) +- [Manage devices running Windows Holographic with Microsoft Intune](https://docs.microsoft.com/intune/windows-holographic-for-business) + 
diff --git a/devices/hololens/images/account-management-details.png b/devices/hololens/images/account-management-details.png
new file mode 100644
index 0000000000..4094dabd85
Binary files /dev/null and b/devices/hololens/images/account-management-details.png differ
diff --git a/devices/hololens/images/account-management.PNG b/devices/hololens/images/account-management.PNG
new file mode 100644
index 0000000000..34165dfcd6
Binary files /dev/null and b/devices/hololens/images/account-management.PNG differ
diff --git a/devices/hololens/images/add-certificates-details.PNG b/devices/hololens/images/add-certificates-details.PNG
new file mode 100644
index 0000000000..966a826a46
Binary files /dev/null and b/devices/hololens/images/add-certificates-details.PNG differ
diff --git a/devices/hololens/images/add-certificates.PNG b/devices/hololens/images/add-certificates.PNG
new file mode 100644
index 0000000000..24cb605d1c
Binary files /dev/null and b/devices/hololens/images/add-certificates.PNG differ
diff --git a/devices/hololens/images/backicon.png b/devices/hololens/images/backicon.png
new file mode 100644
index 0000000000..3007e448b1
Binary files /dev/null and b/devices/hololens/images/backicon.png differ
diff --git a/devices/hololens/images/check_blu.png b/devices/hololens/images/check_blu.png
new file mode 100644
index 0000000000..d5c703760f
Binary files /dev/null and b/devices/hololens/images/check_blu.png differ
diff --git a/devices/hololens/images/check_grn.png b/devices/hololens/images/check_grn.png
new file mode 100644
index 0000000000..f9f04cd6bd
Binary files /dev/null and b/devices/hololens/images/check_grn.png differ
diff --git a/devices/hololens/images/checklistbox.gif b/devices/hololens/images/checklistbox.gif
new file mode 100644
index 0000000000..cbcf4a4f11
Binary files /dev/null and b/devices/hololens/images/checklistbox.gif differ
diff --git a/devices/hololens/images/checklistdone.png b/devices/hololens/images/checklistdone.png
new file mode 100644
index 0000000000..7e53f74d0e
Binary files /dev/null and b/devices/hololens/images/checklistdone.png differ
diff --git a/devices/hololens/images/checkmark.png b/devices/hololens/images/checkmark.png
new file mode 100644
index 0000000000..f9f04cd6bd
Binary files /dev/null and b/devices/hololens/images/checkmark.png differ
diff --git a/devices/hololens/images/crossmark.png b/devices/hololens/images/crossmark.png
new file mode 100644
index 0000000000..69432ff71c
Binary files /dev/null and b/devices/hololens/images/crossmark.png differ
diff --git a/devices/hololens/images/developer-setup-details.png b/devices/hololens/images/developer-setup-details.png
new file mode 100644
index 0000000000..0a32af7ba7
Binary files /dev/null and b/devices/hololens/images/developer-setup-details.png differ
diff --git a/devices/hololens/images/developer-setup.png b/devices/hololens/images/developer-setup.png
new file mode 100644
index 0000000000..826fda5f25
Binary files /dev/null and b/devices/hololens/images/developer-setup.png differ
diff --git a/devices/hololens/images/doneicon.png b/devices/hololens/images/doneicon.png
new file mode 100644
index 0000000000..d80389f35b
Binary files /dev/null and b/devices/hololens/images/doneicon.png differ
diff --git a/devices/hololens/images/finish-details.png b/devices/hololens/images/finish-details.png
new file mode 100644
index 0000000000..ff3f53e5c8
Binary files /dev/null and b/devices/hololens/images/finish-details.png differ
diff --git a/devices/hololens/images/finish.PNG b/devices/hololens/images/finish.PNG
new file mode 100644
index 0000000000..7c65da1799
Binary files /dev/null and b/devices/hololens/images/finish.PNG differ
diff --git a/devices/hololens/images/five.png b/devices/hololens/images/five.png
new file mode 100644
index 0000000000..961f0e15b7
Binary files /dev/null and b/devices/hololens/images/five.png differ
diff --git a/devices/hololens/images/four.png b/devices/hololens/images/four.png
new file mode 100644
index 0000000000..0fef213b37
Binary files /dev/null and b/devices/hololens/images/four.png differ
diff --git a/devices/hololens/images/icd-create-options-1703.PNG b/devices/hololens/images/icd-create-options-1703.PNG
new file mode 100644
index 0000000000..007e740683
Binary files /dev/null and b/devices/hololens/images/icd-create-options-1703.PNG differ
diff --git a/devices/hololens/images/icd-export-menu.png b/devices/hololens/images/icd-export-menu.png
new file mode 100644
index 0000000000..20bd5258eb
Binary files /dev/null and b/devices/hololens/images/icd-export-menu.png differ
diff --git a/devices/hololens/images/icd-install.PNG b/devices/hololens/images/icd-install.PNG
new file mode 100644
index 0000000000..a0c80683ff
Binary files /dev/null and b/devices/hololens/images/icd-install.PNG differ
diff --git a/devices/hololens/images/icd-simple-edit.png b/devices/hololens/images/icd-simple-edit.png
new file mode 100644
index 0000000000..421159ac17
Binary files /dev/null and b/devices/hololens/images/icd-simple-edit.png differ
diff --git a/devices/hololens/images/launchicon.png b/devices/hololens/images/launchicon.png
new file mode 100644
index 0000000000..d469c68a2c
Binary files /dev/null and b/devices/hololens/images/launchicon.png differ
diff --git a/devices/hololens/images/multiappassignedaccesssettings.png b/devices/hololens/images/multiappassignedaccesssettings.png
new file mode 100644
index 0000000000..86e2e0a451
Binary files /dev/null and b/devices/hololens/images/multiappassignedaccesssettings.png differ
diff --git a/devices/hololens/images/one.png b/devices/hololens/images/one.png
new file mode 100644
index 0000000000..7766e7d470
Binary files /dev/null and b/devices/hololens/images/one.png differ
diff --git a/devices/hololens/images/provision-hololens-devices.png b/devices/hololens/images/provision-hololens-devices.png
new file mode 100644
index 0000000000..c5ece7102f
Binary files /dev/null and b/devices/hololens/images/provision-hololens-devices.png differ
diff --git a/devices/hololens/images/set-up-device-details.PNG b/devices/hololens/images/set-up-device-details.PNG
new file mode 100644
index 0000000000..85b7dd382e
Binary files /dev/null and b/devices/hololens/images/set-up-device-details.PNG differ
diff --git a/devices/hololens/images/set-up-device.PNG b/devices/hololens/images/set-up-device.PNG
new file mode 100644
index 0000000000..0c9eb0e3ff
Binary files /dev/null and b/devices/hololens/images/set-up-device.PNG differ
diff --git a/devices/hololens/images/set-up-network-details-desktop.PNG b/devices/hololens/images/set-up-network-details-desktop.PNG
new file mode 100644
index 0000000000..83911ccbd0
Binary files /dev/null and b/devices/hololens/images/set-up-network-details-desktop.PNG differ
diff --git a/devices/hololens/images/set-up-network.PNG b/devices/hololens/images/set-up-network.PNG
new file mode 100644
index 0000000000..a0e856c103
Binary files /dev/null and b/devices/hololens/images/set-up-network.PNG differ
diff --git a/devices/hololens/images/seven.png b/devices/hololens/images/seven.png
new file mode 100644
index 0000000000..285a92df0b
Binary files /dev/null and b/devices/hololens/images/seven.png differ
diff --git a/devices/hololens/images/six.png b/devices/hololens/images/six.png
new file mode 100644
index 0000000000..e8906332ec
Binary files /dev/null and b/devices/hololens/images/six.png differ
diff --git a/devices/hololens/images/three.png b/devices/hololens/images/three.png
new file mode 100644
index 0000000000..887fa270d7
Binary files /dev/null and b/devices/hololens/images/three.png differ
diff --git a/devices/hololens/images/two.png b/devices/hololens/images/two.png new file mode 100644 index 0000000000..b8c2d52eaf Binary files /dev/null and b/devices/hololens/images/two.png differ diff --git a/devices/hololens/images/wizard-steps.png b/devices/hololens/images/wizard-steps.png new file mode 100644 index 0000000000..d97bae9a05 Binary files /dev/null and b/devices/hololens/images/wizard-steps.png differ diff --git a/devices/hololens/index.md b/devices/hololens/index.md index ddb5c29aea..786b38a1e3 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md @@ -1,13 +1,13 @@ --- title: Microsoft HoloLens (HoloLens) description: HoloLens provides extra features designed for business in the Commercial Suite. -ms.prod: w10 -ms.mktglfcycl: manage -ms.pagetype: hololens, devices +ms.prod: hololens ms.sitesec: library author: jdeckerms +ms.author: jdecker +ms.topic: article ms.localizationpriority: medium -ms.date: 11/29/2017 +ms.date: 07/27/2018 --- # Microsoft HoloLens 
@@ -21,14 +21,20 @@ ms.date: 11/29/2017 | Topic | Description | | --- | --- | +| [What's new in Microsoft HoloLens](hololens-whats-new.md) | Discover the new features in the latest update. | +[Insider preview for Microsoft HoloLens](hololens-insider.md) | Learn about new HoloLens features available in the latest Insider Preview build. | [HoloLens in the enterprise: requirements](hololens-requirements.md) | Lists requirements for general use, Wi-Fi, and device management | | [Set up HoloLens](hololens-setup.md) | How to set up HoloLens for the first time | -| [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic for Business| +| [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic for Business | | [Enroll HoloLens in MDM](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using solutions like Microsoft Intune | +| [Manage updates to HoloLens](hololens-updates.md) | Use mobile device management (MDM) policies to configure settings for updates. | | [Set up HoloLens in kiosk mode](hololens-kiosk.md) | Enable kiosk mode for HoloLens, which limits the user's ability to launch new apps or change the running app | +[Share HoloLens with multiple people](hololens-multiple-users.md) | Multiple users can shared a HoloLens device by using their Azure Active Directory accounts. | | [Configure HoloLens using a provisioning package](hololens-provisioning.md) | Provisioning packages make it easy for IT administrators to configure HoloLens devices without imaging | -| [Install apps on HoloLens](hololens-install-apps.md) | Use Microsoft Store for Business, mobile device management (MDM), or the Windows Device Portal to install apps on HoloLens| -
+| [Install apps on HoloLens](hololens-install-apps.md) | Use Microsoft Store for Business, mobile device management (MDM), or the Windows Device Portal to install apps on HoloLens | +| [Preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md) | Download and deploy new mixed reality apps for HoloLens, free for a limited time during public preview | +| [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) | Learn how to use Bitlocker device encryption to protect files and information stored on the HoloLens | +| [Change history for Microsoft HoloLens documentation](change-history-hololens.md) | See new and updated topics in the HoloLens documentation library. | ## Related resources diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index beb434c374..f4df822a14 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md @@ -40,6 +40,7 @@ ### [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) ### [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md) ### [Using a room control system](use-room-control-system-with-surface-hub.md) +### [Using the Surface Hub Recovery Tool](surface-hub-recovery-tool.md) ## [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) ## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) ## [Top support solutions for Surface Hub](support-solutions-surface-hub.md) diff --git a/devices/surface-hub/accessibility-surface-hub.md b/devices/surface-hub/accessibility-surface-hub.md index 0e4f926262..618afe96b7 100644 --- a/devices/surface-hub/accessibility-surface-hub.md +++ b/devices/surface-hub/accessibility-surface-hub.md 
@@ -3,12 +3,11 @@ title: Accessibility (Surface Hub)
 description: Accessibility settings for the Microsoft Surface Hub can be changed by using the Settings app. You'll find them under Ease of Access. Your Surface Hub has the same accessibility options as Windows 10.
 ms.assetid: 1D44723B-1162-4DF6-99A2-8A3F24443442
 keywords: Accessibility settings, Settings app, Ease of Access
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.pagetype: surfacehub
+ms.prod: surface-hub
 ms.sitesec: library
 author: jdeckerms
 ms.author: jdecker
+ms.topic: article
 ms.date: 08/16/2017
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/admin-group-management-for-surface-hub.md b/devices/surface-hub/admin-group-management-for-surface-hub.md
index cd6644429f..5771b3f3c5 100644
--- a/devices/surface-hub/admin-group-management-for-surface-hub.md
+++ b/devices/surface-hub/admin-group-management-for-surface-hub.md
@@ -3,12 +3,11 @@ title: Admin group management (Surface Hub)
 description: Every Microsoft Surface Hub can be configured individually by opening the Settings app on the device.
 ms.assetid: FA67209E-B355-4333-B903-482C4A3BDCCE
 keywords: admin group management, Settings app, configure Surface Hub
-ms.prod: w10
-ms.mktglfcycl: manage
+ms.prod: surface-hub
 ms.sitesec: library
-ms.pagetype: surfacehub, security
 author: jdeckerms
 ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
index 4f299c72fd..ae2a7ce2e0 100644
--- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
+++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
@@ -3,12 +3,11 @@ title: PowerShell for Surface Hub (Surface Hub) description: PowerShell scripts to help set up and manage your Microsoft Surface Hub. ms.assetid: 3EF48F63-8E4C-4D74-ACD5-461F1C653784 keywords: PowerShell, set up Surface Hub, manage Surface Hub -ms.prod: w10 -ms.mktglfcycl: manage +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker +ms.topic: article ms.date: 01/10/2018 ms.localizationpriority: medium --- @@ -19,7 +18,7 @@ ms.localizationpriority: medium PowerShell scripts to help set up and manage your Microsoft Surface Hub. - [PowerShell scripts for Surface Hub admins](#scripts-for-admins) - - [Create an on-premise account](#create-on-premise-ps-scripts) + - [Create an on-premises account](#create-on-premises-ps-scripts) - [Create a device account using Office 365](#create-os356-ps-scripts) - [Account verification script](#acct-verification-ps-scripts) - [Enable Skype for Business (EnableSfb.ps1)](#enable-sfb-ps-scripts) @@ -186,7 +185,7 @@ These scripts will create a device account for you. You can use the [Account ver The account creation scripts cannot modify an already existing account, but can be used to help you understand which cmdlets need to be run to configure the existing account correctly. -### Create an on-premise account +### Create an on-premises account Creates an account as described in [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md). diff --git a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md index 3ea97cffed..f34a48b0b7 100644 --- a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md +++ b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md 
@@ -3,12 +3,11 @@ title: Applying ActiveSync policies to device accounts (Surface Hub) description: The Microsoft Surface Hub's device account uses ActiveSync to sync mail and calendar. This allows people to join and start scheduled meetings from the Surface Hub, and allows them to email any whiteboards they have made during their meeting. ms.assetid: FAABBA74-3088-4275-B58E-EC1070F4D110 keywords: Surface Hub, ActiveSync policies -ms.prod: w10 -ms.mktglfcycl: manage +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker +ms.topic: article ms.date: 07/27/2017 ms.localizationpriority: medium --- diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index c3ab437724..10317bd4e4 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md @@ -2,13 +2,12 @@ title: Change history for Surface Hub description: This topic lists new and updated topics for Surface Hub. keywords: change history -ms.prod: w10 -ms.mktglfcycl: manage +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.date: 03/06/2018 +ms.topic: article +ms.date: 07/12/2018 ms.localizationpriority: medium --- 
@@ -16,12 +15,31 @@ ms.localizationpriority: medium This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md). +## July 2018 + +New or changed topic | Description +--- | --- +[Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) | Added information and links for new Microsoft Whiteboard app release. + +## June 2018 + +New or changed topic | Description +--- | --- +[On-premises deployment (single forest)](on-premises-deployment-surface-hub-device-accounts.md) and [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md) | Added (prerelease) instructions for disabling anonymous email and IM. + +## May 2018 + +New or changed topic | Description +--- | --- +[Using the Surface Hub Recovery Tool](surface-hub-recovery-tool.md) | New + ## April 2018 New or changed topic | Description --- | --- [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Updated instructions for Skype for Business Hybrid. + ## March 2018 New or changed topic | Description diff --git a/devices/surface-hub/change-surface-hub-device-account.md b/devices/surface-hub/change-surface-hub-device-account.md index 5b3d1e35db..bef2ff6610 100644 --- a/devices/surface-hub/change-surface-hub-device-account.md +++ b/devices/surface-hub/change-surface-hub-device-account.md @@ -3,12 +3,11 @@ title: Change the Microsoft Surface Hub device account description: You can change the device account in Settings to either add an account if one was not already provisioned, or to change any properties of an account that was already provisioned. ms.assetid: AFC43043-3319-44BC-9310-29B1F375E672 keywords: change device account, change properties, Surface Hub -ms.prod: w10 -ms.mktglfcycl: manage +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker +ms.topic: article ms.date: 07/27/2017 ms.localizationpriority: medium --- 
diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md
index dd8d127472..241cfc77e6 100644
--- a/devices/surface-hub/connect-and-display-with-surface-hub.md
+++ b/devices/surface-hub/connect-and-display-with-surface-hub.md
@@ -2,12 +2,11 @@
 title: Connect other devices and display with Surface Hub
 description: You can connect other device to your Surface Hub to display content.
 ms.assetid: 8BB80FA3-D364-4A90-B72B-65F0F0FC1F0D
-ms.prod: w10
-ms.mktglfcycl: manage
+ms.prod: surface-hub
 ms.sitesec: library
-ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ms.localizationpriority: medium
 ---
@@ -34,7 +33,7 @@ When connecting external devices and displays to a Surface Hub, there are severa ## Guest Mode -Guest Mode uses a wired connection, so people can display content from their devices to the Surface Hub. If the source device is Windows-based, that device can also provide Touchback and Inkback. Surface Hub's internal PC takes video and audio from the connected device and presents them on the Surface Hub. If Surface Hub encounters a High-Bandwidth Digital Content Protection (HDCP) signal, the source will be be displayed as a black image. To display your content without violating HDCP requirements, use the keypad on the right side of the Surface Hub to directly choose the external source. +Guest Mode uses a wired connection, so people can display content from their devices to the Surface Hub. If the source device is Windows-based, that device can also provide Touchback and Inkback. Surface Hub's internal PC takes video and audio from the connected device and presents them on the Surface Hub. If Surface Hub encounters a High-Bandwidth Digital Content Protection (HDCP) signal, the source will be displayed as a black image. To display your content without violating HDCP requirements, use the keypad on the right side of the Surface Hub to directly choose the external source. >[!NOTE] >When an HDCP source is connected, use the side keypad to change source inputs. diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md index f6f48f6401..6b6492acc1 100644 --- a/devices/surface-hub/create-a-device-account-using-office-365.md +++ b/devices/surface-hub/create-a-device-account-using-office-365.md 
@@ -3,13 +3,12 @@ title: Create a device account using UI (Surface Hub) description: If you prefer to use a graphical user interface, you can create a device account for your Microsoft Surface Hub with either the Office 365 UI or the Exchange Admin Center. ms.assetid: D11BCDC4-DABA-4B9A-9ECB-58E02CC8218C keywords: create device account, Office 365 UI, Exchange Admin center, Office 365 admin center, Skype for Business, mobile device mailbox policy -ms.prod: w10 -ms.mktglfcycl: manage +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.date: 10/20/2017 +ms.topic: article +ms.date: 05/04/2018 ms.localizationpriority: medium --- @@ -68,21 +67,7 @@ If you prefer to use a graphical user interface, you can create a device account ![Image with new mobile device mailbox policy in Exchange admin center.](images/setupdeviceaccto365-12.png) -6. Now, to apply the ActiveSync policy without using PowerShell, you can do the following: In the EAC, click **Recipients** > **Mailboxes** and then select a mailbox. - ![Image showing mailbox in Exchange admin center.](images/setupdeviceaccto365-13.png) - -7. In the Details pane, scroll to **Phone and Voice Features** and click **View details** to display the **Mobile Device Details** screen. - - ![Image showing mobile device details for the mailbox.](images/setupdeviceaccto365-14.png) - -8. The mobile device mailbox policy that’s currently assigned is displayed. To change the mobile device mailbox policy, click **Browse**. - - ![Image with details for the mobile device policy.](images/setupdeviceaccto365-15.png) - -9. Choose the appropriate mobile device mailbox policy from the list, click **OK** and then click **Save**. - - ![Image showing multiple mobile device mailbox policies.](images/setupdeviceaccto365-16.png) ### Use PowerShell to complete device account creation 
@@ -152,19 +137,19 @@ Now that you're connected to the online services, you can finish setting up the 1. You’ll need to enter the account’s mail address and create a variable with that value: - ``` syntax + ```powershell $mailbox = (Get-Mailbox ) ``` To store the value get it from the mailbox: - ``` syntax + ```powershell $strEmail = $mailbox.WindowsEmailAddress ``` Print the value: - ``` syntax + ```powershell $strEmail ``` @@ -172,13 +157,17 @@ Now that you're connected to the online services, you can finish setting up the ![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-23.png) +2. Run the following cmdlet: + ```powershell + Set-CASMailbox $strEmail -ActiveSyncMailboxPolicy "SurfaceHubDeviceMobilePolicy" + ``` 4. Various Exchange properties can be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. ``` syntax - Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false - Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!" + Set-CalendarProcessing -Identity $strEmail -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false + Set-CalendarProcessing -Identity $strEmail -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!" ``` ![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-26.png) 
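Review bot: The added step 2 in the second hunk hard-codes the policy name in `Set-CASMailbox $strEmail -ActiveSyncMailboxPolicy "SurfaceHubDeviceMobilePolicy"`, and the step that creates that policy is outside this hunk, so an admin who named the policy differently gets a failed or mis-targeted assignment. I would add a sentence after the cmdlet such as `Replace SurfaceHubDeviceMobilePolicy with the name of the mobile device mailbox policy you created earlier.` and a verification line, `Get-CASMailbox $strEmail | Select-Object ActiveSyncMailboxPolicy`. The list also now jumps from step 2 to step 4. The `Set-CalendarProcessing` fence below is still tagged `syntax` while the fences changed in the first hunk use `powershell`.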
@@ -211,7 +200,7 @@ In order to enable Skype for Business, your environment will need to meet the fo 2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: ```PowerShell - Enable-CsMeetingRoom -Identity $rm -RegistrarPool + Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress ``` @@ -244,7 +233,8 @@ You can use the Exchange Admin Center to create a device account: ### Create a mobile device mailbox policy from the Exchange Admin Center ->**Note**  If you want to create and assign a policy to the account you created, and are using Exchange 2010, look up the corresponding information regarding policy creation and policy assignment when using the EMC (Exchange management console). +>[!NOTE] +>If you want to create and assign a policy to the account you created, and are using Exchange 2010, look up the corresponding information regarding policy creation and policy assignment when using the EMC (Exchange management console).   @@ -310,7 +300,7 @@ Now that you're connected to the online services, you can finish setting up the You will see the correct email address. -2. You need to convert the account into to a room mailbox, so run: +2. You need to convert the account into a room mailbox, so run: ``` syntax Set-Mailbox $strEmail -Type Room 
@@ -325,8 +315,8 @@ Now that you're connected to the online services, you can finish setting up the 4. Various Exchange properties can be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. ``` syntax - Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false - Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!" + Set-CalendarProcessing -Identity $strEmail -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false + Set-CalendarProcessing -Identity $strEmail -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!" ``` 5. Now we have to set some properties in AD. To do that, you need the alias of the account (this is the part of the UPN that becomes before the “@”). @@ -369,7 +359,7 @@ In order to enable Skype for Business, your environment will need to meet the fo 2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: ```PowerShell - Enable-CsMeetingRoom -Identity $rm -RegistrarPool + Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress ``` diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md index cc5d233b08..3895e5aea7 100644 --- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md +++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md 
@@ -3,12 +3,11 @@ title: Create and test a device account (Surface Hub)
 description: This topic introduces how to create and test the device account that Microsoft Surface Hub uses to communicate with Microsoft Exchange and Skype.
 ms.assetid: C8605B5F-2178-4C3A-B4E0-CE32C70ECF67
 keywords: create and test device account, device account, Surface Hub and Microsoft Exchange, Surface Hub and Skype
-ms.prod: w10
-ms.mktglfcycl: manage
+ms.prod: surface-hub
 ms.sitesec: library
-ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
+ms.topic: article
 ms.date: 03/06/2018
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md
index a595ea198c..b4ee4473f6 100644
--- a/devices/surface-hub/device-reset-surface-hub.md
+++ b/devices/surface-hub/device-reset-surface-hub.md
@@ -3,12 +3,11 @@ title: Device reset (Surface Hub)
 description: You may wish to reset your Microsoft Surface Hub.
 ms.assetid: 44E82EEE-1905-464B-A758-C2A1463909FF
 keywords: reset Surface Hub
-ms.prod: w10
-ms.mktglfcycl: manage
+ms.prod: surface-hub
 ms.sitesec: library
-ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ms.localizationpriority: medium
 ---
@@ -77,7 +76,7 @@ If the device account gets into an unstable state or the Admin account is runnin On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset or recover the device from [Windows RE](https://technet.microsoft.com/library/cc765966.aspx). -1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide](https://www.microsoft.com/surface/support/surface-hub/surface-hub-site-readiness-guide) for help with locating the power switch. +1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide (PDF)](http://download.microsoft.com/download/3/8/8/3883E991-DFDB-4E70-8D28-20B26045FC5B/Surface-Hub-Site-Readiness-Guide_EN.pdf) for help with locating the power switch. 2. The device should automatically boot into Windows RE. 3. After the Surface Hub enters Windows RE, select **Recover from the cloud**. (Optionally, you can choose **Reset**, however **Recover from the cloud** is the recommended approach.) diff --git a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md index 61120d6a25..ae478d22b4 100644 --- a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md +++ b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md 
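Review bot: The replacement Site Readiness Guide link in step 1 uses plain `http://download.microsoft.com/...`, so the PDF an admin opens in the middle of a device-recovery procedure is fetched with no transport integrity and can be swapped or downgraded on a hostile network. I would use the HTTPS form of the same URL, `https://download.microsoft.com/download/3/8/8/3883E991-DFDB-4E70-8D28-20B26045FC5B/Surface-Hub-Site-Readiness-Guide_EN.pdf`, after confirming that it resolves. The link it replaces was already `https://`, so this change is a regression in that respect.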
@@ -2,12 +2,11 @@
 title: Differences between Surface Hub and Windows 10 Enterprise
 description: This topic explains the differences between Windows 10 Team and Windows 10 Enterprise.
 keywords: change history
-ms.prod: w10
-ms.mktglfcycl: manage
+ms.prod: surface-hub
 ms.sitesec: library
-ms.pagetype: surfacehub
 author: isaiahng
 ms.author: jdecker
+ms.topic: article
 ms.date: 11/01/2017
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/enable-8021x-wired-authentication.md b/devices/surface-hub/enable-8021x-wired-authentication.md
index e23860d5ba..810dc3d2ce 100644
--- a/devices/surface-hub/enable-8021x-wired-authentication.md
+++ b/devices/surface-hub/enable-8021x-wired-authentication.md
@@ -1,12 +1,11 @@
 ---
 title: Enable 802.1x wired authentication
 description: 802.1x Wired Authentication MDM policies have been enabled on Surface Hub devices.
-ms.prod: w10
-ms.mktglfcycl: manage
+ms.prod: surface-hub
 ms.sitesec: library
-ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
+ms.topic: article
 ms.date: 11/15/2017
 ms.localizationpriority: medium
 ---
@@ -57,5 +56,5 @@ This OMA-URI node takes a text string of XML as a parameter. The XML provided as ## Adding certificates -If your selected authentication method is certificate-based, you will will need to [create a provisioning package](provisioning-packages-for-surface-hub.md), [utilize MDM](https://docs.microsoft.com/windows/client-management/mdm/clientcertificateinstall-csp), or import a certificate from settings (**Settings** > **Update and Security** > **Certificates**) to deploy those certificates to your Surface Hub device in the appropriate Certificate Store. When adding certificates, each PFX must contain only one certificate (a PFX cannot have multiple certificates). +If your selected authentication method is certificate-based, you will need to [create a provisioning package](provisioning-packages-for-surface-hub.md), [utilize MDM](https://docs.microsoft.com/windows/client-management/mdm/clientcertificateinstall-csp), or import a certificate from settings (**Settings** > **Update and Security** > **Certificates**) to deploy those certificates to your Surface Hub device in the appropriate Certificate Store. When adding certificates, each PFX must contain only one certificate (a PFX cannot have multiple certificates). diff --git a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md index 1c936f687a..2975a20db0 100644 --- a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md +++ b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md 
@@ -3,12 +3,11 @@ title: Microsoft Exchange properties (Surface Hub)
 description: Some Microsoft Exchange properties of the device account must be set to particular values to have the best meeting experience on Microsoft Surface Hub.
 ms.assetid: 3E84393B-C425-45BF-95A6-D6502BA1BF29
 keywords: Microsoft Exchange properties, device account, Surface Hub, Windows PowerShell cmdlet
-ms.prod: w10
-ms.mktglfcycl: manage
+ms.prod: surface-hub
 ms.sitesec: library
-ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/finishing-your-surface-hub-meeting.md b/devices/surface-hub/finishing-your-surface-hub-meeting.md
index 7ef7ca904e..c56335e042 100644
--- a/devices/surface-hub/finishing-your-surface-hub-meeting.md
+++ b/devices/surface-hub/finishing-your-surface-hub-meeting.md
@@ -2,12 +2,11 @@
 title: End session - ending a Surface Hub meeting
 description: To end a Surface Hub meeting, tap End session. Surface Hub cleans up the application state, operating system state, and the user interface so that Surface Hub is ready for the next meeting.
 keywords: I am Done, end Surface Hub meeting, finish Surface Hub meeting, clean up Surface Hub meeting
-ms.prod: w10
-ms.mktglfcycl: manage
+ms.prod: surface-hub
 ms.sitesec: library
-ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md
index b0d0d183ef..2574c2cbf6 100644
--- a/devices/surface-hub/first-run-program-surface-hub.md
+++ b/devices/surface-hub/first-run-program-surface-hub.md
@@ -3,12 +3,11 @@ title: First-run program (Surface Hub) description: The term \ 0034;first run \ 0034; refers to the series of steps you'll go through the first time you power up your Microsoft Surface Hub, and means the same thing as \ 0034;out-of-box experience \ 0034; (OOBE). This section will walk you through the process. ms.assetid: 07C9E84C-1245-4511-B3B3-75939AD57C49 keywords: first run, Surface Hub, out-of-box experience, OOBE -ms.prod: w10 -ms.mktglfcycl: manage +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker +ms.topic: article ms.date: 07/27/2017 ms.localizationpriority: medium --- diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md index b464e456dc..d72676e762 100644 --- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md @@ -3,12 +3,11 @@ title: Hybrid deployment (Surface Hub) description: A hybrid deployment requires special processing to set up a device account for your Microsoft Surface Hub. ms.assetid: 7BFBB7BE-F587-422E-9CE4-C9DDF829E4F1 keywords: hybrid deployment, device account for Surface Hub, Exchange hosted on-prem, Exchange hosted online -ms.prod: w10 -ms.mktglfcycl: deploy +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker +ms.topic: article ms.date: 04/12/2018 ms.localizationpriority: medium --- 
@@ -142,7 +141,7 @@ Next, you enable the device account with [Skype for Business Online](#skype-for- To enable Skype for Business online, your tenant users must have Exchange mailboxes (at least one Exchange mailbox in the tenant is required). The following table explains which plans or additional services you need. -| Skype room system scenario | If you have Office 365 Premium, Office 365 ProPlus, or Skype for Business Standalone Plan 2, you need: | If you have an Enterprise-based plan, you need: | If you have have Skype for Business Server 2015 (on-premises or hybrid), you need: | +| Skype room system scenario | If you have Office 365 Premium, Office 365 ProPlus, or Skype for Business Standalone Plan 2, you need: | If you have an Enterprise-based plan, you need: | If you have Skype for Business Server 2015 (on-premises or hybrid), you need: | | --- | --- | --- | --- | | Join a scheduled meeting | Skype for Business Standalone Plan 1 | E1, 3, 4, or 5 | Skype for Business Server Standard CAL | | Initiate an ad-hoc meeting | Skype for Business Standalone Plan 2 | E 1, 3, 4, or 5 | Skype for Business Server Standard CAL or Enterprise CAL | diff --git a/devices/surface-hub/images/shrt-complete.png b/devices/surface-hub/images/shrt-complete.png new file mode 100644 index 0000000000..64525f76a3 Binary files /dev/null and b/devices/surface-hub/images/shrt-complete.png differ diff --git a/devices/surface-hub/images/shrt-done.png b/devices/surface-hub/images/shrt-done.png new file mode 100644 index 0000000000..ea05c13051 Binary files /dev/null and b/devices/surface-hub/images/shrt-done.png differ diff --git a/devices/surface-hub/images/shrt-download.png b/devices/surface-hub/images/shrt-download.png new file mode 100644 index 0000000000..8eee758a54 Binary files /dev/null and b/devices/surface-hub/images/shrt-download.png differ 
diff --git a/devices/surface-hub/images/shrt-drive-start.png b/devices/surface-hub/images/shrt-drive-start.png new file mode 100644 index 0000000000..490998f214 Binary files /dev/null and b/devices/surface-hub/images/shrt-drive-start.png differ diff --git a/devices/surface-hub/images/shrt-drive.png b/devices/surface-hub/images/shrt-drive.png new file mode 100644 index 0000000000..9afeb4b7f3 Binary files /dev/null and b/devices/surface-hub/images/shrt-drive.png differ diff --git a/devices/surface-hub/images/shrt-guidance.png b/devices/surface-hub/images/shrt-guidance.png new file mode 100644 index 0000000000..c878761704 Binary files /dev/null and b/devices/surface-hub/images/shrt-guidance.png differ diff --git a/devices/surface-hub/images/shrt-shortcut.png b/devices/surface-hub/images/shrt-shortcut.png new file mode 100644 index 0000000000..d71d3e163c Binary files /dev/null and b/devices/surface-hub/images/shrt-shortcut.png differ diff --git a/devices/surface-hub/images/shrt-start.png b/devices/surface-hub/images/shrt-start.png new file mode 100644 index 0000000000..93356c889b Binary files /dev/null and b/devices/surface-hub/images/shrt-start.png differ diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md index 06c8519cfc..06b5ab6450 100644 --- a/devices/surface-hub/index.md +++ b/devices/surface-hub/index.md @@ -2,12 +2,11 @@ title: Microsoft Surface Hub admin guide description: Documents related to the Microsoft Surface Hub. ms.assetid: 69C99E91-1441-4318-BCAF-FE8207420555 -ms.prod: w10 -ms.mktglfcycl: explore +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker +ms.topic: article ms.date: 09/07/2017 ms.localizationpriority: medium --- 
@@ -52,3 +51,10 @@ In some ways, adding your new Surface Hub is just like adding any other Microsof +## Additional resources + +- [Surface Hub update history](https://support.microsoft.com/help/4037666/surface-surface-hub-update-history) +- [Surface IT Pro Blog](https://blogs.technet.microsoft.com/surface/) +- [Surface Playlist of videos](https://www.youtube.com/playlist?list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ) +- [Microsoft Surface on Twitter](https://twitter.com/surface) + diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md index b0737d1f6b..ffa77e640e 100644 --- a/devices/surface-hub/install-apps-on-surface-hub.md +++ b/devices/surface-hub/install-apps-on-surface-hub.md @@ -3,12 +3,11 @@ title: Install apps on your Microsoft Surface Hub description: Admins can install apps can from either the Microsoft Store or the Microsoft Store for Business. ms.assetid: 3885CB45-D496-4424-8533-C9E3D0EDFD94 keywords: install apps, Microsoft Store, Microsoft Store for Business -ms.prod: w10 -ms.mktglfcycl: deploy +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub, store author: jdeckerms ms.author: jdecker +ms.topic: article ms.date: 10/20/2017 ms.localizationpriority: medium --- diff --git a/devices/surface-hub/local-management-surface-hub-settings.md b/devices/surface-hub/local-management-surface-hub-settings.md index c59fd9ac8a..b53d27448f 100644 --- a/devices/surface-hub/local-management-surface-hub-settings.md +++ b/devices/surface-hub/local-management-surface-hub-settings.md @@ -2,12 +2,11 @@ title: Local management Surface Hub settings description: How to manage Surface Hub settings with Settings. keywords: manage Surface Hub, Surface Hub settings -ms.prod: w10 -ms.mktglfcycl: manage +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker +ms.topic: article ms.date: 07/27/2017 ms.localizationpriority: medium --- 
diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md index dfed286bc9..d0e895cd1a 100644 --- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md +++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md @@ -3,12 +3,11 @@ title: Manage settings with an MDM provider (Surface Hub) description: Microsoft Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution. ms.assetid: 18EB8464-6E22-479D-B0C3-21C4ADD168FE keywords: mobile device management, MDM, manage policies -ms.prod: w10 -ms.mktglfcycl: manage +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub, mobility author: jdeckerms ms.author: jdecker +ms.topic: article ms.date: 03/07/2018 ms.localizationpriority: medium --- 
@@ -45,16 +44,8 @@ You can enroll your Surface Hubs using bulk, manual, or automatic enrollment. Surface Hub now supports the ability to automatically enroll in Intune by joining the device to Azure Active Directory. -**To enable automatic enrollment for Microsoft Intune** -1. In the [Azure classic portal](https://manage.windowsazure.com/), navigate to the **Active Directory** node and select your directory. -2. Click the **Applications** tab, then click **Microsoft Intune**. -3. Under **Manage devices for these users**, click **Groups**. -4. Click **Select Groups**, then select the groups of users you want to automatically enroll into Intune. -5. Click the checkmark button, then click **Save**. - For more information, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment). - ## Manage Surface Hub settings with MDM You can use MDM to manage some [Surface Hub CSP settings](#supported-surface-hub-csp-settings), and some [Windows 10 settings](#supported-windows-10-settings). Depending on the MDM provider that you use, you may set these settings using a built-in user interface, or by deploying custom SyncML. Microsoft Intune and System Center Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. Refer to documentation from your MDM provider to learn how to create and deploy SyncML. 
@@ -93,7 +84,7 @@ For more information, see [SurfaceHub configuration service provider](https://ms ### Supported Windows 10 settings -In addition to Surface Hub-specific settings, there are numerous settings common to all Windows 10 devices. These settings are defined in the [Configuration service provider reference](https://msdn.microsoft.com/library/windows/hardware/dn920025.aspx). +In addition to Surface Hub-specific settings, there are numerous settings common to all Windows 10 devices. These settings are defined in the [Configuration service provider reference](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference). The following tables include info on Windows 10 settings that have been validated with Surface Hub. There is a table with settings for these areas: security, browser, Windows Updates, Windows Defender, remote reboot, certificates, and logs. Each table identifies if the setting is supported with Microsoft Intune, System Center Configuration Manager, or SyncML. diff --git a/devices/surface-hub/manage-surface-hub-settings.md b/devices/surface-hub/manage-surface-hub-settings.md index c79f175559..ac7d714624 100644 --- a/devices/surface-hub/manage-surface-hub-settings.md +++ b/devices/surface-hub/manage-surface-hub-settings.md @@ -2,12 +2,11 @@ title: Manage Surface Hub settings description: This section lists topics for managing Surface Hub settings. keywords: Surface Hub accessibility settings, device account, device reset, windows updates, wireless network management -ms.prod: w10 -ms.mktglfcycl: manage +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker +ms.topic: article ms.date: 07/27/2017 ms.localizationpriority: medium --- diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md index 612bdeb704..9518232b8b 100644 --- a/devices/surface-hub/manage-surface-hub.md +++ b/devices/surface-hub/manage-surface-hub.md 
@@ -3,12 +3,11 @@ title: Manage Microsoft Surface Hub description: How to manage your Surface Hub after finishing the first-run program. ms.assetid: FDB6182C-1211-4A92-A930-6C106BCD5DC1 keywords: manage Surface Hub -ms.prod: w10 -ms.mktglfcycl: manage +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker +ms.topic: article ms.date: 01/17/2018 ms.localizationpriority: medium --- @@ -40,7 +39,8 @@ Learn about managing and updating Surface Hub. | [Connect other devices and display with Surface Hub](https://technet.microsoft.com/itpro/surface-hub/connect-and-display-with-surface-hub) | You can connect other device to your Surface Hub to display content.| | [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) | You can use Miracast on your wireless network or LAN to connect to Surface Hub. | [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md) | 802.1x Wired Authentication MDM policies have been enabled on Surface Hub devices. -| [Using a room control system]( https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.| +| [Using a room control system](https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.| +[Using the Surface Hub Recovery Tool](surface-hub-recovery-tool.md) | Use the Surface Hub Recovery Tool to re-image the Surface Hub SSD. ## Related topics diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index 0de4ed8d77..6dcce110f5 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md 
@@ -3,12 +3,11 @@ title: Windows updates (Surface Hub) description: You can manage Windows updates on your Microsoft Surface Hub by setting the maintenance window, deferring updates, or using Windows Server Update Services (WSUS). ms.assetid: A737BD50-2D36-4DE5-A604-55053D549045 keywords: manage Windows updates, Surface Hub, Windows Server Update Services, WSUS -ms.prod: w10 -ms.mktglfcycl: manage +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker +ms.topic: article ms.date: 11/03/2017 ms.localizationpriority: medium --- 
@@ -45,7 +44,7 @@ Microsoft publishes two types of Surface Hub releases broadly on an ongoing basi In order to improve release quality and simplify deployments, all new releases that Microsoft publishes for Windows 10, including Surface Hub, will be cumulative. This means new feature updates and quality updates will contain the payloads of all previous releases (in an optimized form to reduce storage and networking requirements), and installing the release on a device will bring it completely up to date. Also, unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 quality update. For example, if a quality update contains fixes for three security vulnerabilities and one reliability issue, deploying the update will result in the installation of all four fixes. -The Surface Hub operating system receives updates on the [Semi-Annual Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes). Like other editions of Windows 10, the servicing lifetime ois finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates. +The Surface Hub operating system receives updates on the [Semi-Annual Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes). Like other editions of Windows 10, the servicing lifetime is finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates. For more information on Windows as a Service, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview). 
@@ -112,9 +111,10 @@ Once the Windows 10 Team Anniversary Update is installed, you can remove these a To ensure the device is always available for use during business hours, Surface Hub performs its administrative functions during a specified maintenance window. During the maintenance window, the Surface Hub automatically installs updates through Windows Update or WSUS, and reboots the device if needed. Surface Hub follows these guidelines to apply updates: -- Install the update during the next maintenance window. If a meeting is scheduled to start during a maintenance window, or the Surface Hub sensors detect that the device is being used, the pending update will be postponed to the following maintenance window. -- If the next maintenance window is past the update’s prescribed grace period, the device will calculate the next available slot during business hours using the estimated install time from the update’s metadata. It will continue to postpone the update if a meeting is scheduled, or the Surface Hub sensors detect that the device is being used. -- If a pending update is past the update’s prescribed grace period, the update will be immediately installed. If a reboot is needed, the Surface Hub will automatically reboot during the next maintenance window. +- Install the update during the next maintenance window. If a meeting is scheduled to start during a maintenance window, or the Surface Hub sensors detect that the device is being used, the pending update will be postponed to the following maintenance window. +- If the next maintenance window is past the update’s prescribed grace period, the device will calculate the next available slot during business hours using the estimated install time from the update’s metadata. It will continue to postpone the update if a meeting is scheduled, or the Surface Hub sensors detect that the device is being used. 
+- If the next maintenance window is **not** past the update's grace period, the Surface Hub will continue to postpone the update. +- If a reboot is needed, the Surface Hub will automatically reboot during the next maintenance window. > [!NOTE] > Allow time for updates when you first setup your Surface Hub. For example, a backlog of virus definitions may be available, which should be immediately installed. @@ -131,6 +131,11 @@ A default maintenance window is set for all new Surface Hubs: To change the maintenance window using MDM, set the **MOMAgent** node in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for more details. +## More information + +- [Blog post: Servicing, Flighting, and Managing updates for Surface Hub (With Intune, of course!)](https://blogs.technet.microsoft.com/y0av/2018/05/31/7-3/) + + ## Related topics [Manage Microsoft Surface Hub](manage-surface-hub.md) diff --git a/devices/surface-hub/miracast-over-infrastructure.md b/devices/surface-hub/miracast-over-infrastructure.md index 341ce3a1d0..7b6737d1ac 100644 --- a/devices/surface-hub/miracast-over-infrastructure.md +++ b/devices/surface-hub/miracast-over-infrastructure.md @@ -1,12 +1,11 @@ --- title: Miracast on existing wireless network or LAN description: Windows 10 enables you to send a Miracast stream over a local network. -ms.prod: w10 -ms.mktglfcycl: manage +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker +ms.topic: article ms.date: 08/03/2017 ms.localizationpriority: medium --- 
@@ -36,10 +35,11 @@ If you have a Surface Hub or other Windows 10 device that has been updated to Wi - The Surface Hub or device (Windows PC or phone) needs to be running Windows 10, version 1703. - A Surface Hub or Windows PC can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. - - As a Miracast receiver, the Surface Hub or device must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. + - As a Miracast receiver, the Surface Hub or device must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Surface Hub or device is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. - As a Miracast source, the Windows PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. -- The DNS Hostname (device name) of the Surface Hub or deviceneeds to be resolvable via your DNS servers. You can achieve this by either allowing your Surface Hub to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the Surface Hub's hostname. -- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. +- The DNS Hostname (device name) of the Surface Hub or device needs to be resolvable via your DNS servers. You can achieve this by either allowing your Surface Hub to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the Surface Hub's hostname. +- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. 
+- On Windows 10 PCs, the **Projecting to this PC** feature must be enabled within System Settings, and the device must have a Wi-Fi interface enabled in order to respond to discovery requests. It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. diff --git a/devices/surface-hub/miracast-troubleshooting.md b/devices/surface-hub/miracast-troubleshooting.md index f8843ffe57..6f3bdf62ec 100644 --- a/devices/surface-hub/miracast-troubleshooting.md +++ b/devices/surface-hub/miracast-troubleshooting.md @@ -1,12 +1,11 @@ --- title: Troubleshoot Miracast on Surface Hub description: Learn how to resolve issues with Miracast on Surface Hub. -ms.prod: w10 -ms.mktglfcycl: manage +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker +ms.topic: article ms.date: 07/27/2017 ms.localizationpriority: medium --- diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md index 7fe0d6aeff..ac60abe27d 100644 --- a/devices/surface-hub/monitor-surface-hub.md +++ b/devices/surface-hub/monitor-surface-hub.md @@ -3,12 +3,11 @@ title: Monitor your Microsoft Surface Hub description: Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS). ms.assetid: 1D2ED317-DFD9-423D-B525-B16C2B9D6942 keywords: monitor Surface Hub, Microsoft Operations Management Suite, OMS -ms.prod: w10 -ms.mktglfcycl: manage +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker +ms.topic: article ms.date: 07/27/2017 ms.localizationpriority: medium --- 
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index 7c6a90015d..953c771d7c 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md @@ -3,13 +3,11 @@ title: On-premises deployment single forest (Surface Hub) description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment. ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6 keywords: single forest deployment, on prem deployment, device account, Surface Hub -ms.prod: w10 -ms.mktglfcycl: deploy +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.date: 04/13/2018 +ms.date: 06/01/2018 ms.localizationpriority: medium --- 
@@ -18,7 +16,7 @@ ms.localizationpriority: medium This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment. -If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, see [On-premises deployment for Surface Hub in a multi-forest environment](on-premises-deployment-surface-hub-multi-forest.md). +If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premises-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, see [On-premises deployment for Surface Hub in a multi-forest environment](on-premises-deployment-surface-hub-multi-forest.md). 1. Start a remote PowerShell session from a PC and connect to Exchange. 
@@ -104,10 +102,54 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013 Set-CsMeetingRoom -Identity HUB01 -DomainController DC-ND-001.contoso.com -LineURI “tel:+14255550555;ext=50555" -EnterpriseVoiceEnabled $true ``` - Again, you'll need to replace the provided domain controller and phone number examples with your own information. The parameter value `$true` stays the same. + Again, you need to replace the provided domain controller and phone number examples with your own information. The parameter value `$true` stays the same. -  + ## Disable anonymous email and IM + + +>[!WARNING] +>This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +Surface Hub uses a device account to provide email and collaboration services (IM, video, voice). This device account is used as the originating identity (the “from” party) when sending email, IM, and placing calls. As this account is not coming from an individual, identifiable user, it is deemed “anonymous” because it originated from the Surface Hub's device account. + +Assume you have a per-user client policy assigned to each meeting room device with an identity of **SurfaceHubPolicy**. To disable anonymous email and messaging, you add a clientPolicyEntry to this client policy by using the following commands. 
+ +``` +$policyEntry = New-CsClientPolicyEntry -Name AllowResourceAccountSendMessage -value $false +$clientPolicy = Get-CsClientPolicy -Identity SurfaceHubPolicy +$clientPolicy.PolicyEntry.Add($policyEntry) +Set-CsClientPolicy -Instance $clientPolicy +``` + +To verify that the policy has been set: + +``` +Select-Object -InputObject $clientPolicy -Property PolicyEntry +``` + +The output should be: + +``` +PolicyEntry +----------- +{Name=AllowResourceAccountSendMessage;Value=False} +``` + + +To change the policy entry: + +``` +$policyEntry = New-CsClientPolicyEntry -Name AllowResourceAccountSendMessage -value $true +$clientPolicy | Set-CsClientPolicy -PolicyEntry @{Replace = $policyEntry} +``` + +To remove the policy entry: + +``` +$policyEntry = New-CsClientPolicyEntry -Name AllowResourceAccountSendMessage -value $true +$clientPolicy | Set-CsClientPolicy -PolicyEntry @{Remove = $policyEntry} +```   diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md index 9456eb9891..ff5af2b652 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md @@ -2,13 +2,11 @@ title: On-premises deployment multi-forest (Surface Hub) description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a multi-forest, on-premises deployment. keywords: multi forest deployment, on prem deployment, device account, Surface Hub -ms.prod: w10 -ms.mktglfcycl: deploy +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.date: 07/27/2017 +ms.date: 06/01/2018 ms.localizationpriority: medium --- 
@@ -17,7 +15,7 @@ ms.localizationpriority: medium This topic explains how you add a device account for your Microsoft Surface Hub when you have a multi-forest, on-premises deployment. -If you have a multi-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a single-forest deployment, see [On-premises deployment for Surface Hub in a single-forest environment](on-premises-deployment-surface-hub-device-accounts.md). +If you have a multi-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premises-ps-scripts) to create device accounts. If you’re using a single-forest deployment, see [On-premises deployment for Surface Hub in a single-forest environment](on-premises-deployment-surface-hub-device-accounts.md). 1. Start a remote PowerShell session from a PC and connect to Exchange. 
@@ -97,7 +95,50 @@ If you have a multi-forest on-premises deployment with Microsoft Exchange 2013 o You'll need to use the Session Initiation Protocol (SIP) address and domain controller for the Surface Hub, along with your own Skype for Business Server pool identifier and user identity. +## Disable anonymous email and IM +>[!WARNING] +>This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +Surface Hub uses a device account to provide email and collaboration services (IM, video, voice). This device account is used as the originating identity (the “from” party) when sending email, IM, and placing calls. As this account is not coming from an individual, identifiable user, it is deemed “anonymous” because it originated from the Surface Hub's device account. + +Assume you have a per-user client policy assigned to each meeting room device with an identity of **SurfaceHubPolicy**. To disable anonymous email and messaging, you add a clientPolicyEntry to this client policy by using the following commands. 
+ +``` +$policyEntry = New-CsClientPolicyEntry -Name AllowResourceAccountSendMessage -value $false +$clientPolicy = Get-CsClientPolicy -Identity SurfaceHubPolicy +$clientPolicy.PolicyEntry.Add($policyEntry) +Set-CsClientPolicy -Instance $clientPolicy +``` + +To verify that the policy has been set: + +``` +Select-Object -InputObject $clientPolicy -Property PolicyEntry +``` + +The output should be: + +``` +PolicyEntry +----------- +{Name=AllowResourceAccountSendMessage;Value=False} +``` + + +To change the policy entry: + +``` +$policyEntry = New-CsClientPolicyEntry -Name AllowResourceAccountSendMessage -value $true +$clientPolicy | Set-CsClientPolicy -PolicyEntry @{Replace = $policyEntry} +``` + +To remove the policy entry: + +``` +$policyEntry = New-CsClientPolicyEntry -Name AllowResourceAccountSendMessage -value $true +$clientPolicy | Set-CsClientPolicy -PolicyEntry @{Remove = $policyEntry} +```   diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md index 6a314c317a..d5c567a57f 100644 --- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md @@ -3,12 +3,11 @@ title: Online deployment with Office 365 (Surface Hub) description: This topic has instructions for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment. ms.assetid: D325CA68-A03F-43DF-8520-EACF7C3EDEC1 keywords: device account for Surface Hub, online deployment -ms.prod: w10 -ms.mktglfcycl: deploy +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker +ms.topic: article ms.date: 02/21/2018 ms.localizationpriority: medium --- diff --git a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md index 859034da95..be86720a3a 100644 
--- a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
@@ -3,12 +3,11 @@ title: Password management (Surface Hub)
 description: Every Microsoft Surface Hub device account requires a password to authenticate and enable features on the device.
 ms.assetid: 0FBFB546-05F0-430E-905E-87111046E4B8
 keywords: password, password management, password rotation, device account
-ms.prod: w10
-ms.mktglfcycl: manage
+ms.prod: surface-hub
 ms.sitesec: library
-ms.pagetype: surfacehub, security
 author: jdeckerms
 ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/physically-install-your-surface-hub-device.md b/devices/surface-hub/physically-install-your-surface-hub-device.md
index dc9cdf25ad..f750d07a4f 100644
--- a/devices/surface-hub/physically-install-your-surface-hub-device.md
+++ b/devices/surface-hub/physically-install-your-surface-hub-device.md
@@ -3,12 +3,11 @@ title: Physically install Microsoft Surface Hub
 description: The Microsoft Surface Hub Readiness Guide will help make sure that your site is ready for the installation.
 ms.assetid: C764DBFB-429B-4B29-B4E8-D7F0073BC554
 keywords: Surface Hub, readiness guide, installation location, mounting options
-ms.prod: w10
-ms.mktglfcycl: manage
+ms.prod: surface-hub
 ms.sitesec: library
-ms.pagetype: surfacehub, readiness
 author: jdeckerms
 ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
index cef7042de1..b9239014a4 100644
--- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md
+++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
@@ -3,12 +3,11 @@ title: Prepare your environment for Microsoft Surface Hub
 description: This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Microsoft Surface Hub.
 ms.assetid: 336A206C-5893-413E-A270-61BFF3DF7DA9
 keywords: prepare environment, features of Surface Hub, create and test device account, check network availability
-ms.prod: w10
-ms.mktglfcycl: plan
+ms.prod: surface-hub
 ms.sitesec: library
-ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
+ms.topic: article
 ms.date: 12/04/2017
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/provisioning-packages-for-surface-hub.md b/devices/surface-hub/provisioning-packages-for-surface-hub.md
index b357f97f9c..ad3c3d7d7e 100644
--- a/devices/surface-hub/provisioning-packages-for-surface-hub.md
+++ b/devices/surface-hub/provisioning-packages-for-surface-hub.md
@@ -3,12 +3,11 @@ title: Create provisioning packages (Surface Hub)
 description: For Windows 10, settings that use the registry or a configuration service provider (CSP) can be configured using provisioning packages.
 ms.assetid: 8AA25BD4-8A8F-4B95-9268-504A49BA5345
 keywords: add certificate, provisioning package
-ms.prod: w10
-ms.mktglfcycl: deploy
+ms.prod: surface-hub
 ms.sitesec: library
-ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/remote-surface-hub-management.md b/devices/surface-hub/remote-surface-hub-management.md
index e57046e72c..5038e225b5 100644
--- a/devices/surface-hub/remote-surface-hub-management.md
+++ b/devices/surface-hub/remote-surface-hub-management.md
@@ -2,12 +2,11 @@
 title: Remote Surface Hub management
 description: This section lists topics for managing Surface Hub.
 keywords: remote management, MDM, install apps, monitor Surface Hub, Operations Management Suite, OMS
-ms.prod: w10
-ms.mktglfcycl: manage
+ms.prod: surface-hub
 ms.sitesec: library
-ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/save-bitlocker-key-surface-hub.md b/devices/surface-hub/save-bitlocker-key-surface-hub.md
index a872c380d5..3a013dd827 100644
--- a/devices/surface-hub/save-bitlocker-key-surface-hub.md
+++ b/devices/surface-hub/save-bitlocker-key-surface-hub.md
@@ -3,12 +3,11 @@ title: Save your BitLocker key (Surface Hub)
 description: Every Microsoft Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.
 ms.assetid: E11E4AB6-B13E-4ACA-BCE1-4EDC9987E4F2
 keywords: Surface Hub, BitLocker, Bitlocker recovery keys
-ms.prod: w10
-ms.mktglfcycl: manage
+ms.prod: surface-hub
 ms.sitesec: library
-ms.pagetype: surfacehub, security
 author: jdeckerms
 ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/set-up-your-surface-hub.md b/devices/surface-hub/set-up-your-surface-hub.md
index 4a88209a97..80178e7c22 100644
--- a/devices/surface-hub/set-up-your-surface-hub.md
+++ b/devices/surface-hub/set-up-your-surface-hub.md
@@ -3,12 +3,11 @@ title: Set up Microsoft Surface Hub
 description: Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program.
 ms.assetid: 4D1722BC-704D-4471-BBBE-D0500B006221
 keywords: set up instructions, Surface Hub, setup worksheet, first-run program
-ms.prod: w10
-ms.mktglfcycl: deploy
+ms.prod: surface-hub
 ms.sitesec: library
-ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/setup-worksheet-surface-hub.md b/devices/surface-hub/setup-worksheet-surface-hub.md
index 06234fe14a..f66fce4ef7 100644
--- a/devices/surface-hub/setup-worksheet-surface-hub.md
+++ b/devices/surface-hub/setup-worksheet-surface-hub.md
@@ -3,12 +3,11 @@ title: Setup worksheet (Surface Hub)
 description: When you've finished pre-setup and are ready to start first-time setup for your Microsoft Surface Hub, make sure you have all the information listed in this section.
 ms.assetid: AC6F925B-BADE-48F5-8D53-8B6FFF6EE3EB
 keywords: Setup worksheet, pre-setup, first-time setup
-ms.prod: w10
-ms.mktglfcycl: deploy
+ms.prod: surface-hub
 ms.sitesec: library
-ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/skype-hybrid-voice.md b/devices/surface-hub/skype-hybrid-voice.md
index 4f3303c2c2..4b3c12deab 100644
--- a/devices/surface-hub/skype-hybrid-voice.md
+++ b/devices/surface-hub/skype-hybrid-voice.md
@@ -2,12 +2,11 @@
 title: Online or hybrid deployment using Skype Hybrid Voice environment (Surface Hub)
 description: This topic explains how to enable Skype for Business Cloud PBX with on premises PSTN connectivity via Cloud Connector Edition or Skype for Business 2015 pool.
 keywords: hybrid deployment, Skype Hybrid Voice
-ms.prod: w10
-ms.mktglfcycl: deploy
+ms.prod: surface-hub
 ms.sitesec: library
-ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/support-solutions-surface-hub.md b/devices/surface-hub/support-solutions-surface-hub.md
index 6b03449a2e..66d4455737 100644
--- a/devices/surface-hub/support-solutions-surface-hub.md
+++ b/devices/surface-hub/support-solutions-surface-hub.md
@@ -3,12 +3,11 @@ title: Top support solutions for Microsoft Surface Hub
 description: Find top solutions for common issues using Surface Hub.
 ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A
 keywords: Troubleshoot common problems, setup issues
-ms.prod: w10
-ms.mktglfcycl: support
+ms.prod: surface-hub
 ms.sitesec: library
-ms.pagetype: surfacehub
 author: kaushika-msft
 ms.author: jdecker
+ms.topic: article
 ms.date: 10/24/2017
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/surface-hub-authenticator-app.md b/devices/surface-hub/surface-hub-authenticator-app.md
index 4e76e525e0..d5f9dc8d57 100644
--- a/devices/surface-hub/surface-hub-authenticator-app.md
+++ b/devices/surface-hub/surface-hub-authenticator-app.md
@@ -1,12 +1,11 @@
 ---
 title: Sign in to Surface Hub with Microsoft Authenticator
 description: Use Microsoft Authenticator on your mobile device to sign in to Surface Hub.
-ms.prod: w10
-ms.mktglfcycl: manage
+ms.prod: surface-hub
 ms.sitesec: library
-ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
+ms.topic: article
 ms.date: 08/28/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/surface-hub-downloads.md b/devices/surface-hub/surface-hub-downloads.md
index 71706b04fe..8ddafa924a 100644
--- a/devices/surface-hub/surface-hub-downloads.md
+++ b/devices/surface-hub/surface-hub-downloads.md
@@ -1,12 +1,11 @@
 ---
 title: Useful downloads for Microsoft Surface Hub
 description: Downloads related to the Microsoft Surface Hub.
-ms.prod: w10
-ms.mktglfcycl: explore
+ms.prod: surface-hub
 ms.sitesec: library
-ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
+ms.topic: article
 ms.date: 08/22/2017
 ms.localizationpriority: medium
 ---
@@ -19,7 +18,7 @@ This topic provides links to useful Surface Hub documents, such as product datas | --- | --- | | [Surface Hub Site Readiness Guide (PDF)](http://download.microsoft.com/download/3/8/8/3883E991-DFDB-4E70-8D28-20B26045FC5B/Surface-Hub-Site-Readiness-Guide_EN.pdf) | Make sure your site is ready for Surface Hub, including structural and power requirements, and get technical specs for Surface Hub. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov) | | [Surface Hub Setup Guide (English, French, Spanish) (PDF)](http://download.microsoft.com/download/0/1/6/016363A4-8602-4F01-8281-9BE5C814DC78/Setup-Guide_EN-FR-SP.pdf) | Get a quick overview of how to set up the environment for your new Surface Hub. | -| [Surface Hub Quick Reference Guide (PDF)](http://download.microsoft.com/download/9/E/E/9EE660F8-3FC6-4909-969E-89EA648F06DB/Surface Hub Quick Reference Guide_en-us.pdf) | Use this quick reference guide to get information about key features and functions of the Surface Hub. | +| [Surface Hub Quick Reference Guide (PDF)](http://download.microsoft.com/download/9/E/E/9EE660F8-3FC6-4909-969E-89EA648F06DB/Surface%20Hub%20Quick%20Reference%20Guide_en-us.pdf) | Use this quick reference guide to get information about key features and functions of the Surface Hub. | | [Surface Hub User Guide (PDF)](http://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf) | Learn how to use Surface Hub in scheduled or ad-hoc meetings. Invite remote participants, use the built-in tools, save data from your meeting, and more. 
| | [Surface Hub Replacement PC Drivers](https://www.microsoft.com/download/details.aspx?id=52210) | The Surface Hub Replacement PC driver set is available for those customers who have chosen to disable the Surface Hub’s internal PC and use an external computer with their 84” or 55” Surface Hub. This download is meant to be used with the Surface Hub Admin Guide , which contains further details on configuring a Surface Hub Replacement PC. | | [Surface Hub SSD Replacement Guide (PDF)](http://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf) | Learn how to replace the solid state drive (SSD) for the 55- and 84-inch Surface Hub. | diff --git a/devices/surface-hub/surface-hub-recovery-tool.md b/devices/surface-hub/surface-hub-recovery-tool.md new file mode 100644 index 0000000000..ef1cd24725 --- /dev/null +++ b/devices/surface-hub/surface-hub-recovery-tool.md 
@@ -0,0 +1,99 @@ +--- +title: Using the Surface Hub Recovery Tool +description: How to use the Surface Hub Recovery Tool to re-image the SSD. +ms.assetid: FDB6182C-1211-4A92-A930-6C106BCD5DC1 +keywords: manage Surface Hub +ms.prod: surface-hub +ms.sitesec: library +author: jdeckerms +ms.author: jdecker +ms.topic: article +ms.date: 05/22/2018 +ms.localizationpriority: medium +--- + +# Using the Surface Hub Recovery Tool + +The [Microsoft Surface Hub Recovery Tool](https://www.microsoft.com/download/details.aspx?id=52210) helps you re-image your Surface Hub Solid State Drive (SSD) using a Windows 10 desktop device, without calling support or replacing the SSD. With this tool, you can reimage an SSD that has an unknown Administrator password, boot errors, was unable to complete a cloud recovery, or for a device that has an older version of the operating system. The tool will not fix physically damaged SSDs. + +To re-image the Surface Hub SSD using the Recovery Tool, you'll need to remove the SSD from the Surface Hub, connect the drive to the USB-to-SATA cable, and then connect the cable to the desktop PC on which the Recovery Tool is installed. For more information on how to remove the existing drive from your Surface Hub, please refer to the [Surface Hub SSD Replacement Guide (PDF)](http://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf). + +>[!IMPORTANT] +>Do not let the device go to sleep or interrupt the download of the image file. + +If the tool is unsuccessful in reimaging your drive, please contact [Surface Hub Support](https://support.microsoft.com/help/4037644/surface-contact-surface-warranty-and-software-support). + +## Prerequisites + +### Mandatory + +- Host PC running 64-bit version of Windows 10, version 1607 or higher. 
+- Internet access +- Open USB 2.0 or greater port +- USB-to-SATA cable +- 10 GB of free disk space on the host computer +- SSDs shipped with Surface Hub or a SSD provided by Support as a replacement. SSDs not supplied by Microsoft are not supported. + +### Recommended + +- High-speed Internet connection +- Open USB 3.0 port +- USB 3.0 or higher USB-to-SATA cable +- The imaging tool was tested with the following make and model of cables: + - Startech USB312SAT3CB + - Rosewill RCUC16001 + - Ugreen 20231 + +## Download Surface Hub Recovery Tool + +Surface Hub Recovery Tool is available for download from [Surface Hub Tools for IT](https://www.microsoft.com/download/details.aspx?id=52210) under the file name **SurfaceHub_Recovery_v1.4.137.0.msi**. + +To start the download, click **Download**, choose **SurfaceHub_Recovery_v1.4.137.0.msi** from the list, and click **Next**. From the pop-up, choose one of the following: + +- Click **Run** to start the installation immediately. +- Click **Save** to copy the download to your computer for later installation. + +Install Surface Hub Recovery Tool on the host PC. + +## Run Surface Hub Recovery Tool + +1. On the host PC, select the **Start** button, scroll through the alphabetical list on the left, and select the recovery tool shortcut. + + ![Microsoft Surface Hub Recovery Tool shortcut](images/shrt-shortcut.png) + +2. Click **Start**. + + ![Recovery Tool Start button](images/shrt-start.png) + +3. In the **Guidance** window, click **Next**. + + ![Do not let your machine go to sleep guidance](images/shrt-guidance.png) + +4. click **Yes** to download the image. Time to download the recovery image is dependent on internet connection speeds. On an average corporate connection, it can take up to an hour to download the 8GB image file. + + ![Download the image?](images/shrt-download.png) + +5. When the download is complete, the tool instructs you to connect an SSD drive. 
If the tool is unable to locate the attached drive, there is a good chance that the cable being used is not reporting the name of the SSD to Windows. The imaging tool must find the name of the drive as "LITEON L CH-128V2S USB Device" before it can continue. For more information on how to remove the existing drive from your Surface Hub, please refer to the [Surface Hub SSD Replacement Guide (PDF)](http://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf). + + ![Connect SSD](images/shrt-drive.png) + +6. When the drive is recognized, click **Start** to begin the re-imaging process. On the warning that all data on the drive will be erased, click **OK**. + + ![Start re-imaging the SSD](images/shrt-drive-start.png) + + Prior to applying the system image to the drive, the SSD is repartitioned and formatted. Copying the system binaries will take approximately 30 minutes, but can take longer depending on the speed of your USB bus, the cable being used, or antivirus software installed on your system. + + ![Copying done](images/shrt-done.png) + + ![Reimaging complete](images/shrt-complete.png) + +## Troubleshooting and common problems + +Issue | Notes +--- | --- +The tool fails to image the SSD | Make sure you are using a factory-supplied SSD and one of the tested cables. +The reimaging process appears halted/frozen | It is safe to close and restart the Surface Hub Recovery Tool with no ill effect to the SSD. +The drive isn’t recognized by the tool | Verify that the Surface Hub SSD is enumerated as a Lite-On drive, "LITEON L CH-128V2S USB Device". If the drive is recognized as another named device, your current cable isn’t compatible. Try another cable or one of the tested cable listed above. +Error: -2147024809 | Open Disk Manager and remove the partitions on the Surface Hub drive. Disconnect and reconnect the drive to the host machine. Restart the imaging tool again. 
+ +If the tool is unsuccessful in reimaging your drive, please contact [Surface Hub Support](https://support.microsoft.com/help/4037644/surface-contact-surface-warranty-and-software-support). \ No newline at end of file diff --git a/devices/surface-hub/surface-hub-start-menu.md b/devices/surface-hub/surface-hub-start-menu.md index 07671c8e12..5e6469aab1 100644 --- a/devices/surface-hub/surface-hub-start-menu.md +++ b/devices/surface-hub/surface-hub-start-menu.md @@ -1,12 +1,11 @@ --- title: Configure Surface Hub Start menu description: Use MDM to customize the Start menu on Surface Hub. -ms.prod: w10 -ms.mktglfcycl: manage +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker +ms.topic: article ms.date: 01/17/2018 ms.localizationpriority: medium --- diff --git a/devices/surface-hub/surface-hub-wifi-direct.md b/devices/surface-hub/surface-hub-wifi-direct.md index 87de677e90..c4051021b6 100644 --- a/devices/surface-hub/surface-hub-wifi-direct.md +++ b/devices/surface-hub/surface-hub-wifi-direct.md @@ -2,12 +2,11 @@ title: How Surface Hub addresses Wi-Fi Direct security issues description: This topic provides guidance on Wi-Fi Direct security risks. keywords: change history -ms.prod: w10 -ms.mktglfcycl: manage +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker +ms.topic: article ms.date: 07/27/2017 ms.localizationpriority: medium --- diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md index 59ced8ff5d..1473174177 100644 --- a/devices/surface-hub/surfacehub-whats-new-1703.md +++ b/devices/surface-hub/surfacehub-whats-new-1703.md 
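Review bot: The "Download Surface Hub Recovery Tool" section tells the reader to click **Run** on the MSI, but the page never says how to confirm the installer is genuine before it is allowed to repartition a drive. A line such as `Before you install, confirm that the .msi carries a valid Microsoft digital signature (file Properties > Digital Signatures).` would cover that. Both links to the SSD Replacement Guide (the intro paragraph and step 5) use `http://download.microsoft.com/...`; they should be `https://` so the PDF is not fetched over cleartext. Two wording points: step 4 should read `Click **Yes**`, and the -2147024809 row presumably means Disk Management rather than "Disk Manager".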
@@ -1,12 +1,11 @@
 ---
 title: What's new in Windows 10, version 1703 for Surface Hub
 description: Windows 10, version 1703 (Creators Update) brings new features to Microsoft Surface Hub.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.pagetype: devices
+ms.prod: surface-hub
 ms.sitesec: library
 author: jdeckerms
 ms.author: jdecker
+ms.topic: article
 ms.date: 01/18/2018
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md
index 1056ed9472..a6158edff8 100644
--- a/devices/surface-hub/troubleshoot-surface-hub.md
+++ b/devices/surface-hub/troubleshoot-surface-hub.md
@@ -3,12 +3,11 @@ title: Troubleshoot Microsoft Surface Hub
 description: Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.
 ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A
 keywords: Troubleshoot common problems, setup issues, Exchange ActiveSync errors
-ms.prod: w10
-ms.mktglfcycl: support
+ms.prod: surface-hub
 ms.sitesec: library
-ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
+ms.topic: article
 ms.date: 03/16/2018
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
index b108f07936..f64a9fbf5d 100644
--- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
+++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
@@ -4,12 +4,11 @@ description: Troubleshoot common problems, including setup issues, Exchange Acti
 keywords: ["Troubleshoot common problems", "setup issues", "Exchange ActiveSync errors"]
 author: jdeckerms
 ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ms.localizationpriority: medium
-ms.prod: w10
-ms.mktglfcycl: support
+ms.prod: surface-hub
 ms.sitesec: library
-ms.pagetype: surfacehub
 ---
 # Configure domain name for Skype for Business
@@ -17,7 +16,7 @@ ms.pagetype: surfacehub There are a few scenarios where you need to specify the domain name of your Skype for Business server: - **Multiple DNS suffixes** - When your Skype for Business infrastructure has disjointed namespaces such that one or more servers have a DNS suffix that doesn't match the suffix of the sign-in address (SIP) for Skype for Business. - **Skype for Business and Exchange suffixes are different** - When the suffix of the sign-in address for Skype for Business differs from the suffix of the Exchange address used for the device account. -- **Working with certificates** - Large organizations with on-premise Skype for Business servers commonly use certificates with their own root certificate authority (CA). It is common for the CA domain to be different than the domain of the Skype for Business server which causes the certificate to not be trusted, and sign-in fails. Skype needs to know the domain name of the certificate in order to set up a trust relationship. Enterprises typically use Group Policy to push this out to Skype desktop, but Group Policy is not supported on Surface Hub. +- **Working with certificates** - Large organizations with on-premises Skype for Business servers commonly use certificates with their own root certificate authority (CA). It is common for the CA domain to be different than the domain of the Skype for Business server which causes the certificate to not be trusted, and sign-in fails. Skype needs to know the domain name of the certificate in order to set up a trust relationship. Enterprises typically use Group Policy to push this out to Skype desktop, but Group Policy is not supported on Surface Hub. **To configure the domain name for your Skype for Business server**
1. On Surface Hub, open **Settings**. diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md index 2ab4e26c88..7c5fc0e5d9 100644 --- a/devices/surface-hub/use-room-control-system-with-surface-hub.md +++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md @@ -3,12 +3,11 @@ title: Using a room control system (Surface Hub) description: Room control systems can be used with your Microsoft Surface Hub. ms.assetid: DC365002-6B35-45C5-A2B8-3E1EB0CB8B50 keywords: room control system, Surface Hub -ms.prod: w10 -ms.mktglfcycl: manage +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker +ms.topic: article ms.date: 07/27/2017 ms.localizationpriority: medium --- diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md index 7ad560c77e..10f086f358 100644 --- a/devices/surface-hub/whiteboard-collaboration.md +++ b/devices/surface-hub/whiteboard-collaboration.md 
@@ -1,19 +1,21 @@ --- title: Set up and use Whiteboard to Whiteboard collaboration description: Microsoft Whiteboard’s latest update includes the capability for two Surface Hubs to collaborate in real time on the same board. -ms.prod: w10 -ms.mktglfcycl: manage +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.date: 10/20/2017 +ms.topic: article +ms.date: 07/12/2018 ms.localizationpriority: medium --- # Set up and use Whiteboard to Whiteboard collaboration (Surface Hub) -Microsoft Whiteboard’s latest update (17.8302.5275X or greater) includes the capability for two Surface Hubs to collaborate in real time on the same board. +The Microsoft Whiteboard app includes the capability for two Surface Hubs to collaborate in real time on the same board. + +>[!IMPORTANT] +>A new Microsoft Whiteboard app was released on July 12, 2018. The existing Whiteboard app that comes installed on Surface Hub and is pinned to the Welcome screen cannot collaborate with the new version that can be installed on the PC. If people in your organization install the new Whiteboard on their PCs, you must install the new Whiteboard on Surface Hub to enable collaboration. To learn more about installing the new Whiteboard on your Surface Hub, see [Whiteboard on Surface Hub opt-in](https://go.microsoft.com/fwlink/p/?LinkId=2004277). By ensuring that your organization meets the prerequisites, users can then ink, collaborate, and ideate together. diff --git a/devices/surface-hub/wireless-network-management-for-surface-hub.md b/devices/surface-hub/wireless-network-management-for-surface-hub.md index b9348bc48d..516ddeab67 100644 --- a/devices/surface-hub/wireless-network-management-for-surface-hub.md +++ b/devices/surface-hub/wireless-network-management-for-surface-hub.md 
@@ -3,12 +3,11 @@ title: Wireless network management (Surface Hub) description: Microsoft Surface Hub offers two options for network connectivity to your corporate network and Internet wireless, and wired. While both provide network access, we recommend you use a wired connection. ms.assetid: D2CFB90B-FBAA-4532-B658-9AA33CAEA31D keywords: network connectivity, wired connection -ms.prod: w10 -ms.mktglfcycl: manage +ms.prod: surface-hub ms.sitesec: library -ms.pagetype: surfacehub, networking author: jdeckerms ms.author: jdecker +ms.topic: article ms.date: 07/27/2017 ms.localizationpriority: medium --- diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index 778c88fa47..6bb7a33e57 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -1,6 +1,6 @@ # [Surface](index.md) ## [Deploy Surface devices](deploy.md) -### [Windows AutoPilot and Surface devices](windows-autopilot-and-surface-devices.md) +### [Windows Autopilot and Surface devices](windows-autopilot-and-surface-devices.md) ### [Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsc.md) #### [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md) ### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) diff --git a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md index 4e5dde8200..edc8b8e993 100644 --- a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md +++ b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md 
@@ -3,12 +3,14 @@ title: Advanced UEFI security features for Surface Pro 3 (Surface) description: This article describes how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices. ms.assetid: 90F790C0-E5FC-4482-AD71-60589E3C9C93 keywords: security, features, configure, hardware, device, custom, script, update -ms.localizationpriority: high +ms.localizationpriority: medium ms.prod: w10 ms.mktglfcycl: manage ms.pagetype: surface, devices, security ms.sitesec: library author: miladCA +ms.author: jdecker +ms.topic: article ms.date: 07/27/2017 --- diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index a374627e4d..7b010ca138 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -5,13 +5,22 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -ms.date: 02/12/2018 +ms.author: jdecker +ms.topic: article +ms.date: 05/15/2018 --- # Change history for Surface documentation This topic lists new and updated topics in the Surface documentation library. +## May 2018 + +|New or changed topic | Description | +| --- | --- | +|[Microsoft Surface Data Eraser](microsoft-surface-data-eraser.md) | Added version 3.2.58.0 information | +|[Surface device compatibility with Windows 10 Long-Term Servicing Channel (LTSC)](surface-device-compatibility-with-windows-10-ltsc.md) | Removed note box around content | + ## February 2018 |New or changed topic | Description | 
@@ -23,7 +32,7 @@ This topic lists new and updated topics in the Surface documentation library. |New or changed topic | Description | | --- | --- | -|[Windows AutoPilot and Surface devices](windows-autopilot-and-surface-devices.md) | New article | +|[Windows Autopilot and Surface devices](windows-autopilot-and-surface-devices.md) | New article | |[Microsoft Surface Data Eraser](microsoft-surface-data-eraser.md) | Added version 3.2.45.0 information | |[Surface device compatibility with Windows 10 Long-Term Servicing Channel (LTSC)](surface-device-compatibility-with-windows-10-ltsc.md) | Updated Current Branch (CB) or Current Branch for Business (CBB) servicing options with Semi-Annual Channel (SAC) information | |[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | Added Surface Book 2, Surface Laptop, Surface Pro, Surface Pro with LTE Advanced, and Surface Pro information | diff --git a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md index 7f1ca137fd..1160b8cacc 100644 --- a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md +++ b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md @@ -7,6 +7,8 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: Scottmca +ms.author: jdecker +ms.topic: article ms.date: 10/16/2017 --- diff --git a/devices/surface/customize-the-oobe-for-surface-deployments.md b/devices/surface/customize-the-oobe-for-surface-deployments.md index b05c06e3ef..0d4a26f5e9 100644 --- a/devices/surface/customize-the-oobe-for-surface-deployments.md +++ b/devices/surface/customize-the-oobe-for-surface-deployments.md 
@@ -3,12 +3,14 @@ title: Customize the OOBE for Surface deployments (Surface)
 description: This article will walk you through the process of customizing the Surface out-of-box experience for end users in your organization.
 ms.assetid: F6910315-9FA9-4297-8FA8-2C284A4B1D87
 keywords: deploy, customize, automate, network, Pen, pair, boot
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
 ms.sitesec: library
 author: jobotto
+ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ---
diff --git a/devices/surface/deploy-surface-app-with-windows-store-for-business.md b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
index 00d28623aa..491ca43c11 100644
--- a/devices/surface/deploy-surface-app-with-windows-store-for-business.md
+++ b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
@@ -7,6 +7,8 @@ ms.mktglfcycl: deploy
 ms.pagetype: surface, store
 ms.sitesec: library
 author: miladCA
+ms.author: jdecker
+ms.topic: article
 ms.date: 09/21/2017
 ---
diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
index 0759f97b9a..d009237304 100644
--- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
+++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
@@ -3,7 +3,7 @@ title: Download the latest firmware and drivers for Surface devices (Surface)
 description: This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.
 ms.assetid: 7662BF68-8BF7-43F7-81F5-3580A770294A
 keywords: update Surface, newest, latest, download, firmware, driver, tablet, hardware, device
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
@@ -11,6 +11,7 @@ ms.sitesec: library
 author: brecords
 ms.date: 12/07/2017
 ms.author: jdecker
+ms.topic: article
 ---
 # Download the latest firmware and drivers for Surface devices
diff --git a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
index d0ec9f01fe..1f84f574f3 100644
--- a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
+++ b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
@@ -7,6 +7,8 @@ ms.mktglfcycl: deploy
 ms.pagetype: surface
 ms.sitesec: library
 author: Scottmca
+ms.author: jdecker
+ms.topic: article
 ms.date: 10/16/2017
 ---
diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md
index a52eef5395..00e7dc22e0 100644
--- a/devices/surface/deploy.md
+++ b/devices/surface/deploy.md
@@ -8,6 +8,7 @@ ms.sitesec: library
 author: brecords
 ms.date: 01/29/2018
 ms.author: jdecker
+ms.topic: article
 ---
 # Deploy Surface devices
@@ -18,7 +19,7 @@ Get deployment guidance for your Surface devices including information about MDT | Topic | Description | | --- | --- | -| [Windows AutoPilot and Surface devices](windows-autopilot-and-surface-devices.md) | Find out how to remotely deploy and configure devices with Windows AutoPilot. | +| [Windows Autopilot and Surface devices](windows-autopilot-and-surface-devices.md) | Find out how to remotely deploy and configure devices with Windows Autopilot. | | [Surface device compatibility with Windows 10 Long-Term Servicing Channel](surface-device-compatibility-with-windows-10-ltsc.md) | Find out about compatibility and limitations of Surface devices running Windows 10 Enterprise LTSC edition. | | [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) | Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.| | [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)| Find out how to perform a Windows 10 upgrade deployment to your Surface devices. | diff --git a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md index e5e7084262..7b2265c6f4 100644 --- a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md +++ b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md 
@@ -3,12 +3,14 @@ title: Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices (Surface)
 description: Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.
 ms.assetid: A281EFA3-1552-467D-8A21-EB151E58856D
 keywords: network, wireless, device, deploy, authentication, protocol
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
 ms.sitesec: library
 author: miladCA
+ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ---
diff --git a/devices/surface/enroll-and-configure-surface-devices-with-semm.md b/devices/surface/enroll-and-configure-surface-devices-with-semm.md
index 1b21185ebd..086d18eead 100644
--- a/devices/surface/enroll-and-configure-surface-devices-with-semm.md
+++ b/devices/surface/enroll-and-configure-surface-devices-with-semm.md
@@ -7,6 +7,8 @@ ms.mktglfcycl: manage
 ms.pagetype: surface, devices, security
 ms.sitesec: library
 author: jobotto
+ms.author: jdecker
+ms.topic: article
 ms.date: 01/06/2017
 ---
diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
index 70a83684af..2e6455f840 100644
--- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md
+++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
@@ -3,12 +3,14 @@ title: Ethernet adapters and Surface deployment (Surface)
 description: This article provides guidance and answers to help you perform a network deployment to Surface devices.
 ms.assetid: 5273C59E-6039-4E50-96B3-426BB38A64C0
 keywords: ethernet, deploy, removable, network, connectivity, boot, firmware, device, adapter, PXE boot, USB
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
 ms.sitesec: library
 author: jobotto
+ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ---
diff --git a/devices/surface/index.md b/devices/surface/index.md
index e9007ff9b0..477f6aaedf 100644
--- a/devices/surface/index.md
+++ b/devices/surface/index.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: manage
 ms.pagetype: surface, devices
 ms.sitesec: library
 author: heatherpoulsen
+ms.author: jdecker
+ms.topic: article
 ms.date: 10/16/2017
 ---
diff --git a/devices/surface/ltsb-for-surface.md b/devices/surface/ltsb-for-surface.md
index a4c9d85f83..8c54cb0ffd 100644
--- a/devices/surface/ltsb-for-surface.md
+++ b/devices/surface/ltsb-for-surface.md
@@ -6,6 +6,8 @@ ms.mktglfcycl: manage
 ms.pagetype: surface, devices
 ms.sitesec: library
 author: jdeckerms
+ms.author: jdecker
+ms.topic: article
 ms.date: 04/25/2017
 ---
diff --git a/devices/surface/manage-surface-dock-firmware-updates.md b/devices/surface/manage-surface-dock-firmware-updates.md
index e25ba31621..45bf61629f 100644
--- a/devices/surface/manage-surface-dock-firmware-updates.md
+++ b/devices/surface/manage-surface-dock-firmware-updates.md
@@ -2,13 +2,15 @@
 title: Manage Surface Dock firmware updates (Surface)
 description: Read about the different methods you can use to manage the process of Surface Dock firmware updates.
 ms.assetid: 86DFC0C0-C842-4CD1-A2D7-4425471FFE3F
-ms.localizationpriority: high
+ms.localizationpriority: medium
 keywords: firmware, update, install, drivers
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices
 ms.sitesec: library
 author: jobotto
+ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ---
diff --git a/devices/surface/manage-surface-pro-3-firmware-updates.md b/devices/surface/manage-surface-pro-3-firmware-updates.md
index 69e97eaf87..680e04d830 100644
--- a/devices/surface/manage-surface-pro-3-firmware-updates.md
+++ b/devices/surface/manage-surface-pro-3-firmware-updates.md
@@ -3,12 +3,14 @@ title: Manage Surface driver and firmware updates (Surface)
 description: This article describes the available options to manage firmware and driver updates for Surface devices.
 ms.assetid: CD1219BA-8EDE-4BC8-BEEF-99B50C211D73
 keywords: Surface, Surface Pro 3, firmware, update, device, manage, deploy, driver, USB
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices
 ms.sitesec: library
 author: jobotto
+ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ---
diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md
index 4b154c0a9a..aa003e15fa 100644
--- a/devices/surface/manage-surface-uefi-settings.md
+++ b/devices/surface/manage-surface-uefi-settings.md
@@ -2,12 +2,14 @@
 title: Manage Surface UEFI settings (Surface)
 description: Use Surface UEFI settings to enable or disable devices or components, configure security settings, and adjust Surface device boot settings.
 keywords: firmware, security, features, configure, hardware
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: devices, surface
 author: miladCA
+ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ---
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index b1f7c26052..9b9736af68 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -2,7 +2,7 @@
 title: Microsoft Surface Data Eraser (Surface)
 description: Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.
 ms.assetid: 8DD3F9FE-5458-4467-BE26-E9200341CF10
-ms.localizationpriority: high
+ms.localizationpriority: medium
 keywords: tool, USB, data, erase
 ms.prod: w10
 ms.mktglfcycl: manage
@@ -10,7 +10,8 @@ ms.pagetype: surface, devices, security ms.sitesec: library author: brecords ms.author: jdecker -ms.date: 02/12/2018 +ms.topic: article +ms.date: 05/15/2018 --- # Microsoft Surface Data Eraser @@ -146,6 +147,12 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following: +### Version 3.2.58.0 +This version of Microsoft Surface Data Eraser adds support for the following: + +- • Additional storage devices (drives) for Surface Pro and Surface Laptop devices + + ### Version 3.2.46.0 This version of Microsoft Surface Data Eraser adds support for the following: diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md index 631198f085..da0e607baf 100644 --- a/devices/surface/microsoft-surface-deployment-accelerator.md +++ b/devices/surface/microsoft-surface-deployment-accelerator.md @@ -3,13 +3,15 @@ title: Microsoft Surface Deployment Accelerator (Surface) description: Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices. ms.assetid: E7991E90-4AAE-44B6-8822-58BFDE3EADE4 ms.date: 07/27/2017 -ms.localizationpriority: high +ms.localizationpriority: medium keywords: deploy, install, tool ms.prod: w10 ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: miladCA +ms.author: jdecker +ms.topic: article --- # Microsoft Surface Deployment Accelerator diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md index 33683b5d6c..f6235d2f28 100644 --- a/devices/surface/step-by-step-surface-deployment-accelerator.md +++ b/devices/surface/step-by-step-surface-deployment-accelerator.md 
@@ -2,13 +2,15 @@
 title: Step by step Surface Deployment Accelerator (Surface)
 description: This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices.
 ms.assetid: A944FB9C-4D81-4868-AFF6-B9D1F5CF1032
-ms.localizationpriority: high
+ms.localizationpriority: medium
 keywords: deploy, configure
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
 ms.sitesec: library
 author: miladCA
+ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ---
diff --git a/devices/surface/support-solutions-surface.md b/devices/surface/support-solutions-surface.md
index 3525ce34a9..2ee030e7da 100644
--- a/devices/surface/support-solutions-surface.md
+++ b/devices/surface/support-solutions-surface.md
@@ -9,6 +9,7 @@ ms.sitesec: library
 ms.pagetype: surfacehub
 author: kaushika-msft
 ms.author: jdecker
+ms.topic: article
 ms.date: 09/08/2017
 ms.localizationpriority: medium
 ---
diff --git a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
index 0d4409c657..52bef60ccd 100644
--- a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
+++ b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
@@ -8,6 +8,7 @@ ms.pagetype: surface, devices
 ms.sitesec: library
 author: brecords
 ms.author: jdecker
+ms.topic: article
 ms.date: 01/03/2018
 ---
@@ -35,8 +36,7 @@ The LTSC servicing option is designed for device types and scenarios where the k >[!NOTE] >For general information about Windows servicing branches, including LTSC, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/update/waas-overview#long-term-servicing-branch). ->[!NOTE] ->As a general guideline, devices that fulfill the following criteria are considered general-purpose devices and should be paired with Windows 10 Pro or Windows 10 Enterprise using the Semi-Annual Channel servicing option: +As a general guideline, devices that fulfill the following criteria are considered general-purpose devices and should be paired with Windows 10 Pro or Windows 10 Enterprise using the Semi-Annual Channel servicing option: * Devices that run productivity software such as Microsoft Office diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md index 55d7b233dc..445be071c9 100644 --- a/devices/surface/surface-dock-updater.md +++ b/devices/surface/surface-dock-updater.md @@ -3,7 +3,7 @@ title: Microsoft Surface Dock Updater (Surface) description: This article provides a detailed walkthrough of Microsoft Surface Dock Updater. ms.assetid: 1FEFF277-F7D1-4CB4-8898-FDFE8CBE1D5C keywords: install, update, firmware -ms.localizationpriority: high +ms.localizationpriority: medium ms.prod: w10 ms.mktglfcycl: manage ms.pagetype: surface, devices @@ -11,6 +11,7 @@ ms.sitesec: library author: brecords ms.date: 02/23/2018 ms.author: jdecker +ms.topic: article --- # Microsoft Surface Dock Updater 
@@ -116,6 +117,14 @@ Microsoft periodically updates Surface Dock Updater. To learn more about the app >[!Note] >Each update to Surface Dock firmware is included in a new version of Surface Dock Updater. To update a Surface Dock to the latest firmware, you must use the latest version of Surface Dock Updater. +### Version 2.22.139.0 +*Release Date: 26 July 2018* + +This version of Surface Dock Updater adds support for the following: + +- Increase update reliability +- Add support for Surface Go + ### Version 2.12.136.0 *Release Date: 29 January 2018* diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index bcf6b4b60c..42df3fd641 100644 --- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md @@ -7,6 +7,8 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices, security ms.sitesec: library author: jobotto +ms.author: jdecker +ms.topic: article ms.date: 01/06/2017 --- diff --git a/devices/surface/unenroll-surface-devices-from-semm.md b/devices/surface/unenroll-surface-devices-from-semm.md index 4e8cb226f3..323624a34f 100644 --- a/devices/surface/unenroll-surface-devices-from-semm.md +++ b/devices/surface/unenroll-surface-devices-from-semm.md @@ -7,6 +7,8 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices, security ms.sitesec: library author: jobotto +ms.author: jdecker +ms.topic: article ms.date: 01/06/2017 --- diff --git a/devices/surface/update.md b/devices/surface/update.md index 7c1b86fbb8..29e0b9517b 100644 --- a/devices/surface/update.md +++ b/devices/surface/update.md @@ -6,6 +6,8 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library author: heatherpoulsen +ms.author: jdecker +ms.topic: article ms.date: 12/01/2016 --- diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md index 20b66668b4..4e13cfd089 100644 
--- a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md +++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md @@ -7,6 +7,8 @@ ms.mktglfcycl: deploy ms.pagetype: surface ms.sitesec: library author: Scottmca +ms.author: jdecker +ms.topic: article ms.date: 10/16/2017 --- diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md index 9234eb04c3..73c49f7dbc 100644 --- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md +++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md @@ -7,6 +7,8 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library author: KiranDavane +ms.author: jdecker +ms.topic: article ms.date: 02/01/2017 --- @@ -40,7 +42,7 @@ Management of SEMM with Configuration Manager requires the installation of Micro #### Download SEMM scripts for Configuration Manager -After Microsoft Surface UEFI Manager is installed on the client Surface device, SEMM is deployed and managed with PowerShell scripts. You can download samples of the [SEMM management scripts](https://gallery.technet.microsoft.com/Sample-PowerShell-for-5eb5f03c) from the TechNet Gallery Script Center. +After Microsoft Surface UEFI Manager is installed on the client Surface device, SEMM is deployed and managed with PowerShell scripts. You can download samples of the [SEMM management scripts](https://www.microsoft.com/en-us/download/details.aspx?id=46703) from the Download Center. ## Deploy Microsoft Surface UEFI Manager 
@@ -267,7 +269,7 @@ The following code fragment, found on lines 352-363, is used to write this regis ### Settings names and IDs -To configure Surface UEFI settings or permissions for Surface UEFI settings, you must refer to each setting by either its setting name or setting ID. With each new update for Surface UEFI, new settings may be added. The best way to get a complete list of the settings available on a Surface device, along with the settings name and settings IDs, is to use the ShowSettingsOptions.ps1 script from [SEMM management scripts for Configuration Manager](https://gallery.technet.microsoft.com/Sample-PowerShell-for-5eb5f03c) in the TechNet Gallery Script Center. +To configure Surface UEFI settings or permissions for Surface UEFI settings, you must refer to each setting by either its setting name or setting ID. With each new update for Surface UEFI, new settings may be added. The best way to get a complete list of the settings available on a Surface device, along with the settings name and settings IDs, is to use the ShowSettingsOptions.ps1 script from SEMM_Powershell.zip in [Surface Tools for IT Downloads](https://www.microsoft.com/en-us/download/details.aspx?id=46703) The computer where ShowSettingsOptions.ps1 is run must have Microsoft Surface UEFI Manager installed, but the script does not require a Surface device. 
@@ -422,4 +424,4 @@ Removal of SEMM from a device deployed with Configuration Manager using these sc >When you install a reset package, the Lowest Supported Value (LSV) is reset to a value of 1. You can reenroll a device by using an existing configuration package – the device will prompt for the certificate thumbprint before ownership is taken. ->For this reason, the reenrollment of a device in SEMM would require a new package to be created and installed on that device. Because this action is a new enrollment and not a change in configuration on a device already enrolled in SEMM, the device will prompt for the certificate thumbprint before ownership is taken. \ No newline at end of file +>For this reason, the reenrollment of a device in SEMM would require a new package to be created and installed on that device. Because this action is a new enrollment and not a change in configuration on a device already enrolled in SEMM, the device will prompt for the certificate thumbprint before ownership is taken. diff --git a/devices/surface/using-the-sda-deployment-share.md b/devices/surface/using-the-sda-deployment-share.md index b65fc91fb5..75bb5c6f65 100644 --- a/devices/surface/using-the-sda-deployment-share.md +++ b/devices/surface/using-the-sda-deployment-share.md @@ -7,6 +7,8 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: Scottmca +ms.author: jdecker +ms.topic: article ms.date: 10/16/2017 --- diff --git a/devices/surface/wake-on-lan-for-surface-devices.md b/devices/surface/wake-on-lan-for-surface-devices.md index b9d7b5d2e3..c584cc40bb 100644 --- a/devices/surface/wake-on-lan-for-surface-devices.md +++ b/devices/surface/wake-on-lan-for-surface-devices.md @@ -8,6 +8,7 @@ ms.pagetype: surface, devices ms.sitesec: library author: brecords ms.author: jdecker +ms.topic: article ms.date: 01/03/2018 --- 
diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md
index d4599d8ffd..cbfbebde41 100644
--- a/devices/surface/windows-autopilot-and-surface-devices.md
+++ b/devices/surface/windows-autopilot-and-surface-devices.md
@@ -1,6 +1,6 @@
 ---
-title: Windows AutoPilot and Surface Devices (Surface)
-description: Find out about Windows AutoPilot deployment options for Surface devices.
+title: Windows Autopilot and Surface Devices (Surface)
+description: Find out about Windows Autopilot deployment options for Surface devices.
 keywords: autopilot, windows 10, surface, deployment
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -9,18 +9,19 @@ ms.sitesec: library author: brecords ms.date: 01/31/2018 ms.author: jdecker +ms.topic: article --- -# Windows AutoPilot and Surface devices +# Windows Autopilot and Surface devices -Windows AutoPilot is a cloud-based deployment technology available in Windows 10. Using Windows AutoPilot, you can remotely deploy and configure devices in a truly zero-touch process right out of the box. Windows AutoPilot registered devices are identified over the internet at first boot using a unique device signature, known as the hardware hash, and automatically enrolled and configured using modern management solutions such as Azure Active Directory (AAD) and Mobile Device Management (MDM). +Windows Autopilot is a cloud-based deployment technology available in Windows 10. Using Windows Autopilot, you can remotely deploy and configure devices in a truly zero-touch process right out of the box. Windows Autopilot registered devices are identified over the internet at first boot using a unique device signature, known as the hardware hash, and automatically enrolled and configured using modern management solutions such as Azure Active Directory (AAD) and Mobile Device Management (MDM). -With Surface devices, you can choose to register your devices at the time of purchase when purchasing from a Surface partner enabled for Windows AutoPilot. New devices can be shipped directly to your end-users and will be automatically enrolled and configured when the units are unboxed and turned on for the first time. This process can eliminate need to reimage your devices as part of your deployment process, reducing the work required of your deployment staff and opening up new, agile methods for device management and distribution. +With Surface devices, you can choose to register your devices at the time of purchase when purchasing from a Surface partner enabled for Windows Autopilot. 
New devices can be shipped directly to your end-users and will be automatically enrolled and configured when the units are unboxed and turned on for the first time. This process can eliminate need to reimage your devices as part of your deployment process, reducing the work required of your deployment staff and opening up new, agile methods for device management and distribution. -In this article learn how to enroll your Surface devices in Windows AutoPilot with a Surface partner and the options and considerations you will need to know along the way. This article focuses specifically on Surface devices, for more information about using Windows AutoPilot with other devices, or to read more about Windows AutoPilot and its capabilities, see [Overview of Windows AutoPilot](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-10-autopilot) in the Windows Docs Library. +In this article learn how to enroll your Surface devices in Windows Autopilot with a Surface partner and the options and considerations you will need to know along the way. This article focuses specifically on Surface devices, for more information about using Windows Autopilot with other devices, or to read more about Windows Autopilot and its capabilities, see [Overview of Windows Autopilot](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-10-autopilot) in the Windows Docs Library. ## Prerequisites -Enrollment of Surface devices in Windows AutoPilot with a Surface partner enabled for Windows AutoPilot has the following licensing requirements for each enrolled Surface device: +Enrollment of Surface devices in Windows Autopilot with a Surface partner enabled for Windows Autopilot has the following licensing requirements for each enrolled Surface device: * **Azure Active Directory Premium** – Required to enroll your devices in your organization and to automatically enroll devices in your organization’s mobile management solution. 
* **Mobile Device Management (such as Microsoft Intune)** – Required to remotely deploy applications, configure, and manage your enrolled devices. * **Office 365 ProPlus** – Required to deploy Microsoft Office to your enrolled devices. 
@@ -33,19 +34,23 @@ Or * Office 365 ProPlus, E3, or E5 (includes Office 365 ProPlus) >[!NOTE] ->Deployment of devices using Windows AutoPilot to complete the Out-of-Box Experience (OOBE) is supported without these prerequisites, however will yield deployed devices without applications, configuration, or enrollment in a management solution and is highly discouraged. +>Deployment of devices using Windows Autopilot to complete the Out-of-Box Experience (OOBE) is supported without these prerequisites, however will yield deployed devices without applications, configuration, or enrollment in a management solution and is highly discouraged. ### Windows version considerations -Support for broad deployments of Surface devices using Windows AutoPilot, including enrollment performed by Surface partners at the time of purchase, requires devices manufactured with or otherwise installed with Windows 10 Version 1709 (Fall Creators Update). Windows 10 Version 1709 uses a secure 4096-bit (4k) hash value to uniquely identify devices for Windows AutoPilot that is necessary for deployments at scale. +Support for broad deployments of Surface devices using Windows Autopilot, including enrollment performed by Surface partners at the time of purchase, requires devices manufactured with or otherwise installed with Windows 10 Version 1709 (Fall Creators Update). Windows 10 Version 1709 uses a secure 4096-bit (4k) hash value to uniquely identify devices for Windows Autopilot that is necessary for deployments at scale. 
### Surface device support -Surface devices with support for out-of-box deployment with Windows AutoPilot, enrolled during the purchase process with a Surface partner, include the following devices, where the devices ship from the factory with Windows 10 Version 1709: +Surface devices with support for out-of-box deployment with Windows Autopilot, enrolled during the purchase process with a Surface partner, include the following devices, where the devices ship from the factory with Windows 10 Version 1709: * Surface Pro (Model 1796) * Surface Book 2 * Surface Laptop * Surface Studio -## Surface partners enabled for Windows AutoPilot -Enrolling Surface devices in Windows AutoPilot at the time of purchase is a capability provided by select Surface partners that are enabled with the capability to identify individual Surface devices during the purchase process and perform enrollment on an organization’s behalf. Devices enrolled by a Surface partner at time of purchase can be shipped directly to users and configured entirely through the zero-touch process of Windows AutoPilot, Azure Active Directory, and Mobile Device Management. +## Surface partners enabled for Windows Autopilot +Enrolling Surface devices in Windows Autopilot at the time of purchase is a capability provided by select Surface partners that are enabled with the capability to identify individual Surface devices during the purchase process and perform enrollment on an organization’s behalf. Devices enrolled by a Surface partner at time of purchase can be shipped directly to users and configured entirely through the zero-touch process of Windows Autopilot, Azure Active Directory, and Mobile Device Management. -You can find a list of Surface partners enabled for Windows AutoPilot at the [Windows AutoPilot for Surface portal](https://www.microsoft.com/en-us/itpro/surface/windows-autopilot-for-surface). 
\ No newline at end of file +When you purchase Surface devices from a Surface partner enabled for Windows Autopilot, your new devices can be enrolled in your Windows Autopilot deployment for you by the partner. Surface partners enabled for Windows Autopilot include: + +- [SHI](https://www.shi.com/?reseller=shi) +- [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface.html) +- [Atea](https://www.atea.com/) \ No newline at end of file diff --git a/education/get-started/change-history-ms-edu-get-started.md b/education/get-started/change-history-ms-edu-get-started.md index 0110254868..97ddde85fb 100644 --- a/education/get-started/change-history-ms-edu-get-started.md +++ b/education/get-started/change-history-ms-edu-get-started.md @@ -2,7 +2,8 @@ title: Change history for Microsoft Education Get Started description: New and changed topics in the Microsoft Education get started guide. keywords: Microsoft Education get started guide, IT admin, IT pro, school, education, change history -ms.prod: w10 +ms.prod: w10 +ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu diff --git a/education/get-started/configure-microsoft-store-for-education.md b/education/get-started/configure-microsoft-store-for-education.md index ec173a261d..caf9b51520 100644 --- a/education/get-started/configure-microsoft-store-for-education.md +++ b/education/get-started/configure-microsoft-store-for-education.md 
@@ -3,10 +3,11 @@ title: Configure Microsoft Store for Education
 description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices.
 keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs
 ms.prod: w10
+ms.technology: Windows
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.topic: get-started
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.pagetype: edu
 author: CelesteDG
 ms.author: celested
diff --git a/education/get-started/enable-microsoft-teams.md b/education/get-started/enable-microsoft-teams.md
index 6c74c506b0..bab1e61628 100644
--- a/education/get-started/enable-microsoft-teams.md
+++ b/education/get-started/enable-microsoft-teams.md
@@ -3,10 +3,11 @@ title: Enable Microsoft Teams for your school
 description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices.
 keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs
 ms.prod: w10
+ms.technology: Windows
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.topic: get-started
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.pagetype: edu
 author: CelesteDG
 ms.author: celested
diff --git a/education/get-started/finish-setup-and-other-tasks.md b/education/get-started/finish-setup-and-other-tasks.md
index 55a52faa11..b15394f6ac 100644
--- a/education/get-started/finish-setup-and-other-tasks.md
+++ b/education/get-started/finish-setup-and-other-tasks.md
@@ -3,10 +3,11 @@ title: Finish Windows 10 device setup and other tasks
 description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices.
 keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs
 ms.prod: w10
+ms.technology: Windows
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.topic: get-started
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.pagetype: edu
 author: CelesteDG
 ms.author: celested
diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md
index 4746bcc249..39dad1f8e4 100644
--- a/education/get-started/get-started-with-microsoft-education.md
+++ b/education/get-started/get-started-with-microsoft-education.md
@@ -3,10 +3,11 @@ title: Deploy and manage a full cloud IT solution with Microsoft Education
 description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices.
 keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs
 ms.prod: w10
+ms.technology: Windows
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.topic: hero-article
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.pagetype: edu
 author: CelesteDG
 ms.author: celested
diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md new file mode 100644 index 0000000000..d5a982714e --- /dev/null +++ b/education/get-started/inclusive-classroom-it-admin.md @@ -0,0 +1,82 @@ +--- +title: Inclusive Classroom IT Admin Guide +description: Learning which Inclusive Classroom features are available in which apps and in which versions of Microsoft Office. +keywords: Inclusive Classroom, Admin, Administrator, Microsoft Intune, Intune, Ease of Access, Office 365, account +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.topic: article +ms.localizationpriority: medium +ms.pagetype: edu +ROBOTS: noindex,nofollow +author: alhughes +ms.author: alhughes +ms.date: 06/12/2018 +--- + +# Inclusive Classroom IT Admin Guide +The following guide will show you what Inclusive Classroom features are available in which apps and which versions of Microsoft Office. +You will also learn how to deploy apps using Microsoft Intune, turn on or off Ease of access settings for users, and change how you pay for your Office 365 subscription. + +1. [Inclusive Classroom features](#features) +2. [Deploying apps with Microsoft Intune](#intune) +3. [How to show/hide the Ease of Accesss settings for text in Windows 10](#ease) +4. [How to change your Office 365 account from monthly, semi-annual, or yearly](#account) + +## Inclusive Classroom features +|Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | +|---|---|---|---|---|---|---| +| Read aloud with simultaneous highlighting |

  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

(N/A for Outlook PC)

|

X

(N/A for any OneNote apps or Outlook PC)

| +| Adjustable text spacing and font size |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iPad
  • Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

|

X

(N/A for any OneNote apps)

| +| Syllabification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word Online
  • Outlook Web Access
| |

X

(N/A for Word for iOS, Word Online, Outlook Web Access)

|

X

(N/A for Word iOS)

|

X

(N/A for Word iOS)

|

X

(N/A for any OneNote apps or Word iOS)

| +| Parts of speech identification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

| +| Line focus mode |
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

| +| Picture Dictionary |
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

| +
+ +| Writing and proofing features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | +|---|---|---|---|---|---|---| +| Dictation |
  • OneNote 2016, OneNote for Windows 10
  • Word 2016
  • Outlook 2016
  • PowerPoint 2016
| |

X

|

X

| | | +| Spelling suggestions for phonetic misspellings |
  • Word 2016, Word Online, Word for Mac
  • Outlook 2016
| |

X

|

X

|

X

| | +| Synonyms alongside spelling suggestions that can be read aloud |
  • Word 2016
  • Outlook 2016
| |

X

|

X

|

X

| | +| Grammar checks |
  • Word 2016, Word Online, Word for Mac
  • Outlook 2016
| |

X

|

X

| | | +| Customizable writing critiques |
  • Word 2016, Word for Mac
  • Outlook 2016
| |

X

|

X

| | | +| Tell me what you want to do |
  • Office 2016
  • Office Online
  • Office on iOS, Android, Windows 10
| |

X

|

X

|

X

| | +| Editor |
  • Word 2016
| |

X

|

X

| | | +
+ +| Creating accessible content features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | +|---|---|---|---|---|---|---| +| Accessibility Checker |
  • All Office 365 authoring applications on PC, Mac, Web
| |

X

| | | | +| Accessible Templates |
  • Word for PCs, Mac
  • Excel for PCs, Mac
  • PowerPoint for PCs, Mac
  • Sway on iOS, Web, Windows 10
| |

X

| | | | +| Ability to add alt-text for images |
  • Word for PCs (includes automatic suggestions for image descriptions)
  • SharePoint Online (includes automatic suggestions for image descriptions)
  • PowerPoint for PCs (includes automatic suggestions for image descriptions)
  • OneNote (includes automatic extraction of text in images)
  • All Office 365 authoring applications (include ability to add alt-text manually)
| |

X

| | | | +| Ability to add captions to videos |
  • PowerPoint for PCs
  • Sway on iOS, Web, Windows 10
  • Microsoft Stream (includes ability to have captions auto-generated for videos in English and Spanish)
| |

X

| | | | +| Export as tagged PDF |
  • Word for PCs, Mac
  • Sway on iOS, Web, Windows 10
| | | | | | +| Ability to request accessible content |
  • Outlook Web Access
| | | | | | +
+ +| Communication features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | +|---|---|---|---|---|---|---| +| Microsoft Translator |
  • Word 2016
  • Excel 2016
  • "Translator for Outlook" Add-in
  • PowerPoint 2016 (and PowerPoint Garage Add-in)
|

X

|

X

|

X

|

X

|

X

| +
+ +## Deploying apps with Microsoft Intune +Microsoft Intune can be used to deploy apps such as Immersive Reader and Microsoft Translator to all the devices connected in the same groups. +1. Go to the Intune for Education portal and log in with your account. +2. Select the **Apps** page. +3. Find the app you're looking for in the included list (if it's not there, you can select **Add app** and download it from the Microsoft Store). +4. Selecting your app will show you if it has been deployed to any of the groups that have been set up. From the **Groups** page you can select **Change group assignment** and choose which groups you want to deploy the app(s) to. + +## How to show/hide the Ease of access settings for text in Windows 10 +The Ease of access settings in Windows 10 are very useful accessibility tools, but having those options could be a bit much for everyone in a group to have in their device. With the following instructions you can chose to hide or show the Ease of access settings on users' devices. +1. Go to the Intune for Education portal and login with your account. +2. Select the **Groups** page and then select your desired group. +3. Select **Settings** and under the **User access and device settings** section you will find the toggle to set **Ease of access** to **Blocked** or **Not blocked**. +4. Select **Save** after making your selection. + +## How to change your Office 365 account from monthly, semi-annual, or yearly +Depending on how you plan to do billing, you can have Office 365 accounts that are set to renew monthly, semi-annually, or yearly. +1. Sign-in to your services and subscriptions with your Microsoft account. +2. Find the subscription in the list, then select **Change how you pay**. + >**Note:** If you don't see **Change how you pay**, it could be because auto-renew is not turned on. You won't be able to change how you pay if auto-renew is off because the subscription has already been paid and will end when its duration expires. +3. 
Choose a new way to pay from the list or select **Add a new way to pay** and follow the instructions. \ No newline at end of file diff --git a/education/get-started/set-up-office365-edu-tenant.md b/education/get-started/set-up-office365-edu-tenant.md index 59d939c2eb..82ee6a90cd 100644 --- a/education/get-started/set-up-office365-edu-tenant.md +++ b/education/get-started/set-up-office365-edu-tenant.md @@ -3,10 +3,11 @@ title: Set up an Office 365 Education tenant description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 +ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started -ms.localizationpriority: high +ms.localizationpriority: medium ms.pagetype: edu author: CelesteDG ms.author: celested diff --git a/education/get-started/set-up-windows-10-education-devices.md b/education/get-started/set-up-windows-10-education-devices.md index ac9f52c84f..5b79384b77 100644 --- a/education/get-started/set-up-windows-10-education-devices.md +++ b/education/get-started/set-up-windows-10-education-devices.md 
@@ -3,10 +3,11 @@ title: Set up Windows 10 education devices
 description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices.
 keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs
 ms.prod: w10
+ms.technology: Windows
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.topic: get-started
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.pagetype: edu
 author: CelesteDG
 ms.author: celested
diff --git a/education/get-started/set-up-windows-education-devices.md b/education/get-started/set-up-windows-education-devices.md
index edb76d6448..ba8630edd9 100644
--- a/education/get-started/set-up-windows-education-devices.md
+++ b/education/get-started/set-up-windows-education-devices.md
@@ -3,10 +3,11 @@ title: Set up Windows 10 devices using Windows OOBE
 description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices.
 keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs
 ms.prod: w10
+ms.technology: Windows
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.topic: get-started
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.pagetype: edu
 author: CelesteDG
 ms.author: celested
diff --git a/education/get-started/use-intune-for-education.md b/education/get-started/use-intune-for-education.md
index 646d7b8e16..baef903733 100644
--- a/education/get-started/use-intune-for-education.md
+++ b/education/get-started/use-intune-for-education.md
@@ -3,10 +3,11 @@ title: Use Intune for Education to manage groups, apps, and settings
 description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices.
 keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs
 ms.prod: w10
+ms.technology: Windows
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.topic: get-started
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.pagetype: edu
 author: CelesteDG
 ms.author: celested
diff --git a/education/get-started/use-school-data-sync.md b/education/get-started/use-school-data-sync.md
index c5392b41b9..f880134137 100644
--- a/education/get-started/use-school-data-sync.md
+++ b/education/get-started/use-school-data-sync.md
@@ -3,10 +3,11 @@ title: Use School Data Sync to import student data
 description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices.
 keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs
 ms.prod: w10
+ms.technology: Windows
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.topic: get-started
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.pagetype: edu
 author: CelesteDG
 ms.author: celested
diff --git a/education/index.md b/education/index.md
index 4a5f5a36ba..c78b456b9e 100644
--- a/education/index.md
+++ b/education/index.md
@@ -6,67 +6,10 @@ description: Learn about product documentation and resources available for schoo author: CelesteDG ms.topic: hub-page ms.author: celested +ms.collection: ITAdminEDU ms.date: 10/30/2017 ---
-

Microsoft Education documentation and resources

@@ -272,7 +103,7 @@ ms.date: 10/30/2017
  • - +
    @@ -282,8 +113,8 @@ ms.date: 10/30/2017
    -

    Microsoft Teams

    -

    Make the most of Microsoft Teams and find out how to deploy, launch pilot teams, and launch Teams to the rest of your organization.

    +

    3. Tools for Teachers

    +

    The latest classroom resources at teachers’ fingertips when you deploy Learning Tools, OneNote Class Notebooks, Teams, and more.

  • @@ -617,7 +448,7 @@ ms.date: 10/30/2017
  • - +
    @@ -627,8 +458,8 @@ ms.date: 10/30/2017
    -

    Microsoft Education Partner Network

    -

    Find out the latest news and announcements for Microsoft Education partners.

    +

    Microsoft Partner Network

    +

    Discover the latest news and resources for Microsoft Education products, solutions, licensing, and readiness.

    @@ -636,7 +467,7 @@ ms.date: 10/30/2017
  • - +
    @@ -646,8 +477,8 @@ ms.date: 10/30/2017
    -

    Authorized Education Partner (AEP) home page

    -

    Access the essentials and find out what it takes to become an AEP.

    +

    Authorized Education Partner (AEP) program

    +

    Become authorized to purchase and resell academic priced offers and products to Qualified Educational Users (QEU).

    diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md index 2c4fd4b739..b9fffc43b3 100644 --- a/education/trial-in-a-box/educator-tib-get-started.md +++ b/education/trial-in-a-box/educator-tib-get-started.md @@ -3,10 +3,11 @@ title: Educator Trial in a Box Guide description: Need help or have a question about using Microsoft Education? Start here. keywords: support, troubleshooting, education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education, Set up School PCs ms.prod: w10 +ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: article -ms.localizationpriority: high +ms.localizationpriority: medium ms.pagetype: edu ROBOTS: noindex,nofollow author: CelesteDG @@ -27,7 +28,8 @@ ms.date: 03/18/2018 | [![Launch Microsoft Teams](images/edu-TIB-setp-3-v3.png)](#edu-task3) | **Looking to foster collaboration, communication, and critical thinking in the classroom?**
    Launch [Microsoft Teams](#edu-task3) and learn how to set up digital classroom discussions, respond to student questions, and organize class content. | | [![Open OneNote](images/edu-TIB-setp-4-v3.png)](#edu-task4) | **Trying to expand classroom creativity and interaction between students?**
    Open [OneNote](#edu-task4) and create an example group project for your class. | | [![Try Photos app](images/edu-tib-setp-5-v4.png)](#edu-task5) | **Curious about telling stories through video?**
    Try the [Photos app](#edu-task5) to make your own example video. | -| [![Play with Minecraft: Education Edition](images/edu-tib-setp-6-v4.png)](#edu-task6) | **Want to teach kids to further collaborate and problem solve?**
    Play with [Minecraft: Education Edition](#edu-task6) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. | +| [![Play with Minecraft: Education Edition](images/edu-tib-setp-6-v4.png)](#edu-task6) | **Want to teach kids to further collaborate and problem solve?**
    Play with [Minecraft: Education Edition](#edu-task6) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. | +| [![Do Math with Windows Ink](images/edu-tib-setp-7-v1.png)](#edu-task7) | **Want to provide a personal math tutor for your students?**
    Use [Windows Ink and the Math Assistant feature](#edu-task7) in OneNote to give students step-by-step instructions and interactive 2D graphs for math problems. | | | |
    @@ -43,8 +45,8 @@ ms.date: 03/18/2018 To try out the educator tasks, start by logging in as a teacher. 1. Turn on **Device A** and ensure you plug in the PC to an electrical outlet. -2. Connect to your school's Wi-Fi network or connect with a local Ethernet connection. - >**Note**: If your Wi-Fi network requires a web browser login page to connect to the Internet you should connect using the Ethernet port. If your Wi-Fi network has additional restrictions that will prevent the device from connecting to the internet without registration you should consider using Device A from a different network. +2. Connect **Device A** to your school's Wi-Fi network or connect with a local Ethernet connection using the Ethernet adapter included in this kit. + >**Note**: If your Wi-Fi network requires a web browser login page to connect to the Internet, connect using the Ethernet port. If your Wi-Fi network has additional restrictions that will prevent the device from connecting to the internet without registration, consider connecting **Device A** to a different network. 3. Log in to **Device A** using the **Teacher Username** and **Teacher Password** included in the **Credentials Sheet** located in your kit. @@ -68,13 +70,17 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse **Try this!** 1. On the **Start** menu, click the Word document titled **Design Think**. + 2. Click **Edit Document** and select **Edit in Browser**. + 3. Select the **View** menu. + 4. Select the **Immersive Reader** button. ![Word Online's Immersive Reader](images/word_online_immersive_reader.png) 5. Press the **Play** button to hear text read aloud. + 6. Select these various settings to see different ways to configure Immersive Reader for your students. | Text to Speech | Text Preferences | Grammar Options | Line Focus | 
@@ -101,6 +107,7 @@ Take a guided tour of Microsoft Teams and test drive this digital hub. **Try this!** 1. Take a guided tour of Microsoft Teams and test drive some teaching tasks. Open the Microsoft Edge browser and navigate to
    https://msteamsdemo.azurewebsites.net. + 2. Use your school credentials provided in the **Credentials Sheet**.
    @@ -121,7 +128,9 @@ See how a group project comes together with opportunities to interact with other When you're not using the pen, just use the magnet to stick it to the left side of the screen until you need it again. 1. On the **Start** menu, click the OneNote shortcut named **Imagine Giza** to open the **Reimagine the Great Pyramid of Giza project**. + 2. Take the digital pen out of the box and make notes or draw. + 3. Follow the instructions for the project. Look for the **Try this!** callouts to experiment with these engaging activities. - Discover the power of digital ink by selecting the Draw tab. Choose your pen and get scribbling. @@ -142,7 +151,8 @@ When you're not using the pen, just use the magnet to stick it to the left side ![Inspire your students to tell their stories through video!](images/edu-tib-setp-5-jump2.png) ## 5. Engage with students by creating videos -PHOTOS APP VIDEO COMING SOON! +> [!VIDEO https://www.youtube.com/embed/Ko7XLM1VBRE] +
    The Photos app now has a built-in video editor, making it easy for you and your students to create movies using photos, video clips, music, 3D models, and special effects. Improve comprehension, unleash creativity, and capture your student’s imagination through video. 
@@ -150,20 +160,29 @@ The Photos app now has a built-in video editor, making it easy for you and your **Try this!** Use video to create a project summary. -1. Check you have the latest version of Microsoft Photos. Open the **Start** menu and search for **Store**. Select the **See more** button (**…**) and select **Downloads and updates**. Select **Get updates**. -2. Open Microsoft Edge and visit http://aka.ms/PhotosTIB to download a zip file of the project media. +1. Check you have the latest version of Microsoft Photos. Open the **Start** menu and search for **Store**. Select the **See more** button (**…**) and select **Downloads and updates**. Select **Get updates**. + +2. Open Microsoft Edge and visit http://aka.ms/PhotosTIB to download a zip file of the project media. + 3. Once the download has completed, open the zip file and select **Extract** > **Extract all**. Select **Browse** and choose the **Pictures** folder as the destination, and then select **Extract**. + 4. In the **Start** menu, search for **Photos** or select the Photos tile to launch the app. + 5. Select the first video to preview it full screen. Select **Edit & Create**, then select **Create a video with text**. 1. If you don't see the **Edit & Create** menu, select the video and the menu will appear at the top of the screen. + 6. Name your project “Laser Maze Project.” Hit Enter to continue. + 7. Select **Add photos and videos** and then **From my collection**. Scroll to select the 6 additional videos and select **Add**. + 8. Drag the videos to the Storyboard, one by one. Your project should look roughly like this: ![Photos app layout showing videos added in previous steps](images/photo_app_1.png) 9. Select the first card in the Storyboard (the video of the project materials) and select **Text**, type a title in, a text style, a layout, and select **Done**. + 10. Select the third card in the Storyboard (the video of the children assembling the maze) and select **Trim**. 
Drag the trim handle on the left to shorten the duration of the clip and select **Done**. + 11. Select the last card on the Storyboard and select **3D effects**. 1. Position the playback indicator to be roughly 1 second into the video clip, or when the boy moves down to examine the laser. 2. Find the **lightning bolt** effect and click or drag to add it to the scene. Rotate, scale, and position the effect so it looks like the lightning is coming out of the laser beam and hitting the black back of the mirror. @@ -176,8 +195,11 @@ Use video to create a project summary. 12. Select **Music** and select a track from the **Recommended** music collection. 1. The music will update automatically to match the length of your video project, even as you make changes. 2. If you don’t see more than a few music options, confirm that you’re connected to Wi-Fi and then close and re-open Microsoft Photos (returning to your project via the **Albums** tab). Additional music files should download in the background. + 13. You can adjust the volume for the background music using the **Music volume** button. + 14. Preview your video to see how it all came together. + 15. Select **Export or share** and select either the **Small** or **Medium** file size. You can share your video to social media, email, or another apps. Check out this use case video of the Photos team partnering with the Bureau Of Fearless Ideas in Seattle to bring the Photos app to local middle school students: https://www.youtube.com/watch?v=0dFFAu6XwPg 
@@ -198,24 +220,31 @@ Minecraft: Education Edition provides an immersive environment to develop creati Today, we'll explore a Minecraft world through the eyes of a student. 1. Connect the included mouse to your computer for optimal interaction. + 2. Open Microsoft Edge and visit https://aka.ms/lessonhub. + 3. Scroll down to the **Details** section and select **Download World**. ![Select the download world link](images/mcee_downloadworld.png) 4. When prompted, save the world. + 5. Enter your same teacher username and password and click **Accept**. + 6. Click **OK** on the **Minecraft: Education Edition Free Trial** box. + 7. Click **Play**. + 8. Click **Lesson Hub Vol 1** to enter the downloaded world. + 9. Explore the world by using the keys on your keyboard. * **W** moves forward. * **A** moves left. * **S** moves right. * **D** moves backward. - 10. Use your mouse as your "eyes". Just move it to look around. + 11. For a bird's eye view, double-tap the SPACE BAR. Now press the SPACE BAR to fly higher. And then hold the SHIFT key to safely land. To try more advanced movements or building within Minecraft, use the Minecraft Controls Diagram. @@ -233,6 +262,59 @@ Today, we'll explore a Minecraft world through the eyes of a student. ![Access and adapt over 300 Minecraft lesson plans](images/minecraft_lesson_plans.png)
    +
    +
    + +![Help students understand new math concepts with the Math Assistant in OneNote](images/Inking.png) +## 7. Use Windows Ink to provide a personal math tutor for your students + +The **Math Assistant** and **Ink Replay** features available in the OneNote app for Windows 10 and OneNote Online give your students step-by-step instructions on how to solve their math problems and help them visualize math functions on an interactive 2D graph. + +**Let's solve 3x+4=7 in OneNote using the pen!** +To get started: +1. Open the OneNote app for Windows 10 (not OneNote 2016). + + ![OneNote icon](images/OneNote_logo.png) + +2. In the top left corner, click on the **<** arrow to access your notebooks and pages. + + ![OneNote back arrow navigation button](images/left_arrow.png) + +3. Click **Add Page** to launch a blank work space. + + ![Select add page button](images/plus-page.png) + +4. Make sure your pen is paired to the device. To pair, see Connect to Bluetooth devices. + +To solve the equation 3x+4=7, follow these instructions: +1. Write the equation 3x+4=7 in ink using the pen or type it in as text. + +2. If you wrote the equation using digital ink, use the **Lasso tool** to circle the equation. If you typed the equation, highlight it using your mouse. + + ![Lasso button](images/lasso.png) + +3. On the **Draw** tab, click the **Math** button. + + ![Math button](images/math-button.png) + +4. From the drop-down menu in the **Math** pane, select the option to **Solve for x**. You can now see the final solution of the equation. + + ![Solve for x menu](images/solve-for-x.png) + +5. From the second drop-down below, choose **Steps for Solving Linear Formula**, which shows you the step-by-step solution of this equation. + +6. On the **View** tab, click the **Replay** button. Use your mouse to select the written equation and watch your text in replay. 
Replay is great for students to review how the teacher solved the equation and for teachers to review how students approached a problem. + + ![Replay button](images/replay.png) + +To graph the equation 3x+4=7, follow these instructions: +1. From the drop-down menu in the **Math** pane, select the option to **Graph Both Sides in 2D**. You can play with the interactive graph of your equation - use a single finger to move the graph position or two fingers to change the **zoom** level. + + ![Graph both sides in 2D](images/graph-for-x.png) + +2. Click the **Insert on Page** button below the graph to add a screenshot of the graph to your page. +
    +
    **Watch what Educators say about Microsoft Education delivering better learning outcomes** Bring out the best in students by providing a platform for collaborating, exploring, personalized learning, and getting things done across all devices. diff --git a/education/trial-in-a-box/images/Inking.png b/education/trial-in-a-box/images/Inking.png new file mode 100644 index 0000000000..b6dcb58920 Binary files /dev/null and b/education/trial-in-a-box/images/Inking.png differ diff --git a/education/trial-in-a-box/images/Math1.png b/education/trial-in-a-box/images/Math1.png new file mode 100644 index 0000000000..70891c9c29 Binary files /dev/null and b/education/trial-in-a-box/images/Math1.png differ diff --git a/education/trial-in-a-box/images/Math2.png b/education/trial-in-a-box/images/Math2.png new file mode 100644 index 0000000000..9ffd2638ac Binary files /dev/null and b/education/trial-in-a-box/images/Math2.png differ diff --git a/education/trial-in-a-box/images/OneNote_logo.png b/education/trial-in-a-box/images/OneNote_logo.png new file mode 100644 index 0000000000..9adca44e69 Binary files /dev/null and b/education/trial-in-a-box/images/OneNote_logo.png differ diff --git a/education/trial-in-a-box/images/edu-tib-setp-6-v4.png b/education/trial-in-a-box/images/edu-tib-setp-6-v4.png index c46d7861af..72393bc1ea 100644 Binary files a/education/trial-in-a-box/images/edu-tib-setp-6-v4.png and b/education/trial-in-a-box/images/edu-tib-setp-6-v4.png differ diff --git a/education/trial-in-a-box/images/edu-tib-setp-7-jump.png b/education/trial-in-a-box/images/edu-tib-setp-7-jump.png new file mode 100644 index 0000000000..1287f292b8 Binary files /dev/null and b/education/trial-in-a-box/images/edu-tib-setp-7-jump.png differ 
diff --git a/education/trial-in-a-box/images/edu-tib-setp-7-v1.png b/education/trial-in-a-box/images/edu-tib-setp-7-v1.png new file mode 100644 index 0000000000..78b755cf3a Binary files /dev/null and b/education/trial-in-a-box/images/edu-tib-setp-7-v1.png differ diff --git a/education/trial-in-a-box/images/graph-for-x.png b/education/trial-in-a-box/images/graph-for-x.png new file mode 100644 index 0000000000..66d1d49621 Binary files /dev/null and b/education/trial-in-a-box/images/graph-for-x.png differ diff --git a/education/trial-in-a-box/images/lasso.png b/education/trial-in-a-box/images/lasso.png new file mode 100644 index 0000000000..99da81e620 Binary files /dev/null and b/education/trial-in-a-box/images/lasso.png differ diff --git a/education/trial-in-a-box/images/left_arrow.png b/education/trial-in-a-box/images/left_arrow.png new file mode 100644 index 0000000000..5521199254 Binary files /dev/null and b/education/trial-in-a-box/images/left_arrow.png differ diff --git a/education/trial-in-a-box/images/math-button.png b/education/trial-in-a-box/images/math-button.png new file mode 100644 index 0000000000..a01e92e09a Binary files /dev/null and b/education/trial-in-a-box/images/math-button.png differ diff --git a/education/trial-in-a-box/images/plus-page.png b/education/trial-in-a-box/images/plus-page.png new file mode 100644 index 0000000000..b10bde2383 Binary files /dev/null and b/education/trial-in-a-box/images/plus-page.png differ diff --git a/education/trial-in-a-box/images/replay.png b/education/trial-in-a-box/images/replay.png new file mode 100644 index 0000000000..9826112c50 Binary files /dev/null and b/education/trial-in-a-box/images/replay.png differ diff --git a/education/trial-in-a-box/images/solve-for-x.png b/education/trial-in-a-box/images/solve-for-x.png new file mode 100644 index 0000000000..f0abd1379f Binary files /dev/null and b/education/trial-in-a-box/images/solve-for-x.png differ 
diff --git a/education/trial-in-a-box/index.md b/education/trial-in-a-box/index.md
index 486c9358c7..4a891bb989 100644
--- a/education/trial-in-a-box/index.md
+++ b/education/trial-in-a-box/index.md
@@ -3,10 +3,11 @@ title: Microsoft Education Trial in a Box
 description: For IT admins, educators, and students, discover what you can do with Microsoft 365 Education. Try it out with our Trial in a Box program.
 keywords: education, Microsoft 365 Education, trial, full cloud IT solution, school, deploy, setup, IT admin, educator, student, explore, Trial in a Box
 ms.prod: w10
+ms.technology: Windows
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.topic: article
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.pagetype: edu
 ROBOTS: noindex,nofollow
 author: CelesteDG
diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md
index a6c87bbb9a..4e15edb03d 100644
--- a/education/trial-in-a-box/itadmin-tib-get-started.md
+++ b/education/trial-in-a-box/itadmin-tib-get-started.md
@@ -3,10 +3,11 @@ title: IT Admin Trial in a Box Guide
 description: Try out Microsoft 365 Education to implement a full cloud infrastructure for your school, manage devices and apps, and configure and deploy policies to your Windows 10 devices.
 keywords: education, Microsoft 365 Education, trial, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education
 ms.prod: w10
+ms.technology: Windows
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.topic: get-started
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.pagetype: edu
 ROBOTS: noindex,nofollow
 author: CelesteDG
@@ -44,12 +45,13 @@ If you run into any problems while following the steps in this guide, or you hav ## 1. Log in to Device A with your IT Admin credentials and connect to the school network To try out the IT admin tasks, start by logging in as an IT admin. -1. Turn on **Device A** and ensure you plug in the PC to an electrical outlet. -2. Connect to your school's Wi-Fi network or connect with a local Ethernet connection. - >**Note**: If your Wi-Fi network requires a web browser login page to connect to the Internet you should connect using the Ethernet port. If your Wi-Fi network has additional restrictions that will prevent the device from connecting to the internet without registration you should consider using Device A from a different network. +1. Set up **Device A** first, then set up **Device B**. +2. Turn on **Device A** and ensure you plug in the PC to an electrical outlet. +3. Connect **Device A** to your school's Wi-Fi network or connect with a local Ethernet connection using the Ethernet adapter included in this kit. + >**Note**: If your Wi-Fi network requires a web browser login page to connect to the Internet, connect using the Ethernet port. If your Wi-Fi network has additional restrictions that will prevent the device from connecting to the internet without registration, consider connecting **Device A** to a different network. -3. Log in to **Device A** using the **Administrator Username** and **Administrator Password** included in the **Credentials Sheet** located in your kit. -4. Note the serial numbers on the Trial in a Box devices and register both devices with the hardware manufacturer to activate the manufacturer's warranty. +4. Log in to **Device A** using the **Administrator Username** and **Administrator Password** included in the **Credentials Sheet** located in your kit. +5. Note the serial numbers on the Trial in a Box devices and register both devices with the hardware manufacturer to activate the manufacturer's warranty.
    @@ -100,7 +102,7 @@ If you've previously used Set up School PCs to provision student devices, you ca - Set up School PCs will change some account management logic so that it sets the expiration time for an account to 180 days (without requiring sign-in). - This setting also increases the maximum storage to 100% of the available disk space. This prevents the student's account from being erased if the student stores a lot of files or data or if the student doesn't use the PC over a prolonged period. - **Let guests sign-in to these PCs** allows guests to use student PCs without a school account. If you select this option, a **Guest** account button will be added in the PC's sign-in screen to allow anyone to use the PC. - - **Enable Windows 10 Automatic Redeployment** enables IT admins to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment the student PC is returned to a fully configured or known approved state. For more info, see [Windows Automatic Redeployment](https://docs.microsoft.com/en-us/education/windows/windows-automatic-redeployment). + - **Enable Windows 10 Autopilot Reset** enables IT admins to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment the student PC is returned to a fully configured or known approved state. For more info, see [Autopilot Reset](https://docs.microsoft.com/en-us/education/windows/autopilot-reset). - **Lock screen background** shows the default backgroudn used for student PCs provisioned by Set up School PCs. Select **Browse** to change the default. 7. **Set up the Take a Test app** configures the device for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. Windows will lock down the student PC so that students can't access anything else while taking the test. 
diff --git a/education/trial-in-a-box/support-options.md b/education/trial-in-a-box/support-options.md index 9df3ab2015..20bca6a920 100644 --- a/education/trial-in-a-box/support-options.md +++ b/education/trial-in-a-box/support-options.md @@ -3,10 +3,11 @@ title: Microsoft Education Trial in a Box Support description: Need help or have a question about using Microsoft Education Trial in a Box? Start here. keywords: support, troubleshooting, education, Microsoft 365 Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education, Set up School PCs ms.prod: w10 +ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: article -ms.localizationpriority: high +ms.localizationpriority: medium ms.pagetype: edu ROBOTS: noindex,nofollow author: CelesteDG @@ -22,7 +23,7 @@ Need help or have a question about using Microsoft Education? Start here. Microsoft Education works hard to bring you the most current Trial in a Box program experience. As a result, you may need to update your apps to get our latest innovations. For more information about checking for updates, and how to optionally turn on automatic app updates, see the following articles: - + - [Check updates for apps and games from Microsoft Store](https://support.microsoft.com/en-us/help/4026259/microsoft-store-check-updates-for-apps-and-games) - [Turn on automatic app updates](https://support.microsoft.com/en-us/help/15081/windows-turn-on-automatic-app-updates) diff --git a/education/windows/TOC.md b/education/windows/TOC.md index a5adbaef71..5cfd544fe5 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md 
@@ -4,6 +4,9 @@
 ## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
 ## [Set up Windows devices for education](set-up-windows-10.md)
 ### [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)
+#### [Azure AD Join for school PCs](set-up-school-pcs-azure-ad-join.md)
+#### [Shared PC mode for school devices](set-up-school-pcs-shared-pc-mode.md)
+#### [Provisioning package settings](set-up-school-pcs-provisioning-package.md)
 ### [Use the Set up School PCs app ](use-set-up-school-pcs-app.md)
 ### [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
 ### [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
@@ -11,15 +14,16 @@
 ### [Set up Take a Test on a single PC](take-a-test-single-pc.md)
 ### [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
 ### [Take a Test app technical reference](take-a-test-app-technical.md)
-## [Reset devices with Windows Automatic Redeployment](windows-automatic-redeployment.md)
+## [Reset devices with Autopilot Reset](autopilot-reset.md)
 ## [Working with Microsoft Store for Education](education-scenarios-store-for-business.md)
 ## [Get Minecraft: Education Edition](get-minecraft-for-education.md)
 ### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
 ### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md)
 ### [Get Minecraft: Education Edition with Windows 10 device promotion](get-minecraft-device-promotion.md)
-## [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md)
+## [Test Windows 10 in S mode on existing Windows 10 education devices](test-windows10s-for-edu.md)
 ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
 ## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
-## [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md)
+## [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](s-mode-switch-to-edu.md)
+## [Change to Windows 10 Pro Education from Windows 10 Pro](change-to-pro-education.md)
 ## [Chromebook migration guide](chromebook-migration-guide.md)
 ## [Change history for Windows 10 for Education](change-history-edu.md)
diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md
new file mode 100644
index 0000000000..8a5441c5cc
--- /dev/null
+++ b/education/windows/autopilot-reset.md
@@ -0,0 +1,114 @@ +--- +title: Reset devices with Autopilot Reset +description: Gives an overview of Autopilot Reset and how you can enable and use it in your schools. +keywords: Autopilot Reset, Windows 10, education +ms.prod: w10 +ms.technology: Windows +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: edu +ms.localizationpriority: medium +author: greg-lindsay +ms.author: celested +ms.date: 06/27/2018 +--- + +# Reset devices with Autopilot Reset +**Applies to:** + +- Windows 10, version 1709 + +IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state. + +To enable Autopilot Reset in Windows 10, version 1709 (Fall Creators Update), you must: + +1. [Enable the policy for the feature](#enable-autopilot-reset) +2. [Trigger a reset for each device](#trigger-autopilot-reset) + +## Enable Autopilot Reset + +To use Autopilot Reset, [Windows Recovery Environment (WinRE) must be enabled on the device](#winre). + +**DisableAutomaticReDeploymentCredentials** is a policy that enables or disables the visibility of the credentials for Autopilot Reset. It is a policy node in the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, this policy is set to 1 (Disable). This ensures that Autopilot Reset isn't triggered by accident. + +You can set the policy using one of these methods: + +- MDM provider + + - Autopilot Reset in Intune for Education is coming soon. 
In a future update of Intune for Education, new tenants will automatically have the Autopilot Reset setting enabled by default on the **All devices** group as part of initial tenant configuration. You will also be able to manage this setting to target different groups in the admin console. + - If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy. If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set. + + For example, in Intune, create a new configuration policy and add an OMA-URI. + - OMA-URI: ./Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials + - Data type: Integer + - Value: 0 + +- Windows Configuration Designer + + You can [use Windows Configuration Designer](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting and create a provisioning package. + +- Set up School PCs app + + Autopilot Reset in the Set up School PCs app is available in the latest release of the app. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. You can check the version several ways: + - Reach out to your device manufacturer. + - If you manage your PCs using Intune or Intune for Education, you can check the OS version by checking the **OS version** info for the device. If you are using another MDM provider, check the documentation for the MDM provider to confirm the OS version. + - Log into the PCs, go to the **Settings > System > About** page, look in the **Windows specifications** section and confirm **Version** is set to 1709. 
+ + To use the Autopilot Reset setting in the Set up School PCs app: + * When using [Set up School PCs](use-set-up-school-pcs-app.md), in the **Configure student PC settings** screen, select **Enable Windows 10 Autopilot Reset** among the list of settings for the student PC as shown in the following example: + + ![Configure student PC settings in Set up School PCs](images/suspc_configure_pc2.jpg) + +## Trigger Autopilot Reset +Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it's done, the device is again ready for use. + +**To trigger Autopilot Reset** + +1. From the Windows device lock screen, enter the keystroke: **CTRL + ![Windows key](images/windows_glyph.png) + R**. + + ![Enter CTRL+Windows key+R on the Windows lockscreen](images/autopilot-reset-lockscreen.png) + + This will open up a custom login screen for Autopilot Reset. The screen serves two purposes: + 1. Confirm/verify that the end user has the right to trigger Autopilot Reset + 2. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process. + + ![Custom login screen for Autopilot Reset](images/autopilot-reset-customlogin.png) + +2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Autopilot Reset. + +>[!IMPORTANT] +>To reestablish Wi-Fi connectivity after reset, make sure the **Connect automatically** box is checked for the device's wireless network connection. + + Once Autopilot Reset is triggered, the reset process starts. + + After reset, the device: + - Sets the region, language, and keyboard. + - Connects to Wi-Fi. + - If you provided a provisioning package when Autopilot Reset is triggered, the system will apply this new provisioning package. Otherwise, the system will re-apply the original provisioning package on the device. 
+ - Is returned to a known good managed state, connected to Azure AD and MDM. + + ![Notification that provisioning is complete](images/autopilot-reset-provisioningcomplete.png) + + Once provisioning is complete, the device is again ready for use. + + +## Troubleshoot Autopilot Reset + +Autopilot Reset will fail when the [Windows Recovery Environment (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is not enabled on the device. You will see `Error code: ERROR_NOT_SUPPORTED (0x80070032)`. + +To make sure WinRE is enabled, use the [REAgentC.exe tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command: + +``` +reagentc /enable +``` + +If Autopilot Reset fails after enabling WinRE, or if you are unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance. + +## Related topics + +[Set up Windows devices for education](set-up-windows-10.md) + + + + + diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index 0775c1d4c7..c14ad21e17 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md 
@@ -3,29 +3,36 @@ title: Change history for Windows 10 for Education (Windows 10) description: New and changed topics in Windows 10 for Education keywords: Windows 10 education documentation, change history ms.prod: w10 +ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu -author: CelesteDG -ms.author: celested -ms.date: 03/08/2018 +author: MikeBlodge +ms.author: MikeBlodge +ms.date: 05/07/2018 --- # Change history for Windows 10 for Education This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation. +## April 2018 +New or changed topic | Description +--- | --- +[Windows 10 Pro in S mode for Education](s-mode-switch-to-edu.md) | Created a new topic on S mode for Education. | +[Change to Windows 10 Education from Windows 10 Pro](change-to-pro-education.md) | Updated sections referencing S mode. + ## March 2018 New or changed topic | Description --- | --- -[Reset devices with Windows Automatic Redeployment](windows-automatic-redeployment.md) | Added section for troubleshooting Windows Automatic Redeployment. +[Reset devices with Autopilot Reset](autopilot-reset.md) | Added section for troubleshooting Autopilot Reset. ## November 2017 | New or changed topic | Description | | --- | ---- | -| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | Updated the the list of device manufacturers. | +| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | Updated the list of device manufacturers. | | [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) | Updated instances of the parameter enablePrint, or enablePrinting, to requirePrinting. | | [Set up Take a Test on a single PC](take-a-test-single-pc.md) | Updated instances of the parameter enablePrint, or enablePrinting, to requirePrinting. 
| | [Take a Test app technical reference](take-a-test-app-technical.md) | Added a note that the Alt+F4 key combination for enabling students to exit the test is disabled in Windows 10, version 1703 (Creators Update) and later. Also added additional info about the Ctrl+Alt+Del key combination. | @@ -34,7 +41,7 @@ New or changed topic | Description | New or changed topic | Description | | --- | ---- | -| [Reset devices with Windows Automatic Redeployment](windows-automatic-redeployment.md) | New. Learn how you can use this new feature to quickly reset student PCs from the lock screen and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use and returned to a fully configured or known IT-approved state. | +| [Reset devices with Autopilot Reset](autopilot-reset.md) | New. Learn how you can use this new feature to quickly reset student PCs from the lock screen and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use and returned to a fully configured or known IT-approved state. | | [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | Updated the *Go back to your previous edition of Windows 10* section with new information on how to work around cases where Win32 apps are blocked after switching from Windows 10 S back to your previous Windows edition. | | [Take a Test app technical reference](take-a-test-app-technical.md) | Updated. Starting with Windows 10, version 1709 (Fall Creators Update), assessments can now run in permissive mode. This mode enables students who need access to other apps, like accessibility tools, to use the apps. | 
@@ -71,7 +78,7 @@ New or changed topic | Description | New or changed topic | Description | | --- | ---- | -| [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md) | New. If you have an education tenant and use devices Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education. | +| [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) | New. If you have an education tenant and use devices Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education. | | [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Updated. Now includes network tips and updated step-by-step instructions that show the latest updates to the app such as Wi-Fi setup. | ## RELEASE: Windows 10, version 1703 (Creators Update) 
@@ -97,13 +104,13 @@ New or changed topic | Description | New or changed topic | Description | | --- | --- | -| [Upgrade Windows 10 Pro to Pro Education from Microsoft Store for Business] | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. As of May 2017, this topic has been replaced with [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md). | +| [Upgrade Windows 10 Pro to Pro Education from Microsoft Store for Business] | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. As of May 2017, this topic has been replaced with [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). | ## November 2016 | New or changed topic | Description| | --- | --- | -| [Working with Microsoft Store for Business – education scenarios](education-scenarios-store-for-business.md) | New. Learn about education scenarios for Microsoft Store for Business. | +| [Working with Microsoft Store for Business – education scenarios](education-scenarios-store-for-business.md) | New. Learn about education scenarios for Microsoft Store for Business. | | [For teachers - get Minecraft: Education Edition](teacher-get-minecraft.md) | Updates. Subscription support for Minecraft: Education Edition. | | [For IT administrators - get Minecraft: Education Edition](school-get-minecraft.md) | Updates. Subscription support for Minecraft: Education Edition. | diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md new file mode 100644 index 0000000000..5a4b583f7b --- /dev/null +++ b/education/windows/change-to-pro-education.md 
@@ -0,0 +1,313 @@ +--- +title: Change to Windows 10 Education from Windows 10 Pro +description: Learn how IT Pros can opt into changing to Windows 10 Pro Education from Windows 10 Pro. +keywords: change, free change, Windows 10 Pro to Windows 10 Pro Education, Windows 10 Pro to Windows 10 Pro Education, education customers, Windows 10 Pro Education, Windows 10 Pro +ms.prod: w10 +ms.technology: Windows +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: edu +ms.localizationpriority: medium +author: MikeBlodge +ms.author: MikeBlodge +ms.date: 04/30/2018 +--- + +# Change to Windows 10 Pro Education from Windows 10 Pro +Windows 10 Pro Education is a new offering in Windows 10, version 1607. This edition builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools by providing education-specific default settings. + +If you have an education tenant and use devices with Windows 10 Pro, global administrators can opt-in to a free change to Windows 10 Pro Education depending on your scenario. +- [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](https://docs.microsoft.com/en-us/education/windows/s-mode-switch-to-edu) + +To take advantage of this offering, make sure you meet the [requirements for changing](#requirements-for-changing). For academic customers who are eligible to change to Windows 10 Pro Education, but are unable to use the above methods, contact Microsoft Support for assistance. + +## Requirements for changing +Before you change to Windows 10 Pro Education, make sure you meet these requirements: +- Devices must be running Windows 10 Pro, version 1607 or higher. +- Devices must be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices). 
+ + If you haven't domain joined your devices already, [prepare for deployment of Windows 10 Pro Education licenses](#preparing-for-deployment-of-windows-10-pro-education-licenses). + +- The Azure AD tenant must be recognized as an education approved tenant. +- You must have a Microsoft Store for Education account. +- The user making the changes must be a member of the Azure AD global administrator group. + +## Compare Windows 10 Pro and Pro Education editions +You can [compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) to find out more about the features we support in other editions of Windows 10. + +For more info about Windows 10 default settings and recommendations for education customers, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). + +## Change from Windows 10 Pro to Windows 10 Pro Education + +For schools that want to standardize all their Windows 10 Pro devices to Windows 10 Pro Education, a global admin for the school can opt-in to a free change through the Microsoft Store for Education. + +In this scenario: + +- The IT admin of the tenant chooses to turn on the change for all Azure AD joined devices. +- Any device that joins the Azure AD will change automatically to Windows 10 Pro Education. +- The IT admin has the option to automatically roll back to Windows 10 Pro, if desired. See [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro). + +See [change using Microsoft Store for Education](#change-using-microsoft-store-for-education) for details on how to do this. + +### Change using Intune for Education + +1. In Intune for Education, select **Groups** and then choose the group that you want to apply the MAK license key to. + + For example, to apply the change for all teachers, select **All Teachers** and then select **Settings**. + +2. In the settings page, find **Edition upgrade** and then: + 1. 
Select the edition in the **Edition to upgrade to** field + 2. Enter the MAK license key in the **Product key** field + + **Figure 1** - Enter the details for the Windows edition change + + ![Enter the details for the Windows edition change](images/i4e_editionupgrade.png) + +3. The change will automatically be applied to the group you selected. + + +### Change using Windows Configuration Designer +You can use Windows Configuration Designer to create a provisioning package that you can use to change the Windows edition for your device(s). [Install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) to create a provisioning package. + +1. In Windows Configuration Designer, select **Provision desktop devices** to open the simple editor and create a provisioning package for Windows desktop editions. +2. In the **Set up device** page, enter the MAK license key in the **Enter product key** field to change to Windows 10 Pro Education. + + **Figure 2** - Enter the license key + + ![Enter the license key to change to Windows 10 Pro Education](images/wcd_productkey.png) + +3. Complete the rest of the process for creating a provisioning package and then apply the package to the devices you want to change to Windows 10 Pro Education. + + For more information about using Windows Configuration Designer, see [Set up student PCs to join domain](https://technet.microsoft.com/en-us/edu/windows/set-up-students-pcs-to-join-domain). + + +### Change using the Activation page + +1. On the Windows device that you want to change, open the **Settings** app. +2. Select **Update & security** > **Activation**, and then click **Change product key**. +3. In the **Enter a product key** window, enter the MAK key for Windows 10 Pro Education and click **Next**. 
+ + +## Education customers with Azure AD joined devices + +Academic institutions can easily move from Windows 10 Pro to Windows 10 Pro Education without using activation keys or reboots. When one of your users enters their Azure AD credentials associated with a Windows 10 Pro Education license, the operating system changes to Windows 10 Pro Education and all the appropriate Windows 10 Pro Education features are unlocked. Previously, only schools or organizations purchasing devices as part of the Shape the Future K-12 program or with a Microsoft Volume Licensing Agreement could deploy Windows 10 Pro Education to their users. Now, if you have an Azure AD for your organization, you can take advantage of the Windows 10 Pro Education features. + +When you change to Windows 10 Pro Education, you get the following benefits: + +- **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 or higher, or Windows 10 S mode, version 1703, can get Windows 10 Pro Education Current Branch (CB). This benefit does not include Long Term Service Branch (LTSB). +- **Support from one to hundreds of users**. The Windows 10 Pro Education program does not have a limitation on the number of licenses an organization can have. +- **Roll back options to Windows 10 Pro** + - When a user leaves the domain or you turn off the setting to automatically change to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days). + - For devices that originally had Windows 10 Pro edition installed, when a license expires or is transferred to another user, the Windows 10 Pro Education device seamlessly steps back down to Windows 10 Pro. + + See [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro) for more info. 
+ + +### Change using Microsoft Store for Education +Once you enable the setting to change to Windows 10 Pro Education, the change will begin only after a user signs in to their device. The setting applies to the entire organization or tenant, so you cannot select which users will receive the change. The change will only apply to Windows 10 Pro devices. + +**To turn on the automatic change to Windows 10 Pro Education** + +1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your work or school account. + + If this is the first time you're signing into the Microsoft Store for Education, you'll be prompted to accept the Microsoft Store for Education Terms of Use. + +2. Click **Manage** from the top menu and then select the **Benefits tile**. +3. In the **Benefits** tile, look for the **Change to Windows 10 Pro Education for free** link and then click it. + +4. In the **Change all your devices to Windows 10 Pro Education for free** page, check box next to **I understand enabling this setting will change all domain-joined devices running Windows 10 Pro in my organization**. + + **Figure 3** - Check the box to confirm + + ![Check the box to confirm](images/msfe_manage_benefits_checktoconfirm.png) + +5. Click **Change all my devices**. + + A confirmation window pops up to let you know that an email has been sent to you to enable the change. + +6. Close the confirmation window and check the email to proceed to the next step. +7. In the email, click the link to **Change to Windows 10 Pro Education**. Once you click the link, this will take you back to the Microsoft Store for Education portal. + +8. Click **Change now** in the **changing your device to Windows 10 Pro Education for free** page in the Microsoft Store. 
+ + You will see a window that confirms you've successfully changed all the devices in your organization to Windows 10 Pro Education, and each Azure AD joined device running Windows 10 Pro will automatically change the next time someone in your organization signs in to the device. + +9. Click **Close** in the **Success** window. + +Enabling the automatic change also triggers an email message notifying all global administrators in your organization about the change. It also contains a link that enables any global administrators to cancel the change if they choose. For more info about rolling back or canceling the change, see [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro). + + +## Explore the change experience + +So what will users experience? How will they change their devices? + +### For existing Azure AD joined devices +Existing Azure AD domain joined devices will be changed to Windows 10 Pro Education the next time the user logs in. That's it! No additional steps are needed. + +### For new devices that are not Azure AD joined +Now that you've turned on the setting to automatically change to Windows 10 Pro Education, the users are ready to change their devices running Windows 10 Pro, version 1607 or higher, version 1703 to Windows 10 Pro Education edition. + +#### Step 1: Join users’ devices to Azure AD + +Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1607 or higher, version 1703. + +**To join a device to Azure AD the first time the device is started** + +There are different methods you can use to join a device to Azure AD: +- For multiple devices, we recommend using the [Set up School PCs app](use-set-up-school-pcs-app.md) to create a provisioning package to quickly provision and set up Windows 10 devices for education. 
+- For individual devices, you can use the Set up School PCs app or go through the Windows 10 device setup experience. If you choose this option, see the following steps. + +**To join a device to Azure AD using Windows device setup** + +If the Windows device is running Windows 10, version 1703, follow these steps. + +1. During initial device setup, on the **How would you like to set up?** page, select **Set up for an organization**, and then click **Next**. + + **Figure 4** - Select how you'd like to set up the device + + ![Select how you'd like to set up the device](images/1_howtosetup.png) + +2. On the **Sign in with Microsoft** page, enter the username and password to use with Office 365 or other services from Microsoft, and then click **Next**. + + **Figure 5** - Enter the account details + + ![Enter the account details you use with Office 365 or other Microsoft services](images/2_signinwithms.png) + +3. Go through the rest of Windows device setup. Once you're done, the device will be Azure AD joined to your school's subscription. + + +**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up** + +If the Windows device is running Windows 10, version 1703, follow these steps. + +1. Go to **Settings > Accounts > Access work or school**. + + **Figure 6** - Go to **Access work or school** in Settings + + ![Go to Access work or school in Settings](images/settings_workorschool_1.png) + +2. In **Access work or school**, click **Connect**. +3. In the **Set up a work or school account** window, click the **Join this device to Azure Active Directory** option at the bottom. + + **Figure 7** - Select the option to join the device to Azure Active Directory + + ![Select the option to join the device to Azure Active Directory](images/settings_setupworkorschoolaccount_2.png) + +4. On the **Let's get you signed in** window, enter the Azure AD credentials (username and password) and sign in. 
This will join the device to the school's Azure AD. +5. To verify that the device was successfully joined to Azure AD, go back to **Settings > Accounts > Access work or school**. You should now see a connection under the **Connect to work or school** section that indicates the device is connected to Azure AD. + + **Figure 8** - Verify the device connected to Azure AD + + ![Verify the device is connected to Azure AD](images/settings_connectedtoazuread_3.png) + + +#### Step 2: Sign in using Azure AD account + +Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account. The Windows 10 Pro Education license associated with the user will enable Windows 10 Pro Education edition capabilities on the device. + + +#### Step 3: Verify that Pro Education edition is enabled + +You can verify the Windows 10 Pro Education in **Settings > Update & Security > Activation**. + +**Figure 9** - Windows 10 Pro Education in Settings + +Windows 10 activated and subscription active + +If there are any problems with the Windows 10 Pro Education license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. + +### Troubleshoot the user experience + +In some instances, users may experience problems with the Windows 10 Pro Education change. The most common problems that users may experience are as follows: + +- The existing operating system (Windows 10 Pro, version 1607 or higher, or version 1703) is not activated. +- The Windows 10 Pro Education change has lapsed or has been removed. + +Use the following figures to help you troubleshoot when users experience these common problems: + +**Figure 10** - Illustrates a device in a healthy state, where the existing operating system is activated, and the Windows 10 Pro Education change is active. + +Windows 10 activated and subscription active

    + + +**Figure 11** - Illustrates a device on which the existing operating system is not activated, but the Windows 10 Pro Education change is active. + +Windows 10 not activated and subscription active

    + + +### Review requirements on devices + +Devices must be running Windows 10 Pro, version 1607 or higher, or domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. You can use the following procedures to review whether a particular device meets requirements. + +**To determine if a device is Azure AD joined** + +1. Open a command prompt and type the following: + + ``` + dsregcmd /status + ``` + +2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined. + +**To determine the version of Windows 10** + +- At a command prompt, type: + + ``` + winver + ``` + + A popup window will display the Windows 10 version number and detailed OS build information. + + > [!NOTE] + > If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be changed to Windows 10 Pro Education when a user signs in, even if the user has been assigned a license. + +### Roll back Windows 10 Pro Education to Windows 10 Pro + +If your organization has the Windows 10 Pro to Windows 10 Pro Education change enabled, and you decide to roll back to Windows 10 Pro or to cancel the change, you can do this by: + +- Logging into Microsoft Store for Education page and turning off the automatic change. +- Selecting the link to turn off the automatic change from the notification email sent to all global administrators. + +Once the automatic change to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were changed will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. This means that a user whose device was changed may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. 
However, users who haven't signed in during the time that a change was enabled and then turned off will never see their device change from Windows 10 Pro. + +> [!NOTE] +> Devices that were changed from mode to Windows 10 Pro Education cannot roll back to Windows 10 Pro Education S mode. + +**To roll back Windows 10 Pro Education to Windows 10 Pro** + +1. Log in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your school or work account, or follow the link from the notification email to turn off the automatic change. +2. Select **Manage > Benefits** and locate the section **Windows 10 Pro Education** and follow the link. +3. In the **Revert to Windows 10 Pro** page, click **Revert to Windows 10 Pro**. + + **Figure 12** - Revert to Windows 10 Pro + + ![Revert to Windows 10 Pro](images/msfe_manage_reverttowin10pro.png) + +4. You will be asked if you're sure that you want to turn off automatic changes to Windows 10 Pro Education. Click **Yes**. +5. Click **Close** in the **Success** page. + + All global admins get a confirmation email that a request was made to roll back your organization to Windows 10 Pro. If you, or another global admin, decide later that you want to turn on automatic changes again, you can do this by selecting **change to Windows 10 Pro Education for free** from the **Manage > Benefits** in the Microsoft Store for Education. + + +## Preparing for deployment of Windows 10 Pro Education licenses + +If you have on-premises Active Directory Domain Services (AD DS) domains, users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Pro Education to users, you need to synchronize the identities in the on-premises AD DS domain with Azure AD. + +You need to synchronize these identities so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Pro Education). 
This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. + +(Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. + +**Figure 13** - On-premises AD DS integrated with Azure AD + +![Illustration of Azure Active Directory Connect](images/windows-ad-connect.png) + +For more information about integrating on-premises AD DS domains with Azure AD, see these resources: +- [Integrating your on-premises identities with Azure Active Directory](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/) +- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) + +## Related topics + +[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
    +[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
    +[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index bdc7935944..5ca42d662f 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -4,10 +4,11 @@ description: In this guide you will learn how to migrate a Google Chromebook-bas ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA keywords: migrate, automate, device, Chromebook migration ms.prod: w10 +ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu, devices -ms.localizationpriority: high +ms.localizationpriority: medium author: craigash ms.author: celested ms.date: 10/13/2017 diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index 391f93135b..073496a0bb 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md @@ -5,8 +5,9 @@ keywords: Windows 10 deployment, recommendations, privacy settings, school, educ ms.mktglfcycl: plan ms.sitesec: library ms.prod: w10 +ms.technology: Windows ms.pagetype: edu -ms.localizationpriority: high +ms.localizationpriority: medium author: CelesteDG ms.author: celested ms.date: 08/31/2017 
@@ -20,7 +21,7 @@ ms.date: 08/31/2017 Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](https://docs.microsoft.com/en-us/education/windows/configure-windows-for-education#setedupolicies)** enabled. See the following table for more information. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). -We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no additional charge to Windows 10 Pro Education. To learn more about the steps to configure this, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md). +We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no additional charge to Windows 10 Pro Education. To learn more about the steps to configure this, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). 
In Windows 10, version 1703 (Creators Update), it is straightforward to configure Windows to be education ready. @@ -55,7 +56,7 @@ It is easy to be education ready when using Microsoft products. We recommend the 3. Enroll the PCs in MDM. * If you have activated Intune for Education in your Azure AD tenant, enrollment will happen automatically when the PC is joined to Azure AD. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False. 4. Ensure that needed assistive technology apps can be used. - * If you have students or school personnel who rely on assistive technology apps that are not available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md) for more info. + * If you have students or school personnel who rely on assistive technology apps that are not available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info. 4. Distribute the PCs to students. diff --git a/education/windows/create-tests-using-microsoft-forms.md b/education/windows/create-tests-using-microsoft-forms.md index a5fdfd4970..3b0c7b4e62 100644 --- a/education/windows/create-tests-using-microsoft-forms.md +++ b/education/windows/create-tests-using-microsoft-forms.md 
@@ -2,7 +2,8 @@
 title: Create tests using Microsoft Forms
 description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test.
 keywords: school, Take a Test, Microsoft Forms
-ms.prod: w10
+ms.prod: w10
+ms.technology: Windows
 ms.mktglfcycl: plan
 ms.sitesec: library
 ms.pagetype: edu
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index af5f429e0c..b2630531e9 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -3,10 +3,11 @@ title: Deploy Windows 10 in a school district (Windows 10)
 description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use System Center Configuration Manager, Intune, and Group Policy to manage devices.
 keywords: configure, tools, device, school district, deploy Windows 10
 ms.prod: w10
+ms.technology: Windows
 ms.mktglfcycl: plan
 ms.pagetype: edu
 ms.sitesec: library
-ms.localizationpriority: high
+ms.localizationpriority: medium
 author: craigash
 ms.author: celested
 ms.date: 10/30/2017
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index 996d28b59a..ac1eb3952d 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -3,10 +3,11 @@ title: Deploy Windows 10 in a school (Windows 10) description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy. keywords: configure, tools, device, school, deploy Windows 10 ms.prod: w10 +ms.technology: Windows ms.mktglfcycl: plan ms.pagetype: edu ms.sitesec: library -ms.localizationpriority: high +ms.localizationpriority: medium author: craigash ms.author: celested ms.date: 10/30/2017 diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md index b9fe9e4a0e..17435853f2 100644 --- a/education/windows/edu-deployment-recommendations.md +++ b/education/windows/edu-deployment-recommendations.md @@ -4,11 +4,12 @@ description: Provides guidance on ways to customize the OS privacy settings, as keywords: Windows 10 deployment, recommendations, privacy settings, school ms.mktglfcycl: plan ms.sitesec: library -ms.localizationpriority: high +ms.localizationpriority: medium author: CelesteDG ms.author: celested ms.date: 10/13/2017 ms.prod: W10 +ms.technology: Windows --- # Deployment recommendations for school IT administrators 
@@ -19,7 +20,7 @@ ms.prod: W10 Your privacy is important to us, so we want to provide you with ways to customize the OS privacy settings, as well as some of the apps, so that you can choose what information is shared with Microsoft. To learn more about Microsoft’s commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). The following sections provide some best practices and specific privacy settings we’d like you to be aware of. Also see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) for more information about ways to customize the OS diagnostic data, consumer experiences, Cortana, and search. -We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no additional charge to Windows 10 Pro Education. To learn more about the steps to configure this, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md). +We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no additional charge to Windows 10 Pro Education. To learn more about the steps to configure this, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). ## Deployment best practices 
@@ -27,7 +28,7 @@ Keep these best practices in mind when deploying any edition of Windows 10 in sc * A Microsoft account is only intended for consumer services. Enterprises and educational institutions should use enterprise versions where possible, such as Skype for Business, OneDrive for Business, and so on. For schools, consider using mobile device management (MDM) or Group Policy to block students from adding a Microsoft account as a secondary account. * If schools allow the use of personal accounts by their students to access personal services, schools should be aware that these accounts belong to individuals, not the school. * IT administrators, school officials, and teachers should also consider ratings when picking apps from the Microsoft Store. -* If you have students or school personnel who rely on assistive technology apps that are not available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md) for more info. +* If you have students or school personnel who rely on assistive technology apps that are not available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info. ## Windows 10 Contacts privacy settings diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md index fad685b3d2..d90e41f458 100644 --- a/education/windows/education-scenarios-store-for-business.md +++ b/education/windows/education-scenarios-store-for-business.md 
@@ -5,12 +5,13 @@ keywords: school, Microsoft Store for Education, Microsoft education store ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -ms.localizationpriority: high +ms.localizationpriority: medium searchScope: - Store author: trudyha ms.author: trudyha ms.date: 3/30/2018 +ms.technology: Windows --- # Working with Microsoft Store for Education diff --git a/education/windows/get-minecraft-device-promotion.md b/education/windows/get-minecraft-device-promotion.md index 5250c1f8df..6fb8b22725 100644 --- a/education/windows/get-minecraft-device-promotion.md +++ b/education/windows/get-minecraft-device-promotion.md @@ -5,12 +5,13 @@ keywords: school, Minecraft, education edition ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -ms.localizationpriority: high +ms.localizationpriority: medium author: trudyha searchScope: - Store ms.author: trudyha -ms.date: 07/27/2017 +ms.date: 06/05/2018 +ms.technology: Windows --- # Get Minecraft: Education Edition with Windows 10 device promotion 
@@ -19,6 +20,19 @@ ms.date: 07/27/2017 - Windows 10 +The **Minecraft: Education Edition** with Windows 10 device promotion ended January 31, 2018. + +Qualifying customers that received one-year subscriptions for Minecraft: Education Edition as part of this program and wish to continue using the game in their schools can purchase new subscriptions in Microsoft Store for Education. +For more information on purchasing Minecraft: Education Edition, see [Add Minecraft to your Store for Education](https://docs.microsoft.com/education/windows/school-get-minecraft?toc=/microsoft-store/education/toc.json). + +>[!Note] +>**Minecraft: Education Edition** with Windows 10 device promotion subscriptions are valid for 1 year from the time +of redemption. At the end of 1 year, the promotional subscriptions will expire and any people using these subscriptions will be reverted to a trial license of **Minecraft: Education Edition**. + +To prevent being reverted to a trial license, admins or teachers need to purchase new **Minecraft: Education Edition** subscriptions from Store for Education, and assign licenses to users who used a promotional subscription. + + + \ No newline at end of file diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 1abe2df826..11aeea97ed 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -5,12 +5,14 @@ keywords: school, Minecraft, education edition ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -ms.localizationpriority: high +ms.localizationpriority: medium author: trudyha searchScope: - Store ms.author: trudyha ms.date: 07/27/2017 +ms.technology: Windows +ms.topic: conceptual --- # Get Minecraft: Education Edition 
@@ -22,7 +24,7 @@ ms.date: 07/27/2017 [Minecraft: Education Edition](http://education.minecraft.net/) is built for learning. Watch this video to learn more about Minecraft. - + Teachers and IT administrators can now get early access to **Minecraft: Education Edition** and add it their Microsoft Store for Business for distribution. diff --git a/education/windows/images/windows-automatic-redeployment-customlogin.png b/education/windows/images/autopilot-reset-customlogin.png similarity index 100% rename from education/windows/images/windows-automatic-redeployment-customlogin.png rename to education/windows/images/autopilot-reset-customlogin.png diff --git a/education/windows/images/windows-automatic-redeployment-lockscreen.png b/education/windows/images/autopilot-reset-lockscreen.png similarity index 100% rename from education/windows/images/windows-automatic-redeployment-lockscreen.png rename to education/windows/images/autopilot-reset-lockscreen.png diff --git a/education/windows/images/windows-automatic-redeployment-provisioningcomplete.png b/education/windows/images/autopilot-reset-provisioningcomplete.png similarity index 100% rename from education/windows/images/windows-automatic-redeployment-provisioningcomplete.png rename to education/windows/images/autopilot-reset-provisioningcomplete.png diff --git a/education/windows/images/suspc-add-recommended-apps-1807.png b/education/windows/images/suspc-add-recommended-apps-1807.png new file mode 100644 index 0000000000..61a674e363 Binary files /dev/null and b/education/windows/images/suspc-add-recommended-apps-1807.png differ diff --git a/education/windows/images/suspc-admin-token-delete-1807.png b/education/windows/images/suspc-admin-token-delete-1807.png new file mode 100644 index 0000000000..0656dbb899 Binary files /dev/null and b/education/windows/images/suspc-admin-token-delete-1807.png differ 
diff --git a/education/windows/images/suspc-assessment-url-1807.png b/education/windows/images/suspc-assessment-url-1807.png
new file mode 100644
index 0000000000..c799e26271
Binary files /dev/null and b/education/windows/images/suspc-assessment-url-1807.png differ
diff --git a/education/windows/images/suspc-available-student-settings-1807.png b/education/windows/images/suspc-available-student-settings-1807.png
new file mode 100644
index 0000000000..d39fc2ceba
Binary files /dev/null and b/education/windows/images/suspc-available-student-settings-1807.png differ
diff --git a/education/windows/images/suspc-configure-student-settings-1807.png b/education/windows/images/suspc-configure-student-settings-1807.png
new file mode 100644
index 0000000000..553fb4d689
Binary files /dev/null and b/education/windows/images/suspc-configure-student-settings-1807.png differ
diff --git a/education/windows/images/suspc-createpackage-signin-1807.png b/education/windows/images/suspc-createpackage-signin-1807.png
new file mode 100644
index 0000000000..7a80f5c751
Binary files /dev/null and b/education/windows/images/suspc-createpackage-signin-1807.png differ
diff --git a/education/windows/images/suspc-createpackage-summary-1807.png b/education/windows/images/suspc-createpackage-summary-1807.png
new file mode 100644
index 0000000000..e78ac67856
Binary files /dev/null and b/education/windows/images/suspc-createpackage-summary-1807.png differ
diff --git a/education/windows/images/suspc-current-os-version-1807.png b/education/windows/images/suspc-current-os-version-1807.png
new file mode 100644
index 0000000000..bc2ba6a08d
Binary files /dev/null and b/education/windows/images/suspc-current-os-version-1807.png differ
diff --git a/education/windows/images/suspc-current-os-version-next-1807.png b/education/windows/images/suspc-current-os-version-next-1807.png
new file mode 100644
index 0000000000..a0b6632bd3
Binary files /dev/null and b/education/windows/images/suspc-current-os-version-next-1807.png differ
diff --git a/education/windows/images/suspc-device-names-1807.png b/education/windows/images/suspc-device-names-1807.png
new file mode 100644
index 0000000000..f3ad674b99
Binary files /dev/null and b/education/windows/images/suspc-device-names-1807.png differ
diff --git a/education/windows/images/suspc-enable-shared-pc-1807.png b/education/windows/images/suspc-enable-shared-pc-1807.png
new file mode 100644
index 0000000000..52fb68f830
Binary files /dev/null and b/education/windows/images/suspc-enable-shared-pc-1807.png differ
diff --git a/education/windows/images/suspc-savepackage-insertusb-1807.png b/education/windows/images/suspc-savepackage-insertusb-1807.png
new file mode 100644
index 0000000000..cd75795863
Binary files /dev/null and b/education/windows/images/suspc-savepackage-insertusb-1807.png differ
diff --git a/education/windows/images/suspc-savepackage-ppkgisready-1807.png b/education/windows/images/suspc-savepackage-ppkgisready-1807.png
new file mode 100644
index 0000000000..fd82b1e50b
Binary files /dev/null and b/education/windows/images/suspc-savepackage-ppkgisready-1807.png differ
diff --git a/education/windows/images/suspc-select-wifi-1807.png b/education/windows/images/suspc-select-wifi-1807.png
new file mode 100644
index 0000000000..c8b94d6aad
Binary files /dev/null and b/education/windows/images/suspc-select-wifi-1807.png differ
diff --git a/education/windows/images/suspc-select-wifi-network-1807.png b/education/windows/images/suspc-select-wifi-network-1807.png
new file mode 100644
index 0000000000..5a362daaa0
Binary files /dev/null and b/education/windows/images/suspc-select-wifi-network-1807.png differ
diff --git a/education/windows/images/suspc-sign-in-select-1807.png b/education/windows/images/suspc-sign-in-select-1807.png
new file mode 100644
index 0000000000..abffbec690
Binary files /dev/null and b/education/windows/images/suspc-sign-in-select-1807.png differ
diff --git a/education/windows/images/suspc-take-a-test-1807.png b/education/windows/images/suspc-take-a-test-1807.png
new file mode 100644
index 0000000000..ea6295658f
Binary files /dev/null and b/education/windows/images/suspc-take-a-test-1807.png differ
diff --git a/education/windows/images/suspc-take-a-test-app-1807.png b/education/windows/images/suspc-take-a-test-app-1807.png
new file mode 100644
index 0000000000..9d6c503f3c
Binary files /dev/null and b/education/windows/images/suspc-take-a-test-app-1807.png differ
diff --git a/education/windows/images/suspc-time-zone-1807.png b/education/windows/images/suspc-time-zone-1807.png
new file mode 100644
index 0000000000..274e411a4d
Binary files /dev/null and b/education/windows/images/suspc-time-zone-1807.png differ
diff --git a/education/windows/images/suspc-wifi-network-1807.png b/education/windows/images/suspc-wifi-network-1807.png
new file mode 100644
index 0000000000..6e03d35363
Binary files /dev/null and b/education/windows/images/suspc-wifi-network-1807.png differ
diff --git a/education/windows/index.md b/education/windows/index.md
index 80955b020d..6e21549be3 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -3,10 +3,11 @@ title: Windows 10 for Education (Windows 10)
 description: Learn how to use Windows 10 in schools.
 keywords: Windows 10, education
 ms.prod: w10
+ms.technology: Windows
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: edu
-ms.localizationpriority: high
+ms.localizationpriority: medium
 author: CelesteDG
 ms.author: celested
 ms.date: 10/13/2017
@@ -21,15 +22,6 @@ ms.date: 10/13/2017

    [Windows 10 editions for education customers](windows-editions-for-education-customers.md)
    Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.

    [Compare each Windows edition](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
    Find out more about the features and functionality we support in each edition of Windows.

    [Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)
    When you've made your decision, find out how to buy Windows for your school.

    -

    How-to videos
    -

    -

    ## ![Plan for Windows 10 in your school](images/clipboard.png) Plan @@ -48,7 +40,7 @@ ms.date: 10/13/2017 ## ![Switch to Windows 10 for Education](images/windows.png) Switch -

    [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md)
    If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.

    +

    [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md)
    If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.

    ## Windows 8.1 diff --git a/education/windows/s-mode-switch-to-edu.md b/education/windows/s-mode-switch-to-edu.md new file mode 100644 index 0000000000..1dca2c3783 --- /dev/null +++ b/education/windows/s-mode-switch-to-edu.md 
@@ -0,0 +1,72 @@ +--- +title: Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode +description: Switching out of Windows 10 Pro in S mode to Windows 10 Pro Education in S mode. The S mode switch documentation describes the requirements and process for Switching to Windows 10 Pro Education in S mode. +keywords: Windows 10 S switch, S mode Switch, switch in S mode, Switch S mode, Windows 10 Pro Education in S mode, S mode, system requirements, Overview, Windows 10 Pro in S mode, Education, EDU +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.prod: w10 +ms.technology: Windows +ms.sitesec: library +ms.pagetype: edu +ms.date: 04/30/2018 +author: Mikeblodge +--- + +# Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode +The S mode switch motion enables users to switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode. This gives users access to the Microsoft Store for Education as well as other Education offers. + +## Benefits of Windows 10 Pro in S mode for Education + +S mode is an enhanced security mode of Windows 10 – streamlined for security and superior performance. With Windows 10 in S mode, everyone can download and install Microsoft-verified apps from the Microsoft Store for Education – this keep devices running fast and secure day in and day out. + +- **Microsoft-verified security** - It reduces risk of malware and exploitations that harm students and educators, because only Microsoft-verified apps can be installed. +- **Performance that lasts** - Provides all-day battery life to keep students on task and not tripping over cords. Also, verified apps won’t degrade device performance over time. +- **Streamlined for Speed** - Offers faster log-in times so teachers spend less time waiting and more time teaching. + + +| |Home |S mode |Pro/Pro Education |Enterprise/Education | +|---------|:---:|:---:|:---:|:---:| +|Start Menu/Hello/Cortana/
    Windows Ink/Microsoft Edge | X | X | X | X | +|Store apps (including Windows
    desktop bridge apps) | X | X | X | X | +|Windows Update | X | X | X | X | +|Device Encryption | X | X | X | X | +|BitLocker | | X | X | X | +|Windows Update for Business | | X | X | X | +|Microsoft Store for Education | | X | X | X | +|Mobile Device Management
    and Azure AD join | | X | X | X | +|Group Policy management and
    Active Directory Domain Services | | | X | X | +|Desktop (Windows 32) Apps | X | | X | X | +|Change App Defaults
    Search/Browser/Photos/etc. | X | | X | X | +|Credential Guard | | | | X | +|Device Guard | | | | X | + +### Windows 10 in S mode is safe, secure, and fast. +However, in some limited scenarios, you might need to switch to Windows 10 Education. You can switch devices running Windows 10, version 1709 or later. Use the following information to switch to Windows 10 Pro through the Microsoft Store. + +## How to switch + +### Devices running Windows 10, version 1803 + +**Switch using the Microsoft Store for Education**
    +There are two switch options available using the Microsoft Store for Education: + +Tenant-wide Windows 10 Pro in S mode > Pro Education in S mode
    +Tenant-wide Windows 10 Pro > Pro Education + +> [!IMPORTANT] +> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare metal recover (BMR)](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset. + +### Devices running Windows 10, version 1709 + +1. **Bulk switch through Microsoft Store for Education** - In this scenario, the global admin for the Azure AD education tenant can use Microsoft Store to switch all Windows 10 Pro in S mode devices on the tenant to Windows 10 Pro Education. (Devices running Windows 10, version 1803 will switch to Windows 10 Pro EDU in S mode.) + +2. **Key acquisition options** - For schools with **active Microsoft Volume Licensing** agreements, global admins can obtain free MAK keys for Windows 10 Pro Education. For schools without an active Microsoft Volume Licensing agreement, the global admin can contact CSS, fill out a form and provide a proof of purchase to receive MAK keys for Windows 10 Pro Education. + +> [!NOTE] +> There is currently no "bulk-switch" option for devices running Windows 10, version 1803. + +## Related Topics +[FAQs](https://support.microsoft.com/en-us/help/4020089/windows-10-in-s-mode-faq)
    +[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
    +[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
    +[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) \ No newline at end of file diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index f0c3df0aea..d2daacd44e 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -5,12 +5,14 @@ keywords: Minecraft, Education Edition, IT admins, acquire ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -ms.localizationpriority: high +ms.localizationpriority: medium author: trudyha searchScope: - Store ms.author: trudyha ms.date: 1/5/2018 +ms.technology: Windows +ms.topic: conceptual --- # For IT administrators - get Minecraft: Education Edition diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md new file mode 100644 index 0000000000..16b59b9799 --- /dev/null +++ b/education/windows/set-up-school-pcs-azure-ad-join.md 
@@ -0,0 +1,95 @@ +--- +title: Azure AD Join with Setup School PCs app +description: Describes how Azure AD Join is configured in the Set up School PCs app. +keywords: shared cart, shared PC, school, set up school pcs +ms.prod: w10 +ms.technology: Windows +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +ms.localizationpriority: medium +author: lenewsad +ms.author: lanewsad +ms.date: 07/13/2018 +--- + +# Azure AD Join for school PCs + +> [!NOTE] +> Set up School PCs app uses Azure AD Join to configure PCs. The app is helpful if you use the cloud based directory, Azure Active Directory (AD). If your organization uses Active Directory or requires no account to connect, install and use [Windows Configuration +> Designer](set-up-students-pcs-to-join-domain.md) to +> join your PCs to your school's domain. + +Set up School PCs lets you create a provisioning package that automates Azure AD +Join on your devices. This feature eliminates the need to manually: + +- Connect to your school’s network. + +- Join your organization's domain. + +## Automated connection to school domain + +During initial device setup, Azure AD Join automatically connects your PCs to your school's Azure AD domain. You can skip all of the Windows setup experience that is typically a part of the out-of-the-box-experience (OOBE). Devices that are managed by a mobile device manager, such as Intune, are automatically enrolled with the provider upon initial device startup. + +Students who sign in to their PCs with their Azure AD credentials get access to on-premises apps and the following cloud apps: +* Office 365 +* OneDrive +* OneNote. + +## Enable Azure AD Join + +Learn how to enable Azure AD Join for your school. After you configure this setting, you'll be able to request an automated Azure AD bulk token, which you need to create a provisioning package. + +1. Sign in to the Azure portal with your organization's credentials. +2. 
Go to **Azure +Active Directory** \> **Devices** \> **Device settings**. +3. Enable the setting +for Azure AD by selecting **All** or **Selected**. If you choose the latter +option, select the teachers and IT staff to allow them to connect to Azure AD. + +![Select the users you want to let join devices to Azure AD](images/suspc-enable-shared-pc-1807.png) + +You can also create an account that holds the exclusive rights to join devices. When a student PC needs to be set up, provide the account credentials to the appropriate teachers or staff. + +## All Device Settings + +The following table describes each setting within **Device Settings**. + +| Setting | Description | +|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Users may join devices to Azure AD | Choose the scope of people in your organization that are allowed to join devices to Azure AD. **All** allows all users and groups within your tenant to join devices. **Selected** prompts you to choose specific users or groups to allow. **None** allows no one in your tenant to join devices to Azure AD. | +| Additional local administrators on Azure AD joined devices | Only applicable to Azure AD Premium tenants. Grant additional local administrator rights on devices, to selected users. Global administrators and the device owner are granted local administrator rights by default. | +| Users may register their devices with Azure AD | Allow all or none of your users to register their devices with Azure AD (Workplace Join). If you are enrolled in Microsoft Intune or Mobile Device Management for Office 365, your devices are required to be registered. 
In this case, **All** is automatically selected for you. | +| Require Multi-Factor Authentication to join devices | Recommended when adding devices to Azure AD. When set to **Yes**, users that are setting up devices must enter a second method of authentication. | +| Maximum number of devices per user | Set the maximum number of devices a user is allowed to have in Azure AD. If the maximum is exceeded, the user must remove one or more existing devices before additional ones are added. | +| Users may sync settings and enterprise app data | Allow all or none of your users to sync settings and app data across multiple devices. Tenants with Azure AD Premium are permitted to select specific users to allow. | + +## Clear Azure AD tokens + +Your Intune tenant can only have 500 active Azure AD tokens, or packages, at a time. You'll receive a notification in the Intune portal when you reach 500 active tokens. + +To reduce your inventory, clear out all unnecessary and inactive tokens. +1. Go to **Azure Active Directory** \> **Users** \> **All users** +2. In the **User Name** column, select and delete all accounts with a **package\ _** +prefix. These accounts are created at a 1:1 ratio for every token and are safe +to delete. +3. Select and delete inactive and expired user accounts. + +### How do I know if my package expired? +Automated Azure AD tokens expire after 30 days. The expiration date for each token is appended to the end of the saved provisioning package, on the USB drive. After this date, you must create a new package. Be careful that you don't delete active accounts. + +![Screenshot of the Azure portal, Azure Active Directory, All Users page. Highlights all accounts that start with the prefix package_ and can be deleted.](images/suspc-admin-token-delete-1807.png) + +## Next steps +Learn more about setting up devices with the Set up School PCs app. 
+* [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md) +* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md) +* [Set up School PCs technical reference](set-up-school-pcs-technical.md) +* [Set up Windows 10 devices for education](set-up-windows-10.md) + +When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). + + + + + diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md new file mode 100644 index 0000000000..16b671865d --- /dev/null +++ b/education/windows/set-up-school-pcs-provisioning-package.md 
@@ -0,0 +1,122 @@ +--- +title: What's in Set up School PCs provisioning package +description: Lists the provisioning package settings that are configured in the Set up School PCs app. +keywords: shared cart, shared PC, school, set up school pcs +ms.prod: w10 +ms.technology: Windows +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +ms.localizationpriority: medium +author: lenewsad +ms.author: lanewsad +ms.date: 07/13/2018 +--- + +# What's in my provisioning package? +The Set up School PCs app builds a specialized provisioning package with school-optimized settings. + +A key feature of the provisioning package is Shared PC mode. To view the technical framework of Shared PC mode, including the description of each setting, see the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx) article. + +## Shared PC Mode policies +This table outlines the policies applied to devices in shared PC mode. If you [selected to optimize a device for use by a single student](set-up-school-pcs-shared-pc-mode.md#optimize-device-for-use-by-a-single-student), the table notes the differences. Specifically, you'll see differences in the following policies: +* Disk level deletion +* Inactive threshold +* Restrict local storage + +In the table, *True* means that the setting is enabled, allowed, or applied. Use the **Description** column to help you understand the context for each setting. + +For a more detailed look at the policies, see the Windows article [Set up shared or guest PC](https://docs.microsoft.com/en-us/windows/configuration/set-up-shared-or-guest-pc#policies-set-by-shared-pc-mode). + +|Policy name|Default value|Description| +|---------|---------|---------| +|Enable Shared PC mode|True| Configures the PCs so they are in shared PC mode.| +|Set education policies | True | School-optimized settings are applied to the PCs so that they are appropriate for an educational environment. 
To see all recommended and enabled policies, see [Windows 10 configuration recommendation for education customers](https://docs.microsoft.com/en-us/education/windows/configure-windows-for-education). | +|Account Model| Only guest, Domain-joined only, or Domain-joined and guest |Controls how users can sign in on the PC. Configurable from the Set up School PCs app. Choosing domain-joined will enable any user in the domain to sign in. Specifying the guest option will add the Guest option to the sign-in screen and enable anonymous guest access to the PC. | +|Deletion policy | Delete at disk space threshold and inactive threshold | Delete at disk space threshold will start deleting accounts when available disk space falls below the threshold you set for disk level deletion. It will stop deleting accounts when the available disk space reaches the threshold you set for disk level caching. Accounts are deleted in order of oldest accessed to most recently accessed. Also deletes accounts if they have not signed in within the number of days specified by inactive threshold policy. | +|Disk level caching | 50% | Sets 50% of total disk space to be used as the disk space threshold for account caching. | +|Disk level deletion | For shared device setup, 25%; for single device-student setup, 0%. | When your devices are optimized for shared use across multiple PCs, this policy sets 25% of total disk space to be used as the disk space threshold for account caching. When your devices are optimized for use by a single student, this policy sets the value to 0% and does not delete accounts. | +|Enable account manager | True | Enables automatic account management. | +|Inactive threshold| For shared device setup, 30 days; for single device-student setup, 180 days.| After 30 or 180 days, respectively, if an account has not signed in, it will be deleted. 
+|Kiosk Mode AMUID | Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App | Configures the kiosk account on student devices to only run the Take a Test secure assessment browser. | +|Kiosk Mode User Tile Display Text | Take a Test | Displays "Take a Test" as the name of the kiosk account on student devices. | +|Restrict local storage | For shared device setup, True; for single device-student setup, False. | When devices are optimized for shared use across multiple PCs, this policy forces students to save to the cloud to prevent data loss. When your devices are optimized for use by a single student, this policy does not prevent students from saving on the PCs local hard drive. | +|Maintenance start time | 0 - midnight | The maintenance start time when automatic maintenance tasks, such as Windows Update, run on student devices. | +|Max page file size in MB| 1024| Sets the maximum size of the paging file to 1024 MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM.| +|Set power policies | True | Prevents users from changing power settings and turns off hibernate. Also overrides all power state transitions to sleep, such as lid close. | +|Sign in on resume | True | Requires the device user to sign in with a password when the PC wakes from sleep. | +|Sleep timeout | 3600 seconds | Specifies the maximum idle time before the PC should sleep. If you don't set sleep timeout, the default time, 3600 seconds (1 hour), is applied. | + +## MDM and local group policies +This section lists only the MDM and local group policies that are configured uniquely for the Set up School PCs app. + +For a more detailed look of each policy listed, see [Policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider) in the Windows IT Pro Center documentation. + + +|Policy name |Default value |Description | +|---------|---------|---------| +|Authority|User-defined | Authenticates the admin user. 
Value is set automatically when signed in to Azure AD. +|BPRT|User-defined| Value is set automatically when signed in to Azure AD. Allows you to create the provisioning package. | +|WLAN Setting| XML is generated from the Wi-Fi profile in the Set up School PCs app.| Configures settings for wireless connectivity.| +|Hide OOBE for desktop| True | Hides the interactive OOBE flow for Windows 10.| +|Download Mode|1 - HTTP blended with peering behind the same NAT|Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps, and App updates| +|Select when Preview Builds and Feature Updates are received | 32 - Semi-annual Channel. Device gets feature updates from Semi-annual Channel| Specifies how frequently devices receive preview builds and feature updates.| +|Allow auto update | 4 - Auto-installs and restarts without device-user control | When an auto update is available, it auto-installs and restarts the device without any input or action from the device user.| +|Configure automatic updates | 3 - Set to install at 3am | Scheduled time to install updates.| +|Update power policy for cart restarts | 1 - Configured| Skips all restart checks to ensure that the reboot will happen at the scheduled install time. | +|Select when Preview Builds and Feature Updates are received | 365 days | Defers Feature Updates for the specified number of days. When not specified, defaults to 365 days.| +|Allow all trusted apps | Disabled | Prevents untrusted apps from being installed to device | +|Allow developer unlock | Disabled | Students cannot unlock the PC and use it in developer mode | +|Allow Cortana | Disabled | Cortana is not allowed on the device. +|Allow manual MDM unenrollment | Disabled | Students cannot remove the mobile device manager from their device. 
| +|Settings page visibility|Enabled |Specific pages in the System Settings app are not visible or accessible to students.| +|Allow add provisioning package | Disabled | Students cannot add and upload new provisioning packages to their device. | +|Allow remove provisioning package | Disabled | Students cannot remove packages that you've uploaded to their device, including the Set up School PCs app | +|Start Layout|Enabled |Lets you specify the Start layout for users and prevents them from changing the configuration.| +|Import Edge Assets| Enabled| Import Microsoft Edge assets, such as PNG and JPG files, for secondary tiles on the Start layout. Tiles will appear as weblinks and will be tied to the relevant image asset files.| +|Allow pinned folder downloads|1 - The shortcut is visible and disables the setting in the Settings app |Makes the Downloads shortcut on the Start menu visible to students.| +|Allow pinned folder File Explorer|1 - The shortcut is visible and disables the setting in the Settings app |Makes the File Explorer shortcut on the Start menu visible to students.| +|Personalization | Deploy lock screen image | Set to the image you picked when you customized the lock screen during device setup. If you didn't customize the image, the computer will show the default. | Deploys a jpg, jpeg, or png image to be used as lock screen image on the device. +|Personalization| Lock screen image URL| Image filename| You can specify a jpg, jpeg, or png image to be used as the device lock screen image. This setting can take an http or https URL to a remote image to be downloaded, or a file URLto an existing local image. +|Update|Active hours end | 5 PM | There will be no update reboots before this time. | +|Update|Active hours start | 7 AM | There will be no update reboots after this time. | +|Updates Windows | Nightly | Sets Windows to update on a nightly basis. 
| + +## Apps uninstalled from Windows 10 devices +Set up School PCs app uses the Universal app uninstall policy. This policy identifies default apps that are not relevant to the classroom experience, and uninstalls them from each device. The following table lists all apps uninstalled from Windows 10 devices. + + +|App name |Application User Model ID | +|---------|---------| +|3D Builder | Microsoft.3DBuilder_8wekyb3d8bbwe | +|Bing Weather | Microsoft.BingWeather_8wekyb3d8bbwe | +|Desktop App Installer|Microsoft.DesktopAppInstaller_8wekyb3d8bbwe| +|Get Started | Microsoft.Getstarted_8wekyb3d8bbw | +|Messaging|Microsoft.Messaging_8wekyb3d8bbwe +|Microsoft Office Hub| Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe | +|Microsoft Solitaire Collection | Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe | +|One Connect|Microsoft.OneConnect_8wekyb3d8bbwe| +|Paid Wi-Fi & Cellular | Microsoft.OneConnect_8wekyb3d8bbwe | +|Feedback Hub | Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe | +|Xbox | Microsoft.XboxApp_8wekyb3d8bbwe | +|Mail/Calendar | microsoft.windowscommunicationsapps_8wekyb3d8bbwe| + +## Apps installed on Windows 10 devices +Set up School PCs uses the Universal app install policy to install school-relevant apps on all Windows 10 devices. Apps that are installed include: +* OneDrive +* OneNote +* Sway + +## Next steps +Learn more about setting up devices with the Set up School PCs app. +* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md) +* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md) +* [Set up School PCs technical reference](set-up-school-pcs-technical.md) +* [Set up Windows 10 devices for education](set-up-windows-10.md) + +When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). + + + + + 
diff --git a/education/windows/set-up-school-pcs-shared-pc-mode.md b/education/windows/set-up-school-pcs-shared-pc-mode.md
new file mode 100644
index 0000000000..acebeccc44
--- /dev/null
+++ b/education/windows/set-up-school-pcs-shared-pc-mode.md
@@ -0,0 +1,80 @@ +--- +title: Shared PC mode for school devices +description: Describes how shared PC mode is set for devices set up with the Set up School PCs app. +keywords: shared cart, shared PC, school, set up school pcs +ms.prod: w10 +ms.technology: Windows +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +ms.localizationpriority: medium +author: lenewsad +ms.author: lanewsad +ms.date: 07/13/2018 +--- + +# Shared PC mode for school devices + +Shared PC mode optimizes Windows 10 for shared use scenarios, such as classrooms and school libraries. A Windows 10 PC in shared PC mode requires minimal to zero maintenance and management. Update settings are optimized for classroom settings, so that they automatically occur outside of school hours. + +Shared PC mode can be applied on devices running: +* Windows 10 Pro +* Windows 10 Pro Education +* Windows 10 Education +* Windows 10 Enterprise + +To learn more about how to set up a device in shared PC mode, see [Set up a shared or guest PC with Windows 10](https://docs.microsoft.com/en-us/windows/configuration/set-up-shared-or-guest-pc). + +## Windows Updates +Shared PC mode configures power and Windows Update settings so that computers update regularly. Computers that are set up through the Set up School PCs app are configured to: +* Wake nightly. +* Check for and install updates. +* Forcibly reboot, when necessary, to complete updates. + +These configurations reduce the need to update and reboot computers during daytime work hours. Notifications about needed updates are also blocked from disrupting students. + +## Default admin accounts in Azure Active Directory +By default, the account that joins your computer to Azure AD will be given admin permissions on the computer. Global administrators in the joined Azure AD domain will also have admin permissions when signed in to the joined computer. + +An Azure AD Premium subscription lets you specify the accounts that get admin accounts on a computer. 
These accounts are configured in Intune in the Azure portal. + +## Account deletion policies +This section describes the deletion behavior for the accounts configured in shared PC mode. A delete policy makes sure that outdated or stale accounts are regularly removed to make room for new accounts. + +### Azure AD accounts + +The default deletion policy is set to automatically cache accounts. Cached accounts are automatically deleted when disk space gets too low, or when there's an extended period of inactivity. Accounts continue to delete until the computer reclaims sufficient disk space. Deletion policies behave the same for Azure AD and Active Directory domain accounts. + +### Guest and Kiosk accounts +Guest accounts and accounts created through Kiosk are deleted after they sign out of their account. + +### Local accounts +Local accounts that you created before enabling shared PC mode aren't deleted. Local accounts that you create through the following path, after enabling PC mode, are not deleted: **Settings** app > **Accounts** > **Other people** > **Add someone** + +## Create custom Windows images +Shared PC mode is compatible with custom Windows images. + +To create a compatible image, first create your custom Windows image with all software, updates, and drivers. Then use the System Preparation (Sysprep) tool with the `/oobe` flag to create the SharedPC-compatible version. For example, `sysrep/oobe`. + +Teachers can then run the Set up School PCs package on the computer. + +## Optimize device for use by a single student +Shared PC mode is enabled by default. This mode optimizes device settings for schools where PCs are shared by students. The Set up School PCs app also offers the option to configure settings for devices that aren't shared. + +If you select this setting, the app modifies shared PC mode so that it's appropriate for a single device. 
To see how the settings differ, refer to the Shared PC mode policy table in the article [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md) +1. In the app, go to the **Create package** > **Settings** step. +2. Select **Optimize device for a single student, instead of a shared cart or lab**. + +## Next steps +Learn more about setting up devices with the Set up School PCs app. +* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md) +* [Set up School PCs technical reference](set-up-school-pcs-technical.md) +* [What's in my provisioning package](set-up-school-pcs-provisioning-package.md) +* [Set up Windows 10 devices for education](set-up-windows-10.md) + +When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). + + + + + diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 8164b32aca..b23242412b 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md 
@@ -1,308 +1,81 @@ --- -title: Set up School PCs app technical reference -description: Describes the changes that the Set up School PCs app makes to a PC. +title: Set up School PCs app technical reference overview +description: Describes the purpose of the Set up School PCs app for Windows 10 devices. keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 +ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -ms.localizationpriority: high -author: CelesteDG -ms.author: celested -ms.date: 04/04/2018 +ms.localizationpriority: medium +author: lenewsad +ms.author: lanewsad +ms.date: 07/11/2018 --- -# Technical reference for the Set up School PCs app +What is Set up School PCs? +================================================= + **Applies to:** -- Windows 10 +- Windows 10 + +The **Set up School PCs** app helps you configure new Windows 10 PCs for school use. The +app, which is available for Windows 10 version 1703 and later, configures and saves +school-optimized settings, apps, and policies into a single provisioning package. You can then save the package to a USB drive and distribute it to your school PCs. + +If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up +School PCs app will create a setup file. This file joins the PC to your Azure Active Directory tenant. The app also helps set up PCs for use with or without Internet connectivity. + + +## Join PC to Azure Active Directory +If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up +School PCs app creates a setup file that joins your PC to your Azure Active +Directory tenant. + +The app also helps set up PCs for use with or without Internet connectivity. + +## List of Set up School PCs features +The following table describes the Set up School PCs app features and lists each type of Intune subscription. An X indicates that the feature is available with the specific subscription. 
+ +| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium | +|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------|------------|------------------| +| **Fast sign-in** | X | X | X | X | +| Students sign in and start using the computer in under a minute, even on initial sign-in. | | | | | +| **Custom Start experience** | X | X | X | X | +| Necessary classroom apps are pinned to Start and unnecessary apps are removed. | | | | | +| **Guest account, no sign-in required** | X | X | X | X | +| Set up computers for use by anyone with or without an account. | | | | | +| **School policies** | X | X | X | X | +| Settings create a relevant, useful learning environment and optimal computer performance. | | | | | +| **Azure AD Join** | | X | X | X | +| Computers join with your existing Azure AD or Office 365 subscription for centralized management. | | | | | +| **Single sign-on to Office 365** | | | X | X | +| Students sign in with their IDs to access all Office 365 web apps or installed Office apps. | | | | | +| **Take a Test app** | | | | X | +| Administer quizzes and assessments through test providers such as Smarter Balanced. | | | | | +| [Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) **via Azure AD** | | | | X | +| Synchronize student and application data across devices for a personalized experience. | | | | | + +> [!NOTE] +> If your school uses Active Directory, use [Windows Configuration +> Designer](set-up-students-pcs-to-join-domain.md) +> to configure your PCs to join the domain. You can only use the Set up School +> PCs app to set up PCs that are connected to Azure AD. 
-The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode. The latest Set up School PCs app is available for Windows 10, version 1703 (Creators Update). Set up School PCs also configures school-specific settings and policies, described in this topic. +## Next steps +Learn more about setting up devices with the Set up School PCs app. +* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md) +* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md) +* [What's in my provisioning package](set-up-school-pcs-provisioning-package.md) +* [Set up Windows 10 devices for education](set-up-windows-10.md) + +When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). + + -If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up School PCs app will create a setup file that joins the PC to your Azure Active Directory tenant. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity. - -Here's a list of what you get when using the Set up School PCs app in your school. - -| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium | -| --- | :---: | :---: | :---: | :---: | -| **Fast sign-in**
    Each student can sign in and start using the computer in less than a minute, even on their first sign-in. | X | X | X | X | -| **Custom Start experience**
    The apps students need are pinned to Start, and unnecessary apps are removed. | X | X | X | X | -| **Guest account, no sign-in required**
    This option sets up computers for common use. Anyone can use the computer without an account. | X | X | X | X | -| **School policies**
    Settings specific to education create a useful learning environment and the best computer performance. | X | X | X | X | -| **Azure AD Join**
    The computers are joined to your Azure AD or Office 365 subscription for centralized management. | | X | X | X | -| **Single sign-on to Office 365**
    By signing on with student IDs, students have fast access to Office 365 web apps or installed Office apps. | | | X | X | -| **Take a Test**
    Configure the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. | | | | X | -| **[Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) via Azure AD**
    Student user and application settings data can be synchronized across devices for a personalized experience. | | | | X | - - -> [!NOTE] -> If your school uses Active Directory, use [Windows Configuration Designer](set-up-students-pcs-to-join-domain.md) to configure your PCs to join the domain. You can only use the Set up School PCs app to set up PCs that are connected to Azure AD. - -## Automated Azure AD join -One of the most important features in Set up School PCs is the ability to create a provisioning package that performs automated Azure AD join. With this feature, you no longer have to spend minutes going through Windows setup, manually connecting to a network, and manually joining your Azure AD domain. With the automated Azure AD join feature in Set up School School PCs, this process is reduced to zero clicks! You can skip all of the Windows setup experience and the OS automatically joins the PC to your Azure AD domain and enrolls it into MDM if you have a MDM provider activated. - -To make this as seamless as possible, in your Azure AD tenant: -- Allow your teacher and other IT staff to join devices to Azure AD so they can sucessfully request an automated Azure AD join token. - - In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and in **Users may join devices to Azure AD**, click **Selected** and choose the members you want to enable to join devices to Azure AD. - - **Figure 1** - Select the users you want to enable to join devices to Azure AD - - ![Select the users you want to enable to join devices to Azure AD](images/azuread_usersandgroups_devicesettings_usersmayjoin.png) - -- Consider creating a special account that uses a username and password that you provide, and which has the rights to join devices if you don't want to add all teachers and IT staff. - - When teachers or IT staff need to set up PCs, they can use this account in the Set up School PCs app. 
- - If you use a service to set up PCs for you, you can give them this special account so they can deliver PCs to you that are already Azure AD joined and ready to be given to a student. - -- Turn off multifactor authentication. - - In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and set **Require Multi-Factor Auth to join devices** to **No**. - - **Figure 2** - Turn off multi-factor authentication in Azure AD - - ![Turn off multi-factor authentication in Azure AD](images/azuread_usersandgroups_devicesettings_requiremultifactorauth.png) - -- Set the maximum number of devices a user can add to unlimited. - - In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and set **Maximum number of devices per user** to **Unlimited**. - - **Figure 3** - Set maximum number of devices per user to unlimited - - ![Set maximum number of devices per user to unlimited](images/azuread_usersandgroups_devicesettings_maxnumberofdevicesperuser.png) - -- Clear your Azure AD tokens from time to time. Your tenant can only have 500 automated Azure AD tokens active at any one time. - - In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > All users** and look at the list of user names. User names that start with **package_** followed by a string of letters and numbers. These are the user accounts that are created automatically for the tokens and you can safely delete these. - - **Figure 4** - Delete the accounts automatically created for the Azure AD tokens - - ![Delete the accounts automatically created for the Azure AD tokens](images/azuread_usersandgroups_allusers_automaticaccounts.png) - -- Note that automated Azure AD tokens have expiration dates. Set up School PCs creates them with an expiration date of one month. You will see the specific expiration date for the package in the **Review package summary** page in Set up School PCs. 
- - **Figure 5** - Sample summary page showing the expiration date - - ![Sample summary page showing the expiration date](images/suspc_choosesettings_summary.png) - - - - - -## Information about Windows Update - -Shared PC mode helps ensure that computers are always up-to-date. If a PC is configured using the Set up School PCs app, shared PC mode sets the power states and Windows Update to: -* Wake nightly -* Check and install updates -* Forcibly reboot if necessary to finish applying updates - -The PC is also configured to not interrupt the user during normal daytime hours with updates or reboots. Notfications are also blocked. - -## Guidance for accounts on shared PCs - -* We recommend no local admin accounts on the PC to improve the reliability and security of the PC. -* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** or **Kiosk** will also be deleted automatically at sign out. -* On a Windows PC joined to Azure Active Directory: - * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. - * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. -* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts created through **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. 
However, any new local accounts created by the **Guest** or **Kiosk** selection on the sign-in screen, if enabled, will automatically be deleted at sign-out. -* If admin accounts are necessary on the PC - * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or - * Create admin accounts before setting up shared PC mode, or - * Create exempt accounts before signing out. -* The account management service supports accounts that are exempt from deletion. - * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key. - * To add the account SID to the registry key using PowerShell: - - ``` - $adminName = "LocalAdmin" - $adminPass = 'Pa$$word123' - iex "net user /add $adminName $adminPass" - $user = New-Object System.Security.Principal.NTAccount($adminName) - $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) - $sid = $sid.Value; - New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force - ``` - -## Custom images -Shared PC mode is fully compatible with custom images that may be created by IT departments. Create a custom image and then use sysprep with the `/oobe` flag to create an image that teachers can then apply the Set up School PCs provisioning package to. [Learn more about sysprep](https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx). - -## Provisioning package details - -The Set up School PCs app produces a specialized provisioning package that makes use of the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx). - -### Education customizations set by local MDM policy - -- By default, saving content locally to the PC is blocked, but you can choose to enable it. This prevents data loss by forcing students to save to the cloud. 
-- A custom Start layout, taskbar layout, and lock screen image are set. -- Prohibits unlocking the PC to developer mode. -- Prohibits untrusted Microsoft Store apps from being installed. -- Prohibits students from removing MDM. -- Prohibits students from adding new provisioning packages. -- Prohibits student from removing existing provisioning packages (including the one set by Set up School PCs). -- Sets Windows Update to update nightly. - - -### Uninstalled apps - -- 3D Builder (Microsoft.3DBuilder_8wekyb3d8bbwe) -- Weather (Microsoft.BingWeather_8wekyb3d8bbwe) -- Tips (Microsoft.Getstarted_8wekyb3d8bbwe) -- Get Office (Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) -- Microsoft Solitaire Collection (Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) -- Paid Wi-Fi & Cellular (Microsoft.OneConnect_8wekyb3d8bbwe) -- Feedback Hub (Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) -- Xbox (Microsoft.XboxApp_8wekyb3d8bbwe) -- Mail/Calendar (microsoft.windowscommunicationsapps_8wekyb3d8bbwe) - -### Local Group Policies - -> [!IMPORTANT] -> We do not recommend setting additional policies on PCs configured with the Set up School PCs app. The shared PC mode is optimized to be fast and reliable over time with minimal to no manual maintenance required. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Policy path

    Policy name

    Value

    Admin Templates > Control Panel > Personalization

    Prevent enabling lock screen slide show

    Enabled

    Prevent changing lock screen and logon image

    Enabled

    Admin Templates > System > Power Management > Button Settings

    Select the Power button action (plugged in)

    Sleep

    Select the Power button action (on battery)

    Sleep

    Select the Sleep button action (plugged in)

    Sleep

    Select the lid switch action (plugged in)

    Sleep

    Select the lid switch action (on battery)

    Sleep

    Admin Templates > System > Power Management > Sleep Settings

    Require a password when a computer wakes (plugged in)

    Enabled

    Require a password when a computer wakes (on battery)

    Enabled

    Specify the system sleep timeout (plugged in)

    5 minutes

    Specify the system sleep timeout (on battery)

    5 minutes

    Turn off hybrid sleep (plugged in)

    Enabled

    Turn off hybrid sleep (on battery)

    Enabled

    Specify the unattended sleep timeout (plugged in)

    5 minutes

    Specify the unattended sleep timeout (on battery)

    5 minutes

    Allow standby states (S1-S3) when sleeping (plugged in)

    Enabled

    Allow standby states (S1-S3) when sleeping (on battery)

    Enabled

    Specify the system hibernate timeout (plugged in)

    Enabled, 0

    Specify the system hibernate timeout (on battery)

    Enabled, 0

    Admin Templates>System>Power Management>Video and Display Settings

    Turn off the display (plugged in)

    5 minutes

    Turn off the display (on battery)

    5 minutes

    Admin Templates>System>Power Management>Energy Saver Settings

    Energy Saver Battery Threshold (on battery)

    70

    Admin Templates>System>Logon

    Show first sign-in animation

    Disabled

    Hide entry points for Fast User Switching

    Enabled

    Turn on convenience PIN sign-in

    Disabled

    Turn off picture password sign-in

    Enabled

    Turn off app notification on the lock screen

    Enabled

    Allow users to select when a password is required when resuming from connected standby

    Disabled

    Block user from showing account details on sign-in

    Enabled

    Admin Templates>System>User Profiles

    Turn off the advertising ID

    Enabled

    Admin Templates>Windows Components>Biometrics

    Allow the use of biometrics

    Disabled

    Allow users to log on using biometrics

    Disabled

    Allow domain users to log on using biometrics

    Disabled

    Admin Templates>Windows Components>Cloud Content

    Do not show Windows Tips

    Enabled

    Turn off Microsoft consumer experiences

    Enabled

    Admin Templates>Windows Components>Data Collection and Preview Builds

    Toggle user control over Insider builds

    Disabled

    Disable pre-release features or settings

    Disabled

    Do not show feedback notifications

    Enabled

    Allow Telemetry

    Basic, 0

    Admin Templates > Windows Components > File Explorer

    Show lock in the user tile menu

    Disabled

    Admin Templates > Windows Components > Maintenance Scheduler

    Automatic Maintenance Activation Boundary

    *MaintenanceStartTime*

    Automatic Maintenance Random Delay

    Enabled, 2 hours

    Automatic Maintenance WakeUp Policy

    Enabled

    Admin Templates > Windows Components > OneDrive

    Prevent the usage of OneDrive for file storage

    Enabled

    Admin Templates > Windows Components > Windows Hello for Business

    Use phone sign-in

    Disabled

    Use Windows Hello for Business

    Disabled

    Use biometrics

    Disabled

    Windows Settings > Security Settings > Local Policies > Security Options

    Accounts: Block Microsoft accounts

    **Note** Microsoft accounts can still be used in apps.

    Enabled

    Interactive logon: Do not display last user name

    Enabled

    Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

    Disabled

    User Account Control: Behavior of the elevation prompt for standard users

    Auto deny


    -
-## Use the app
-When you're ready to use the app, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
-
-## Related topics
-
-[Set up Windows devices for education](set-up-windows-10.md)
diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md
index 76079be7ff..35a9fc88f6 100644
--- a/education/windows/set-up-students-pcs-to-join-domain.md
+++ b/education/windows/set-up-students-pcs-to-join-domain.md
@@ -3,9 +3,10 @@ title: Set up student PCs to join domain
 description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory.
 keywords: school, student PC setup, Windows Configuration Designer
 ms.prod: W10
+ms.technology: Windows
 ms.mktglfcycl: plan
 ms.sitesec: library
-ms.localizationpriority: high
+ms.localizationpriority: medium
 author: CelesteDG
 ms.author: celested
 ms.date: 07/27/2017
diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md
index 80bc4c8bfe..225541c3e4 100644
--- a/education/windows/set-up-students-pcs-with-apps.md
+++ b/education/windows/set-up-students-pcs-with-apps.md
@@ -3,10 +3,11 @@ title: Provision student PCs with apps
 description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory.
 keywords: shared cart, shared PC, school, provision PCs with apps, Windows Configuration Designer
 ms.prod: w10
+ms.technology: Windows
 ms.pagetype: edu
 ms.mktglfcycl: plan
 ms.sitesec: library
-ms.localizationpriority: high
+ms.localizationpriority: medium
 author: CelesteDG
 ms.author: celested
 ms.date: 10/13/2017
diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md
index 6c68f0eee5..90bffc1644 100644
--- a/education/windows/set-up-windows-10.md
+++ b/education/windows/set-up-windows-10.md
@@ -3,10 +3,11 @@ title: Set up Windows devices for education
 description: Decide which option for setting up Windows 10 is right for you.
 keywords: school, Windows device setup, education device setup
 ms.prod: w10
+ms.technology: Windows
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: edu
-ms.localizationpriority: high
+ms.localizationpriority: medium
 author: CelesteDG
 ms.author: celested
 ms.date: 07/27/2017
diff --git a/education/windows/switch-to-pro-education.md b/education/windows/switch-to-pro-education.md
deleted file mode 100644
index d9f8e21851..0000000000
--- a/education/windows/switch-to-pro-education.md
+++ /dev/null
@@ -1,382 +0,0 @@ ---- -title: Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S -description: Learn how IT Pros can opt into switching to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S. -keywords: switch, free switch, Windows 10 Pro to Windows 10 Pro Education, Windows 10 S to Windows 10 Pro Education, education customers, Windows 10 Pro Education, Windows 10 Pro, Windows 10 S -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: edu -ms.localizationpriority: high -author: CelesteDG -ms.author: celested -ms.date: 10/30/2017 ---- - -# Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S -Windows 10 Pro Education is a new offering in Windows 10, version 1607. This edition builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools by providing education-specific default settings. - -If you have an education tenant and use devices with Windows 10 Pro or Windows 10 S, global administrators can opt-in to a free switch to Windows 10 Pro Education depending on your scenario. -- [Switch from Windows 10 S to Windows 10 Pro Education](#switch-from-windows-10-s-to-windows-10-pro-education) -- [Switch from Windows 10 Pro to Windows 10 Pro Education](#switch-from-windows-10-pro-to-windows-10-pro-education) - -To take advantage of this offering, make sure you meet the [requirements for switching](#requirements-for-switching). For academic customers who are eligible to switch to Windows 10 Pro Education, but are unable to use the above methods, contact Microsoft Support for assistance. - -## Requirements for switching -Before you switch to Windows 10 Pro Education, make sure you meet these requirements: -- Devices must be running Windows 10 Pro, version 1607 or higher; or running Windows 10 S, version 1703 -- Devices must be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. 
For more information, see [Review requirements on devices](#review-requirements-on-devices). - - If you haven't domain joined your devices already, [prepare for deployment of Windows 10 Pro Education licenses](#preparing-for-deployment-of-windows-10-pro-education-licenses). - -- The Azure AD tenant must be recognized as an education approved tenant. -- You must have a Microsoft Store for Education account. -- The user making the changes must be a member of the Azure AD global administrator group. - -## Compare Windows 10 Pro and Pro Education editions -You can [compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) to find out more about the features we support in other editions of Windows 10. - -For more info about Windows 10 default settings and recommendations for education customers, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). - - -## Switch from Windows 10 S to Windows 10 Pro Education -There are two ways to switch from Windows 10 S to Windows 10 Pro Education, outlined below. Regardless of how you switch to Windows 10 Pro Education, note that you can only switch devices back to Windows 10 S through reimaging. - -1. **Bulk switch through Microsoft Store for Education** - - In this scenario, the global admin for the Azure AD education tenant can use Microsoft Store to switch all Windows 10 S devices on the tenant to Windows 10 Pro Education. - - See [Switch using Microsoft Store for Education](#switch-using-microsoft-store-for-education) for details on how to do this. - -2. **Asynchronous switch** - - In this scenario, the global admin must acquire the necessary keys and then select a method for key distribution. - - **Key acquisition options:** - - **Volume Licensing customers** - For schools with active Microsoft Volume Licensing agreements, global admins can obtain free MAK keys for Windows 10 Pro Education. 
- - > [!NOTE] - > Windows 10 S is a Qualified OS (QOS) for Academic Volume Licensing only. - - - **Non-Volume Licensing customers** - For schools without an active Microsoft Volume Licensing agreement, the global admin can contact CSS, fill out a form and provide a proof of purchase to receive MAK keys for Windows 10 Pro Education. - - **Key distribution options:** - - You can find step-by-step info on how to use each of the options described here in [Switch options from Windows 10 S to Windows 10 Pro Education](#switch-options-from-windows-10-s-to-windows-10-pro-education). - - - **Bulk key distribution** - You can apply MAK keys to switch the operating system on select devices or groups of devices using one of these methods: - - Use Microsoft Intune for Education. See [Switch using Intune for Education](#switch-using-intune-for-education) for details on how to do this. - - Use Windows Configuration Designer to create a provisioning package that will provision the switch on the device(s). See [Switch using Windows Configuration Designer](#switch-using-windows-configuration-designer) for details on how to do this. - - Use the mobile device management (MDM) policy, **UpgradeEditionWithProductKey**. See [Switch using MDM](#switch-using-mdm) for details on how to do this. - - Use scripting. See [Switch using scripting](#switch-using-scripting) for details on how to do this. - - **Manual key entry** - You can also manually apply the MAK key using one of these methods: - - Enter the MAK key in the Windows **Settings > Activation** page. See [Switch using the Activation page](#switch-using-the-activation-page) for details on how to do this. - - Install with a media and key through Windows setup. We don't recommend this option due to the potential for multi-reboot requirements. 
- - -## Switch from Windows 10 Pro to Windows 10 Pro Education - -For schools that want to standardize all their Windows 10 Pro devices to Windows 10 Pro Education, a global admin for the school can opt-in to a free switch through the Microsoft Store for Education. - -In this scenario: - -- The IT admin of the tenant chooses to turn on the switch for all Azure AD joined devices. -- Any device that joins the Azure AD will switch automatically to Windows 10 Pro Education. -- The IT admin has the option to automatically roll back to Windows 10 Pro, if desired. See [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro). - -See [Switch using Microsoft Store for Education](#switch-using-microsoft-store-for-education) for details on how to do this. - -## Switch options from Windows 10 S to Windows 10 Pro Education -If you want to switch only a few or a select group of Windows 10 S devices to Windows 10 Pro Education, you can use one of the following key distribution options once you've obtained the MAK keys for Windows 10 Pro Education. See [Switch from Windows 10 S to Windows 10 Pro Education](#switch-from-windows-10-s-to-windows-10-pro-education) for more info. - -### Switch using Intune for Education - -1. In Intune for Education, select **Groups** and then choose the group that you want to apply the MAK license key to. - - For example, to apply the switch for all teachers, select **All Teachers** and then select **Settings**. - -2. In the settings page, find **Edition upgrade** and then: - 1. Select the edition in the **Edition to upgrade to** field - 2. Enter the MAK license key in the **Product key** field - - **Figure 1** - Enter the details for the Windows edition switch - - ![Enter the details for the Windows edition switch](images/i4e_editionupgrade.png) - -3. The switch will automatically be applied to the group you selected. 
- - -### Switch using Windows Configuration Designer -You can use Windows Configuration Designer to create a provisioning package that you can use to switch the Windows edition for your device(s). [Install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) to create a provisioning package. - -1. In Windows Configuration Designer, select **Provision desktop devices** to open the simple editor and create a provisioning package for Windows desktop editions. -2. In the **Set up device** page, enter the MAK license key in the **Enter product key** field to switch to Windows 10 Pro Education. - - **Figure 2** - Enter the license key - - ![Enter the license key to switch to Windows 10 Pro Education](images/wcd_productkey.png) - -3. Complete the rest of the process for creating a provisioning package and then apply the package to the devices you want to switch to Windows 10 Pro Education. - - For more information about using Windows Configuration Designer, see [Set up student PCs to join domain](https://technet.microsoft.com/en-us/edu/windows/set-up-students-pcs-to-join-domain). - -### Switch using MDM - -To switch Windows 10 S to Windows 10 Pro Education, enter the product key for the Windows 10 Pro Education edition in the **UpgradeEditionWithProductKey** policy setting of the [WindowsLicensing CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/windowslicensing-csp). - -### Switch using scripting - -You can switch from Windows 10 S to Windows 10 Pro Education by running the changepk.exe command-line tool. To do this, run the following command: - -``` -changepk.exe /ProductKey MAK_key_or_product_key -``` - -Replace *MAK_key_or_product_key* with the MAK key that you obtained for the Windows 10 edition switch. - - -### Switch using the Activation page - -1. On the Windows device that you want to switch, open the **Settings** app. -2. 
Select **Update & security** > **Activation**, and then click **Change product key**. -3. In the **Enter a product key** window, enter the MAK key for Windows 10 Pro Education and click **Next**. - - -## Education customers with Azure AD joined devices - -Academic institutions can easily move from Windows 10 S or Windows 10 Pro to Windows 10 Pro Education without using activation keys or reboots. When one of your users enters their Azure AD credentials associated with a Windows 10 Pro Education license, the operating system switches to Windows 10 Pro Education and all the appropriate Windows 10 Pro Education features are unlocked. Previously, only schools or organizations purchasing devices as part of the Shape the Future K-12 program or with a Microsoft Volume Licensing Agreement could deploy Windows 10 Pro Education to their users. Now, if you have an Azure AD for your organization, you can take advantage of the Windows 10 Pro Education features. - -When you switch to Windows 10 Pro Education, you get the following benefits: - -- **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 or higher, or Windows 10 S, version 1703, can get Windows 10 Pro Education Current Branch (CB). This benefit does not include Long Term Service Branch (LTSB). -- **Support from one to hundreds of users**. The Windows 10 Pro Education program does not have a limitation on the number of licenses an organization can have. -- **Roll back options to Windows 10 Pro** - - When a user leaves the domain or you turn off the setting to automatically switch to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days). - - For devices that originally had Windows 10 Pro edition installed, when a license expires or is transferred to another user, the Windows 10 Pro Education device seamlessly steps back down to Windows 10 Pro. 
- - See [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro) for more info. - - For devices that originally had Windows 10 S installed, Windows 10 Pro Education cannot step back down to Windows 10 S. You will need to reimage these devices with Windows 10 S if you need to step down from Windows 10 Pro Education to Windows 10 S. - - -### Switch using Microsoft Store for Education -Once you enable the setting to switch to Windows 10 Pro Education, the switch will begin only after a user signs in to their device. The setting applies to the entire organization or tenant, so you cannot select which users will receive the switch. The switch will only apply to Windows 10 S and Windows 10 Pro devices. - -**To turn on the automatic switch to Windows 10 Pro Education** - -1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your work or school account. - - If this is the first time you're signing into the Microsoft Store for Education, you'll be prompted to accept the Microsoft Store for Education Terms of Use. - -2. Click **Manage** from the top menu and then select the **Benefits tile**. -3. In the **Benefits** tile, look for the **Switch to Windows 10 Pro Education for free** link and then click it. - - You will see the following page informing you that your school is eligible to switch free to Windows 10 Pro Education from Windows 10 S or Windows 10 Pro. - - **Figure 3** - Switch Windows 10 Pro to Windows 10 Pro Education - - ![Eligible for free Windows 10 Pro to Windows 10 Pro Education switch](images/msfe_manage_benefits_switchtoproedu.png) - -4. In the **Switch all your devices to Windows 10 Pro Education for free** page, check box next to **I understand enabling this setting will switch all domain-joined devices running Windows 10 Pro or Windows 10 S in my organization**. 
- - **Figure 4** - Check the box to confirm - - ![Check the box to confirm](images/msfe_manage_benefits_checktoconfirm.png) - -5. Click **Switch all my devices**. - - A confirmation window pops up to let you know that an email has been sent to you to enable the switch. - -6. Close the confirmation window and check the email to proceed to the next step. -7. In the email, click the link to **Switch to Windows 10 Pro Education**. Once you click the link, this will take you back to the Microsoft Store for Education portal. - - **Figure 5** - Click the link in the email to switch to Windows 10 Pro Education - - ![Click the email link to switch to Windows 10 Pro Education](images/msfe_clickemaillink_switchtoproedu.png) - -8. Click **Switch now** in the **Switching your device to Windows 10 Pro Education for free** page in the Microsoft Store. - - You will see a window that confirms you've successfully switched all the devices in your organization to Windows 10 Pro Education, and each Azure AD joined device running Windows 10 Pro or Windows 10 S will automatically switch the next time someone in your organization signs in to the device. - -9. Click **Close** in the **Success** window. - -Enabling the automatic switch also triggers an email message notifying all global administrators in your organization about the switch. It also contains a link that enables any global administrators to cancel the switch if they choose. For more info about rolling back or canceling the switch, see [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro).\ - -**Figure 6** - Email notifying all global admins about the switch - -![Email notifying all global admins about the switch](images/msfe_switchtoproedu_globaladminsemail_cancelswitch.png) - - -## Explore the switch experience - -So what will users experience? How will they switch their devices? 
- -### For existing Azure AD joined devices -Existing Azure AD domain joined devices will be switched to Windows 10 Pro Education the next time the user logs in. That's it! No additional steps are needed. - -### For new devices that are not Azure AD joined -Now that you've turned on the setting to automatically switch to Windows 10 Pro Education, the users are ready to switch their devices running Windows 10 Pro, version 1607 or higher or Windows 10 S, version 1703 to Windows 10 Pro Education edition. - -#### Step 1: Join users’ devices to Azure AD - -Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1607 or higher, or Windows 10 S, version 1703. - -**To join a device to Azure AD the first time the device is started** - -There are different methods you can use to join a device to Azure AD: -- For multiple devices, we recommend using the [Set up School PCs app](use-set-up-school-pcs-app.md) to create a provisioning package to quickly provision and set up Windows 10 devices for education. -- For individual devices, you can use the Set up School PCs app or go through the Windows 10 device setup experience. If you choose this option, see the following steps. - -**To join a device to Azure AD using Windows device setup** - -If the Windows device is running Windows 10, version 1703, follow these steps. - -1. During initial device setup, on the **How would you like to set up?** page, select **Set up for an organization**, and then click **Next**. - - **Figure 7** - Select how you'd like to set up the device - - ![Select how you'd like to set up the device](images/1_howtosetup.png) - -2. On the **Sign in with Microsoft** page, enter the username and password to use with Office 365 or other services from Microsoft, and then click **Next**. 
- - **Figure 8** - Enter the account details - - ![Enter the account details you use with Office 365 or other Microsoft services](images/2_signinwithms.png) - -3. Go through the rest of Windows device setup. Once you're done, the device will be Azure AD joined to your school's subscription. - - -**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 or Windows 10 S, version 1703 installed and set up** - -If the Windows device is running Windows 10, version 1703, follow these steps. - -1. Go to **Settings > Accounts > Access work or school**. - - **Figure 9** - Go to **Access work or school** in Settings - - ![Go to Access work or school in Settings](images/settings_workorschool_1.png) - -2. In **Access work or school**, click **Connect**. -3. In the **Set up a work or school account** window, click the **Join this device to Azure Active Directory** option at the bottom. - - **Figure 10** - Select the option to join the device to Azure Active Directory - - ![Select the option to join the device to Azure Active Directory](images/settings_setupworkorschoolaccount_2.png) - -4. On the **Let's get you signed in** window, enter the Azure AD credentials (username and password) and sign in. This will join the device to the school's Azure AD. -5. To verify that the device was successfully joined to Azure AD, go back to **Settings > Accounts > Access work or school**. You should now see a connection under the **Connect to work or school** section that indicates the device is connected to Azure AD. - - **Figure 11** - Verify the device connected to Azure AD - - ![Verify the device is connected to Azure AD](images/settings_connectedtoazuread_3.png) - - -#### Step 2: Sign in using Azure AD account - -Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account. 
The Windows 10 Pro Education license associated with the user will enable Windows 10 Pro Education edition capabilities on the device. - - -#### Step 3: Verify that Pro Education edition is enabled - -You can verify the Windows 10 Pro Education in **Settings > Update & Security > Activation**. - -**Figure 12** - Windows 10 Pro Education in Settings - -Windows 10 activated and subscription active - -If there are any problems with the Windows 10 Pro Education license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. - -### Troubleshoot the user experience - -In some instances, users may experience problems with the Windows 10 Pro Education switch. The most common problems that users may experience are as follows: - -- The existing operating system (Windows 10 Pro, version 1607 or higher, or Windows 10 S, version 1703) is not activated. -- The Windows 10 Pro Education switch has lapsed or has been removed. - -Use the following figures to help you troubleshoot when users experience these common problems: - -**Figure 13** - Illustrates a device in a healthy state, where the existing operating system is activated, and the Windows 10 Pro Education switch is active. - -Windows 10 activated and subscription active

    - - -**Figure 14** - Illustrates a device on which the existing operating system is not activated, but the Windows 10 Pro Education switch is active. - -Windows 10 not activated and subscription active

    - - -### Review requirements on devices - -Devices must be running Windows 10 Pro, version 1607 or higher, or Windows 10 S, version 1703 and be Azure AD joined, or domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. You can use the following procedures to review whether a particular device meets requirements. - -**To determine if a device is Azure AD joined** - -1. Open a command prompt and type the following: - - ``` - dsregcmd /status - ``` - -2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined. - -**To determine the version of Windows 10** - -- At a command prompt, type: - - ``` - winver - ``` - - A popup window will display the Windows 10 version number and detailed OS build information. - - > [!NOTE] - > If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be switched to Windows 10 Pro Education when a user signs in, even if the user has been assigned a license. - -### Roll back Windows 10 Pro Education to Windows 10 Pro - -If your organization has the Windows 10 Pro to Windows 10 Pro Education switch enabled, and you decide to roll back to Windows 10 Pro or to cancel the switch, you can do this by: - -- Logging into Microsoft Store for Education page and turning off the automatic switch. -- Selecting the link to turn off the automatic switch from the notification email sent to all global administrators. - -Once the automatic switch to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were switched will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. This means that a user whose device was switched may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. 
However, users who haven't signed in during the time that a switch was enabled and then turned off will never see their device change from Windows 10 Pro. - -> [!NOTE] -> Devices that were switched from Windows 10 S to Windows 10 Pro Education cannot roll back to Windows 10 S. - -**To roll back Windows 10 Pro Education to Windows 10 Pro** - -1. Log in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your school or work account, or follow the link from the notification email to turn off the automatic switch. -2. Select **Manage > Benefits** and locate the section **Windows 10 Pro Education** and follow the link. -3. In the **Revert to Windows 10 Pro** page, click **Revert to Windows 10 Pro**. - - **Figure 15** - Revert to Windows 10 Pro - - ![Revert to Windows 10 Pro](images/msfe_manage_reverttowin10pro.png) - -4. You will be asked if you're sure that you want to turn off automatic switches to Windows 10 Pro Education. Click **Yes**. -5. Click **Close** in the **Success** page. - - All global admins get a confirmation email that a request was made to roll back your organization to Windows 10 Pro. If you, or another global admin, decide later that you want to turn on automatic switches again, you can do this by selecting **Switch to Windows 10 Pro Education for free** from the **Manage > Benefits** in the Microsoft Store for Education. - - -## Preparing for deployment of Windows 10 Pro Education licenses - -If you have on-premises Active Directory Domain Services (AD DS) domains, users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Pro Education to users, you need to synchronize the identities in the on-premises AD DS domain with Azure AD. - -You need to synchronize these identities so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Pro Education). 
This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. - -Figure 11 illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. - -**Figure 16** - On-premises AD DS integrated with Azure AD - -![Illustration of Azure Active Directory Connect](images/windows-ad-connect.png) - -For more information about integrating on-premises AD DS domains with Azure AD, see these resources: -- [Integrating your on-premises identities with Azure Active Directory](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/) -- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) - -## Related topics - -[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) -[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) -[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index 937dfe5d9d..5c96e3b1b2 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md 
@@ -3,10 +3,11 @@ title: Take a Test app technical reference
 description: The policies and settings applied by the Take a Test app.
 keywords: take a test, test taking, school, policies
 ms.prod: w10
+ms.technology: Windows
 ms.mktglfcycl: plan
 ms.sitesec: library
 ms.pagetype: edu
-ms.localizationpriority: high
+ms.localizationpriority: medium
 author: CelesteDG
 ms.author: celested
 ms.date: 11/28/2017
diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md
index f83c1e7773..b71c991d7c 100644
--- a/education/windows/take-a-test-multiple-pcs.md
+++ b/education/windows/take-a-test-multiple-pcs.md
@@ -3,10 +3,11 @@ title: Set up Take a Test on multiple PCs
 description: Learn how to set up and use the Take a Test app on multiple PCs.
 keywords: take a test, test taking, school, set up on multiple PCs
 ms.prod: w10
+ms.technology: Windows
 ms.mktglfcycl: plan
 ms.sitesec: library
 ms.pagetype: edu
-ms.localizationpriority: high
+ms.localizationpriority: medium
 author: CelesteDG
 ms.author: celested
 ms.date: 11/08/2017
diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md
index 630e913e2d..666b4d00a1 100644
--- a/education/windows/take-a-test-single-pc.md
+++ b/education/windows/take-a-test-single-pc.md
@@ -3,10 +3,11 @@ title: Set up Take a Test on a single PC
 description: Learn how to set up and use the Take a Test app on a single PC.
 keywords: take a test, test taking, school, set up on single PC
 ms.prod: w10
+ms.technology: Windows
 ms.mktglfcycl: plan
 ms.sitesec: library
 ms.pagetype: edu
-ms.localizationpriority: high
+ms.localizationpriority: medium
 author: CelesteDG
 ms.author: celested
 ms.date: 11/08/2017
diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md
index f41a994602..0c0c8ccd9a 100644
--- a/education/windows/take-tests-in-windows-10.md
+++ b/education/windows/take-tests-in-windows-10.md
@@ -3,10 +3,11 @@ title: Take tests in Windows 10
 description: Learn how to set up and use the Take a Test app.
 keywords: take a test, test taking, school, how to, use Take a Test
 ms.prod: w10
+ms.technology: Windows
 ms.mktglfcycl: plan
 ms.sitesec: library
 ms.pagetype: edu
-ms.localizationpriority: high
+ms.localizationpriority: medium
 author: CelesteDG
 ms.author: celested
 ms.date: 10/16/2017
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index 14bbe54561..87afbb458f 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -3,14 +3,17 @@ title: For teachers get Minecraft Education Edition
 description: Learn how teachers can get and distribute Minecraft.
 keywords: school, Minecraft, Education Edition, educators, teachers, acquire, distribute
 ms.prod: W10
+ms.technology: Windows
 ms.mktglfcycl: plan
 ms.sitesec: library
-ms.localizationpriority: high
+ms.localizationpriority: medium
 author: trudyha
 searchScope:
 - Store
 ms.author: trudyha
 ms.date: 1/5/2018
+ms.topic: conceptual
+---
 # For teachers - get Minecraft: Education Edition
@@ -18,35 +21,44 @@ ms.date: 1/5/2018 - Windows 10 -Learn how teachers can get and distribute Minecraft: Education Edition. +The following article describes how teachers can get and distribute Minecraft: Education Edition. +Minecraft: Education Edition is available for anyone to trial, and subscriptions can be purchased by qualified educational institutions directly in the Microsoft Store for Education, via volume licensing agreements and through partner resellers. -## Add Minecraft to your Microsoft Store for Education +To get started, go to http://education.minecraft.net/ and select **GET STARTED**. -1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **GET STARTED**. +## Try Minecraft: Education Edition for Free - +Minecraft: Education Edition is available for anyone to try for free! The free trial is fully-functional but limited by the number of logins (25 for teachers and 10 for students) before a paid license will be required to continue playing. -2. Enter your email address. +To learn more and get started, go to http://education.minecraft.net/ and select **GET STARTED**. - - -3. Select **Get the app**. This will take you to Microsoft Store for Ecucation to download the app. You will also receive an email with instructions and a link to the Store. +## Purchase Minecraft: Education Edition for Teachers and Students - +Minecraft: Education Edition is licensed via yearly subscriptions that are purchased through the Microsoft Store for Education, via volume licensing agreements and through partner resellers. -4. Sign in to Microsoft Store for Education with your email address. +>[!Note] +>M:EE is available on many platforms, but all license purchases can only be done through one of the three methods listed above. -5. Read and accept the Microsoft Store for Business and Education Service Agreement, and then select **Next**. 
+As a teacher, you may purchase subscription licenses for you and your students directly through the Microsoft Store for Education, or you may already have access to licenses at your school (through a volume license agreement) if you have an Office 365 account. -6. **Minecraft: Education Edition** opens in the Microsoft Store for Education. Select **Get the app**. This places **Minecraft: Education Edition** in your Microsoft Store inventory. +>[!Note] +>If you already have Office 365, you may already have Minecraft: Education Edition licenses for your school! M:EE is included in many volume license agreements, however, only the administrators at your school will be able to assign and manage those licenses. If you have an Office 365 account, check with your school administration or IT administrator prior to purchasing M:EE directly. + +You can purchase individual Minecraft: Education Edition subscriptions for you and other teachers and students directly in the Microsoft Store for Education. + +To purchase individual Minecraft: Education Edition subscriptions (i.e. direct purchase): + +1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your Office 365 account. +2. Click on [Minecraft: Education Edition](https://educationstore.microsoft.com/en-us/store/details/minecraft-education-edition/9nblggh4r2r6) (or use Search the Store to find it) +3. Click **Buy** + +>[!Note] +>Administrators can restrict the ability for teachers to purchase applications in the Microsoft Store for Education. If you do not have the ability to Buy, contact your school administration or IT administrator. - - -If you need additional licenses for **Minecraft: Education Edition**, see [Purchase additional licenses](https://docs.microsoft.com/education/windows/education-scenarios-store-for-business#purchase-additional-licenses). 
## Distribute Minecraft -After Minecraft: Education Edition is added to your Microsoft Store for Education inventory, you have three options: +After Minecraft: Education Edition licenses have been purchased, either directly, through a volume license agreement or through a partner reseller, those licenses will be added to your Microsoft Store for Education. From there you have three options: - You can install the app on your PC. - You can assign the app to others. diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md index 6f39869fb3..5462d07464 100644 --- a/education/windows/test-windows10s-for-edu.md +++ b/education/windows/test-windows10s-for-edu.md 
@@ -1,52 +1,53 @@
---
-title: Test Windows 10 S on existing Windows 10 education devices
-description: Provides guidance on downloading and testing Windows 10 S for existing Windows 10 education devices.
-keywords: Windows 10 S, try, download, school, education, Windows 10 S installer, existing Windows 10 education devices
+title: Test Windows 10 in S mode on existing Windows 10 education devices
+description: Provides guidance on downloading and testing Windows 10 in S mode for existing Windows 10 education devices.
+keywords: Windows 10 in S mode, try, download, school, education, Windows 10 in S mode installer, existing Windows 10 education devices
ms.mktglfcycl: deploy
ms.prod: w10
+ms.technology: Windows
ms.pagetype: edu
ms.sitesec: library
-ms.localizationpriority: high
-author: CelesteDG
-ms.author: celested
-ms.date: 11/03/2017
+ms.localizationpriority: medium
+author: MikeBlodge
+ms.author: MikeBlodge
+ms.date: 04/30/2018
---
-# Test Windows 10 S on existing Windows 10 education devices
+# Test Windows 10 in S mode on existing Windows 10 education devices
**Applies to:**
-- Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, Windows 10 Enterprise
+- Devices running Windows 10, version 1709: Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, Windows 10 Enterprise
-The Windows 10 S self-installer will allow you to test Windows 10 S on a variety of individual Windows 10 devices (except Windows 10 Home) with a genuine, activated license[1](#footnote1). Please test Windows 10 S on a variety of devices in your school and share your feedback with us.
+The Windows 10 in S mode self-installer will allow you to test Windows 10 in S mode on a variety of individual Windows 10 devices (except Windows 10 Home) with a genuine, activated license[1](#footnote1). Please test Windows 10 in S mode on a variety of devices in your school and share your feedback with us.
-Windows 10 S is built to give schools the familiar, robust, and productive experiences you count on from Windows in an experience that's been streamlined for security and performance in the classroom, and built to work with Microsoft Education[2](#footnote2). +Windows 10 in S mode is built to give schools the familiar, robust, and productive experiences you count on from Windows in an experience that's been streamlined for security and performance in the classroom, and built to work with Microsoft Education[2](#footnote2). -Windows 10 S is different from other editions of Windows 10 as everything that runs on the device is verfied by Microsoft for security and performance. Therefore, Windows 10 S works exclusively with apps from the Microsoft Store. Some accessories and apps compatible with Windows 10 may not work and performance may vary. Certain default settings, features, and apps cannot be changed. When you install Windows 10 S, your existing applications and settings will be deleted and you will only be able to install apps from the Microsoft Store. +Windows 10 in S mode is different from other editions of Windows 10 as everything that runs on the device is verfied by Microsoft for security and performance. Therefore, Windows 10 in S mode works exclusively with apps from the Microsoft Store. Some accessories and apps compatible with Windows 10 may not work and performance may vary. Certain default settings, features, and apps cannot be changed. When you install Windows 10 in S mode, your existing applications and settings will be deleted and you will only be able to install apps from the Microsoft Store. -**Configuring Windows 10 S for school use is easy:** Education customers must configure **SetEduPolicies** for use in K-12 schools. For more information on how to do these, see [Use the Set up School PCs app](use-set-up-school-pcs-app.md) and [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). 
+**Configuring Windows 10 in S mode for school use is easy:** Education customers must configure **SetEduPolicies** for use in K-12 schools. For more information on how to do these, see [Use the Set up School PCs app](use-set-up-school-pcs-app.md) and [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). -**Installing Office 365 for Windows 10 S (Education preview)**: To install the Office applications in a school environment, you must use the free Set up School PCs app, which is available on the Microsoft Store for Education and from the Microsoft Store. +**Installing Office 365 for Windows 10 in S mode (Education preview)**: To install the Office applications in a school environment, you must use the free Set up School PCs app, which is available on the Microsoft Store for Education and from the Microsoft Store. -As we finalize development of Office 365 for Windows 10 S (Education preview), the applications will be updated automatically. You must have an Office license to activate the applications once they are installed.To learn more about Office 365 for Education plans, see [FAQ: Office on Windows 10 S](https://support.office.com/article/717193b5-ff9f-4388-84c0-277ddf07fe3f). +As we finalize development of Office 365 for Windows 10 in S mode (Education preview), the applications will be updated automatically. You must have an Office license to activate the applications once they are installed.To learn more about Office 365 for Education plans, see [FAQ: Office on Windows 10 in S mode](https://support.office.com/article/717193b5-ff9f-4388-84c0-277ddf07fe3f). -## Before you install Windows 10 S +## Before you install Windows 10 in S mode ### Important information -Before you install Windows 10 S, be aware that non-Microsoft Store apps will not work, peripherals that require custom drivers may not work, and other errors may occur. 
In particular, this release of Windows 10 S: +Before you install Windows 10 in S mode, be aware that non-Microsoft Store apps will not work, peripherals that require custom drivers may not work, and other errors may occur. In particular, this release of Windows 10 in S mode: * Is intended for education customers to test compatibility with existing hardware -* May not work with some device drivers, which may not yet be ready for Windows 10 S and may cause some loss in functionality +* May not work with some device drivers, which may not yet be ready for Windows 10 in S mode and may cause some loss in functionality * May not be compatible with all peripherals that require custom drivers and, even if compatible, may cause aspects of the peripheral to not function -* Has software and feature limitations compared to other Windows 10 editions, primarily that Windows 10 S is limited to Store apps only +* Has software and feature limitations compared to other Windows 10 editions, primarily that Windows 10 in S mode is limited to Store apps only > [!WARNING] - > You can install Windows 10 S on devices running other editions of Windows 10. For more information, see [Supported devices](#supported-devices). However, we don't recommend installing Windows 10 S on Windows 10 Home devices as you won't be able to activate it. + > You can install Windows 10 in S mode on devices running other editions of Windows 10. For more information, see [Supported devices](#supported-devices). However, we don't recommend installing Windows 10 in S mode on Windows 10 Home devices as you won't be able to activate it. * Will not run current Win32 software and might result in the loss of any data associated with that software, which might include software already purchased Due to these reasons, we recommend that you use the installation tool and avoid doing a clean install from an ISO media. 
-Before you install Windows 10 S on your existing Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise device: +Before you install Windows 10 in S mode on your existing Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise device: * Make sure that you updated your existing device to Windows 10, version 1703 (Creators Update). See [Download Windows 10](https://www.microsoft.com/en-us/software-download/windows10) and follow the instructions to update your device to Windows 10, version 1703. You can verify your current version in **Settings > System > About**. 
@@ -55,27 +56,27 @@ Before you install Windows 10 S on your existing Windows 10 Pro, Windows 10 Pro To do this, go to **Settings > Update & security > Windows Update**. -* Create a system backup in case you would like to return to your previously installed version of Windows 10 after trying Windows 10 S. +* Create a system backup in case you would like to return to your previously installed version of Windows 10 after trying Windows 10 in S mode. See [Create a recovery drive](#create-a-recovery-drive) for information on how to do this. ## Supported devices -The Windows 10 S install will install and activate on the following editions of Windows 10 in use by schools: +The Windows 10 in S mode install will install and activate on the following editions of Windows 10 in use by schools: * Windows 10 Pro * Windows 10 Pro Education * Windows 10 Education * Windows 10 Enterprise -Other Windows 10 editions cannot be activated and are not supported. If your device is not running one of these supported Windows 10 editions, do not proceed with using the Windows 10 S installer. Windows 10 N editions and running in virtual machines are not supported by the Windows 10 S installer. +Other Windows 10 editions cannot be activated and are not supported. If your device is not running one of these supported Windows 10 editions, do not proceed with using the Windows 10 in S mode installer. Windows 10 N editions and running in virtual machines are not supported by the Windows 10 in S mode installer. ### Preparing your device to install drivers -Make sure all drivers are installed and working properly on your device running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise before installing Windows 10 S. +Make sure all drivers are installed and working properly on your device running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise before installing Windows 10 in S mode. 
### Supported devices and drivers -Check with your device manufacturer before trying Windows 10 S on your device to see if the drivers are available and supported by the device manufacturer. +Check with your device manufacturer before trying Windows 10 in S mode on your device to see if the drivers are available and supported by the device manufacturer. | | | | | - | - | - | 
@@ -88,51 +89,48 @@ Check with your device manufacturer before trying Windows 10 S on your device to | HP | Huawei | I Life | | iNET | Intel | LANIT Trading | | Lenovo | LG | MCJ | -| Micro P/Exertis | Microsoft | MSI | +| Micro P/Exertis | Microsoft | MSI | | Panasonic | PC Arts | Positivo SA | | Positivo da Bahia | Samsung | Teclast | | Thirdwave | Tongfang | Toshiba | | Trekstor | Trigem | Vaio | | Wortmann | Yifang | | - > [!NOTE] > If you don't see any device listed on the manufacturer's web site, check back again later as more devices get added in the future. - ## Kept files -Back up all your data before installing Windows 10 S. Only personal files may be kept during installation. Your settings and apps will be deleted. +Back up all your data before installing Windows 10 in S mode. Only personal files may be kept during installation. Your settings and apps will be deleted. > [!NOTE] > All existing Win32 applications and data will be deleted. Save any data or installation files in case you may need to access that data again or need to reinstall these applications later. ## Domain join -Windows 10 S does not support non-Azure Active Directory domain accounts. Before installing Windows 10 S, you must have at least one of these administrator accounts: +Windows 10 in S mode does not support non-Azure Active Directory domain accounts. Before installing Windows 10 in S mode, you must have at least one of these administrator accounts: - Local administrator - Microsoft Account (MSA) administrator - Azure Active Directory administrator > [!WARNING] -> If you don't have one of these administrator accounts accessible before migration, you will not be able to log in to your device after migrating to Windows 10 S. +> If you don't have one of these administrator accounts accessible before migration, you will not be able to log in to your device after migrating to Windows 10 in S mode. 
-We recommend [creating a recovery drive](#create-a-recovery-drive) before migrating to Windows 10 S in case you run into this issue. +We recommend [creating a recovery drive](#create-a-recovery-drive) before migrating to Windows 10 in S mode in case you run into this issue. ## Installing Office applications -After installing Windows 10 S, use the free [Set up School PCs app](use-set-up-school-pcs-app.md) to install Office 365 for Windows 10 S (Education preview). You must have an Office license to activate the applications once they are installed. - +After installing Windows 10 in S mode, use the free [Set up School PCs app](use-set-up-school-pcs-app.md) to install Office 365 for Windows 10 in S mode (Education preview). You must have an Office license to activate the applications once they are installed. ## Switch to previously installed Windows 10 editions -If Windows 10 S is not right for you, you can switch to the Windows 10 edition previously installed on your device(s). -* Education customers can switch devices to Windows 10 Pro Education using the Microsoft Store for Education. For more information, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md). -* If you try Windows 10 S and decide to switch back to the previously installed edition within 10 days, you can go back to the previously installed edition using the Windows Recovery option in Settings. For more info, see [Go back to your previous edition of Windows 10](#go-back-to-your-previous-edition-of-windows-10). +If Windows 10 in S mode is not right for you, you can switch to the Windows 10 edition previously installed on your device(s). +* Education customers can switch devices to Windows 10 Pro Education using the Microsoft Store for Education. For more information, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 in S mode](change-to-pro-education.md). 
+* If you try Windows 10 in S mode and decide to switch back to the previously installed edition within 10 days, you can go back to the previously installed edition using the Windows Recovery option in Settings. For more info, see [Go back to your previous edition of Windows 10](#go-back-to-your-previous-edition-of-windows-10). ## Device recovery -Before installing Windows 10 S, we recommend that you create a system backup in case you would like to return to Windows 10 Pro or Windows 10 Pro Education after trying Windows 10 S. +Before installing Windows 10 in S mode, we recommend that you create a system backup in case you would like to return to Windows 10 Pro or Windows 10 Pro Education after trying Windows 10 in S mode. ### Create a recovery drive To create a recovery drive, follow these steps. @@ -147,7 +145,7 @@ To create a recovery drive, follow these steps. ### Go back to your previous edition of Windows 10 -Alternatively, for a period of 10 days after you install Windows 10 S, you have the option to go back to your previous edition of Windows 10 from **Settings > Update & security > Recovery**. This will keep your personal files, but it will remove installed apps as well as any changes you made to **Settings**. +Alternatively, for a period of 10 days after you install Windows 10 in S mode, you have the option to go back to your previous edition of Windows 10 from **Settings > Update & security > Recovery**. This will keep your personal files, but it will remove installed apps as well as any changes you made to **Settings**. To go back, you need to: * Keep everything in the windows.old and $windows.~bt folders after the upgrade. 
@@ -203,48 +201,49 @@ To use an installation media to reinstall Windows 10, follow these steps. 13. When you're done formatting, select **Next**. 14. Follow the rest of the setup instructions to finish installing Windows 10. -## Download Windows 10 S -Ready to test Windows 10 S on your existing Windows 10 Pro or Windows 10 Pro Education device? Make sure you read the [important pre-installation information](#important-information) and all the above information. +## Download Windows 10 in S mode +Ready to test Windows 10 in S mode on your existing Windows 10 Pro or Windows 10 Pro Education device? Make sure you read the [important pre-installation information](#important-information) and all the above information. -When you're ready, you can download the Windows 10 S installer by clicking the **Download installer** button below: +When you're ready, you can download the Windows 10 in S mode installer by clicking the **Download installer** button below: > [!div class="nextstepaction" style="center"] > [Download installer](https://go.microsoft.com/fwlink/?linkid=853240) -After you install Windows 10 S, the OS defaults to the English version. To change the UI and show the localized UI, go to **Settings > Time & language > Region & language >** in **Languages** select **Add a language** to add a new language or select an existing language and set it as the default. +After you install Windows 10 in S mode, the OS defaults to the English version. To change the UI and show the localized UI, go to **Settings > Time & language > Region & language >** in **Languages** select **Add a language** to add a new language or select an existing language and set it as the default. ## Terms and Conditions -Because you’re installing Windows 10 S on a running version of Windows 10, you have already accepted the Windows 10 Terms and Conditions. You are not required to accept it again and the Windows 10 installer doesn’t show a Terms and Conditions page during installation. 
+Because you’re installing Windows 10 in S mode on a running version of Windows 10, you have already accepted the Windows 10 Terms and Conditions. You are not required to accept it again and the Windows 10 installer doesn’t show a Terms and Conditions page during installation. ## Support -Thank you for testing Windows 10 S. Your best experience will be running on a supported device as mentioned above. However, we invite you to try Windows 10 S on existing devices with an eligible operating system. If you are having difficulty installing or running Windows 10 S, use the Windows **Feedback Hub** to report your experience to Microsoft. This is the best way to help improve Windows 10 S with your feedback. +Thank you for testing Windows 10 in S mode. Your best experience will be running on a supported device as mentioned above. However, we invite you to try Windows 10 in S mode on existing devices with an eligible operating system. If you are having difficulty installing or running Windows 10 in S mode, use the Windows **Feedback Hub** to report your experience to Microsoft. This is the best way to help improve Windows 10 in S mode with your feedback. -Common support questions for the Windows 10 S test program: +Common support questions for the Windows 10 in S mode test program: -* **How do I activate if I don't have a Windows 10 S product key?** +* **How do I activate if I don't have a Windows 10 in S mode product key?** - As stated above, devices running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise can install and run Windows 10 S and it will automatically activate. Testing Windows 10 S on a device running Windows 10 Home is not recommended and supported at this time. + As stated above, devices running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise can install and run Windows 10 in S mode and it will automatically activate. 
Testing Windows 10 in S mode on a device running Windows 10 Home is not recommended and supported at this time. -* **Will my OEM help me run Windows 10 S?** +* **Will my OEM help me run Windows 10 in S mode?** - OEMs typically only support their devices with the operating system that was pre-installed. See [Supported devices](#supported-devices) for OEM devices that are best suited for testing Windows 10 S. When testing Windows 10 S, be ready to restore your own PC back to factory settings without assistance. Steps to return to your previous installation of Windows 10 are covered above. + OEMs typically only support their devices with the operating system that was pre-installed. See [Supported devices](#supported-devices) for OEM devices that are best suited for testing Windows 10 in S mode. When testing Windows 10 in S mode, be ready to restore your own PC back to factory settings without assistance. Steps to return to your previous installation of Windows 10 are covered above. -* **What happens when I run Reset or Fresh Start on Windows 10 S?** +* **What happens when I run Reset or Fresh Start on Windows 10 in S mode?** - **Reset** or **Fresh Start** will operate correctly and keep you on Windows 10 S. They also remove the 10-day go back ability. See [Switch to previously installed Windows 10 editions](#switch-to-previously-installed-windows-10-editions) to return to your previous installation of Windows 10 if you wish to discontinue using Windows 10 S. + **Reset** or **Fresh Start** will operate correctly and keep you on Windows 10 in S mode. They also remove the 10-day go back ability. See [Switch to previously installed Windows 10 editions](#switch-to-previously-installed-windows-10-editions) to return to your previous installation of Windows 10 if you wish to discontinue using Windows 10 in S mode. 
-* **What if I want to move from Windows 10 S to Windows 10 Pro?** +* **What if I want to move from Windows 10 in S mode to Windows 10 Pro?** - If you want to discontinue using Windows 10 S, follow the instructions to return to your previous installation of Windows 10. If you already had Windows 10 Pro or Windows 10 Pro Education on the device you are testing on, you should be able to move to Windows 10 Pro or Windows 10 Pro Education at no charge with the instructions in this document. Otherwise, there may be a cost to acquire a Windows 10 Pro license in the Store. + If you want to discontinue using Windows 10 in S mode, follow the instructions to return to your previous installation of Windows 10. If you already had Windows 10 Pro or Windows 10 Pro Education on the device you are testing on, you should be able to move to Windows 10 Pro or Windows 10 Pro Education at no charge with the instructions in this document. Otherwise, there may be a cost to acquire a Windows 10 Pro license in the Store. For help with activation issues, click on the appropriate link below for support options. * For Volume Licensing Agreement or Shape the Future program customers, go to the [Microsoft Commercial Support](https://support.microsoft.com/gp/commercialsupport) website and select the country/region in which you are seeking commercial support to contact our commercial support team. * If you do not have a Volume Licensing Agreement, go to the [Microsoft Support](https://support.microsoft.com/en-us/contactus/) website and choose a support option. -

    1 Internet access fees may apply.
    2 Devices must be configured for educational use by applying **[SetEduPolicies](https://docs.microsoft.com/en-us/education/windows/configure-windows-for-education#setedupolicies)** using the Set up School PCs app.

    + +
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index 7cd7884f9b..c4b90aee80 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -1,314 +1,254 @@ --- title: Use Set up School PCs app -description: Learn how the Set up School PCs app works and how to use it. +description: Learn how to use the Set up School PCs app and apply the provisioning package. keywords: shared cart, shared PC, school, Set up School PCs, overview, how to use ms.prod: w10 +ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu -ms.localizationpriority: high -author: CelesteDG -ms.author: celested -ms.date: 12/11/2017 +ms.localizationpriority: medium +author: lenewsad +ms.author: lanewsad +ms.date: 08/03/2018 --- -# Use the Set up School PCs app -**Applies to:** +# Use the Set up School PCs app -- Windows 10 +IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings Set up School PCs configures through the MDM. -IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up PCs for students. A student PC set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. +Set up School PCs also: +* Joins each student PC to your organization's Office 365 and Azure Active Directory tenant. +* Enables the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state. +* Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours. +* Locks down the student PC to prevent activity that isn't beneficial to their education. -## What does this app do? 
+This article describes how to get started and provide information about your school in the Set up School PCs app. To learn more about the app's functionality, start with the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md). -Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recommended education settings, using a quick USB setup. This app guides you through the creation of a student PC provisioning package and helps you save it to a USB drive. From there, just plug the USB drive into student PCs running Windows 10 Creators Update (version 1703). It automatically: -- Joins each student PC to your organization's Office 365 and Azure Active Directory tenant -- Enrolls each student PC into a mobile device management (MDM) provider, like Intune for Education, if licensed in your tenant. You can manage all the settings Set up School PCs sets later through MDM. -- Removes OEM preinstalled software from each student PC -- Auto-configures and saves a wireless network profile on each student PC -- Gives a friendly and unique name to each student device for future management -- Sets Microsoft-recommended school PC settings, including shared PC mode which provides faster sign-in and automatic account cleanup -- Enables optional guest account for younger students, lost passwords, or visitors -- Enables optional secure testing account -- Enables optional Windows Automatic Redeployment feature to return devices to a fully configured or known IT-approved state -- Locks down the student PC to prevent mischievous activity: - * Prevents students from removing the PC from the school's device management system - * Prevents students from removing the Set up School PCs settings -- Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours -- Customizes the Start layout with Office -- Installs OneDrive for storing cloud-based documents and Sway for creating interactive reports, 
presentations, and more -- Uninstalls apps not specific to education, such as Solitaire -- Prevents students from adding personal Microsoft accounts to the PC +## Requirements +Before you begin, make sure that you, your computer, and your school's network are configured with the following requirements. -You can watch the video to see how to use the Set up School PCs app, or follow the step-by-step guide.
    +* Office 365 and Azure Active Directory +* [Latest Set up School PCs app](https://www.microsoft.com/store/apps/9nblggh4ls40) +* Permission to buy apps in Microsoft Store for Education +* Set up School PCs app has permission to access the Microsoft Store for Education +* A NTFS-formatted USB drive that is at least 1 GB, if not installing Office; and at least 8 GB, if installing Office +* Student PCs must either: + * Be within range of the Wi-Fi network that you configured in the app. + * Have a wired Ethernet connection when you set them up. -> [!VIDEO https://www.youtube.com/embed/2ZLup_-PhkA] +### Configure USB drive for additional space +USB drives are, by default, FAT32-formatted, and are unable to save more than 4 GB of data. If you plan to install several apps, or large apps like Microsoft Office, you'll need more space. To create more space on the USB drive, reformat it to NTFS. +1. Insert the USB drive into your computer. +2. Go to the **Start** > **This PC**. +3. In the **Devices and drives** section, find your USB drive. Right-click to see its options. +4. Select **Format** from the list to bring up the **Format drive name** window. +5. Set **File system** to **NTFS**. +6. Click **Start** to format the drive. -You can watch the descriptive audio version here: [Microsoft Education: Use the Set up School PCs app (DA)](https://www.youtube.com/watch?v=qqe_T2LkGsI) +### Prepare existing PC account for new setup +Apply new packages to factory reset or new PCs. If you apply it to a PC that's already set up, you may lose the accounts and data. -## Tips for success +If a PC has already been set up, and you want to apply a new package, reset the PC to a clean state. -* **Run the same Windows 10 build on the admin device and the student PCs** +To begin, go to the **Settings** app on the appropriate PC. +1. Click **Update & Security** > **Recovery**. +2. In the **Reset this PC** section, click **Get started**. +3. Click **Remove everything**. 
- It's critical that the IT administrator's or technical teacher's device is running the same Windows 10 build as the student PCs that you're provisioning. +You can also go to **Start** > **Power** icon. Hold down the Shift key and click **Restart** to load the Windows boot user experience. From there, follow these steps: +1. Click **Troubleshoot** and then choose **Reset this PC**. +2. Select **Remove everything**. +3. If the option appears, select **Only the drive where Windows is installed**. +4. Click **Just remove my files**. +5. Click **Reset**. -* **Ensure that the student PCs meet the minimum OS requirements for the version of Set up School PCs** +## Recommendations +This section offers recommendations to prepare you for the best possible setup experience. +### Run the same Windows 10 build on the admin device and the student PCs +We recommend you run the IT administrator or technical teacher's device on the same Windows 10 build as the student PCs. - Check the minimum OS requirements for the Set up School PCs app in the **System Requirements > OS** section of the app's description on the Microsoft Store. For example, the latest version of Set up School PCs requires Windows 10 versions with build 15063.0 or higher. Do not use the app to provision student PCs with Windows 10, version 1607 (build 14393) images. - - We recommend using the latest Set up School PCs app along with the latest Windows 10 images on the student PCs that you're provisioning. +### Student PCs should meet OS requirements for the app +Check the OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows 10 images on the student PCs. -* **Run the app at work** +To check the app's OS requirements, go to the Microsoft Store and locate the Set up School PCs app. In the app's description, go to **System Requirements > OS**. 
- For the best results, run the Set up School PCs app on your work device connected to your school's network. That way the app can gather accurate information about your wireless networks and cloud subscriptions. +### Use app on a PC that is connected to your school's network +We recommend that you run the Set up School PCs app on a computer that's connected to your school's network. That way the app can gather accurate information about your school's wireless networks and cloud subscriptions. If it's not connected, you'll need to enter the information manually. - > [!NOTE] - > Don't use the **Set up Schools PCs** app for PCs that must connect to enterprise networks or to open Wi-Fi networks that require the user to accept Terms of Use. + > [!NOTE] + > Don't use the **Set up Schools PCs** app for PCs that must connect to: + >* Enterprise networks that require the user to accept Terms of Use. + >* Open Wi-Fi networks that require the user to accept Terms of Use. -* **Network tips** - * You cannot use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. You can only connect to an open network, or one with a basic password. - * If you need to set up a lot of devices over Wi-Fi, make sure that your network configuration can support it. - - We recommend configuring your DHCP so at least 200 IP addresses are available for the devices you are setting up. Configure your IP addresses to expire after a short time (about 30 minutes). This ensures that you can set up many devices simultaneously, and IP addresses will free up quickly so you can continue to set up devices without hitting network issues. +### Run app on an open network or network that requires a basic password +Don't use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. If you need to set up many devices over Wi-Fi, make sure that your network configuration can support it. 
-* **Apply to new student PCs** - * The provisioning package that the Set up School PCs app creates should be used on new PCs that haven't been set up for accounts yet. If you apply the provisioning package to a student PC that has already been set up, existing accounts and data might be lost. - - > [!WARNING] - > Only use the provisioning package on PCs that you want to configure and lock down for students. After you apply the provisioning package to a student PC, the PC must be reset to remove the settings. +We recommend that you: +* Configure your DHCP so at least 200 IP addresses are available for your devices. Having available IP addresses will allow you to set up many devices simultaneously. +* Configure your IP addresses to expire after a short time--about 30 minutes. IP addresses will free up quickly so you can continue to set up devices without network issues. - * The student PCs must be in range of the Wi-Fi network that you configured in Set up School PCs or have a wired Ethernet connection when you set them up. Otherwise, setup will fail. - * If the PC has already been set up and you want to return to the first-run experience to apply a new package, you can reset the PC to get to a clean state and get it back to the first-run experience and ready to provision again. +>> [!WARNING] +> Only use the provisioning package on PCs that you want to configure and lock down for students. After you apply the provisioning package to a student PC, the PC must be reset to remove the settings. - To do this: - - Go to **Settings > Update & security > Recovery**. In the **Reset this PC** section of the **Recovery** page, click **Get started**. - - Or, hit **Shift** + click **Restart** in the **Power** menu to load the Windows boot user experience. From there, follow these steps: - 1. Click **Troubleshoot** and then choose **Reset this PC**. - 2. Select **Remove everything**. - 3. Select **No - remove provisioning packages**. - 4. 
Select **Only the drive where Windows is installed** (this may not always show up). - 5. Click **Just remove my files**. - 6. Click **Reset**. +### Use an additional USB drive +To set up more than one PC at the same time, save the provisioning package to additional USB drives. Then plug the USBs in at the same time during setup. -* **Use an NTFS-formatted USB key** +### Limit changes to school-optimized settings - If you're planning to install several apps, the Set up School PCs package may exceed 4 GB. Check if your USB drive format is FAT32. If it is, you won't be able to save more than 4 GB of data on the drive. To work around this, reformat the USB drive to use the NTFS format. To do this: +We strongly recommend that you avoid changing preset policies. Changes can slow down setup, performance, and the time it takes to sign in. - 1. Insert the USB key into your computer. - 2. Go to the Start menu and type **This PC** and then select the **This PC (Desktop app)** from the search results. - 3. In the **Devices and drivers** section, find the USB drive, select and then right-click to bring up options. - 4. Select **Format** from the list to bring up the **Format ** window. - 5. Set **File system** to **NTFS** and then click **Start** to format the drive. +## Create the provisioning package -* **Use more than one USB key** +The **Set up School PCs** app guides you through the configuration choices for the student PCs. - If you are setting up multiple PCs, you can set them up at the same time. Just save the provisioning package to another USB drive. Create two keys and you can run it on two PCs at once, and so on. - -* **Keep it clean** - - We strongly recommend that IT avoid changes to policies unless absolutely necessary, as any changes can impair performance and sign-in time. Get more information at [Set up School PCs app technical reference](set-up-school-pcs-technical.md). 
- -* **Get more info** - - Learn more about what Set up School PCs does, including provisioning details, in [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md). - -## Prerequisites - -- [Download the latest Set up School PCs app from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4ls40). - - The app supports these languages: Chinese (Simplified), Chinese (Traditional), Danish, Dutch, English (United Kingdom), English (United States), French, German, Italian, Japanese, Korean, Norwegian, Polish, Portuguese (Brazil), Russian, Spanish (Spain), Spanish (Mexico), Swedish, and Turkish. - -- Install the app on your work PC and make sure you're connected to your school's network. -- You must have Office 365 and Azure Active Directory. -- You must have the Microsoft Store for Education configured. -- You must be a global admin in the Microsoft Store for Education. -- It's best if you sign up for and [configure Intune for Education](../get-started/use-intune-for-education.md) before using the Set up School PCs app. -- Have a USB drive, 1 GB or larger, to save the provisioning package. We recommend an 8 GB or larger USB drive if you're installing Office. -- Check the default file system format for your USB drive. You may need to set this to NTFS to save a provisioning package that's 4 GB or larger. - -## Set up School PCs step-by-step - -### Create the provisioning package - -The **Set up School PCs** app guides you through the configuration choices for the student PCs. - -1. Launch the Set up School PCs app. - - **Figure 1** - Launch the Set up School PCs app - - ![Launch the Set up School PCs app](images/suspc_getstarted_050817.png) - -2. Click **Get started**. -3. 
To sign in to your school's Office 365 account, in the **First step: Let's get you signed in** page: - - To get the best option for setup and enable student PCs to automatically be connected to Office 365, Azure AD, and management services like Intune for Education, click **Sign-in**. - - To complete setup without signing in, click **Skip**. Student PCs won't be connected to your school's cloud services and managing them will be more difficult later. - - If you opt to sign in, follow these steps: - - 1. Choose the account from the list. If you don't see the account, select **Work or school account**, click **Continue**, and enter the account details. - 2. Click **Next** once you've specified the account. - 3. If you added an account, you may be asked to provide the user account and password. You will get a notification to allow the app to access your account. This will give Set up School PCs permission to access Store for Business, read memberships, sign you in and read your profile, and more. - 4. Click **Accept**. - - The account will show up as the account that Set up School PCs will use to connect the school PCs to the cloud. - - **Figure 2** - Verify that the account you selected shows up - - ![Verify that the account you selected shows up](images/suspc_createpackage_signin.png) - - 5. Click **Next**. - -4. To allow the student PCs to automatically connect to your school's wireless network, in the **Select the school's wireless network** page: - 1. Select the school's Wi-Fi network from the list of available wireless networks or manually add a wireless network. - 2. Click **Next** if you added or selected a wireless network, or **Skip** to skip configuring a wireless network. - - If you click **Skip**, you will see the following dialog. - * If you select **Got it**, you will go to the next page without Wi-Fi set up. - * If you select **Add Wi-Fi**, you will go back to the Wi-Fi page to add a wireless network. 
- - **Figure 3** - Only skip Wi-Fi if you have a wired Ethernet connection - - ![Only skip Wi-Fi if you have a wired Ethernet connection](images/suspc_createpackage_skipwifi_modaldialog.png) - -5. To assign a name to the student PCs, in the **Name these devices** page: - 1. Add a short name that Set up School PCs will use as a prefix to identify and easily manage the group of devices, apps, and other settings through your device management client. - - > [!NOTE] - > The name must be five (5) characters or less. Set up School PCs automatically appends `_%SERIAL%` to the prefix that you specify. `_%SERIAL%` ensures that all device names are unique. - - For example, if you add *Math4* as the prefix, the device names will be *Math4* followed by a random string of letters and numbers. - - 2. Click **Next**. - -6. To specify other settings for the student PC, in the **Configure student PC settings** page: - - Select **Remove apps pre-installed by the device manufacturer** to install only the base Windows image. - - > [!NOTE] - > If you select this option, the provisioning process will take longer (about 30 minutes). - - - Select **Allow local storage (not recommended for shared devices)** to let students save files to the **Desktop** and **Documents** folder on the student PC. We don't recommend this option if the device will be part of a shared cart or lab. - - Select **Optimize device for a single student, instead of a shared cart or lab** to optimize the device for use by a single student (1:1). - - Check this option if the device will not be part of a shared cart or lab. - - Set up School PCs will change some account management logic so that it sets the expiration time for an account to 180 days (without requiring sign-in). - - This setting also increases the maximum storage to 100% of the available disk space. 
This prevents the student's account from being erased if the student stores a lot of files or data, or if the student doesn't use the PC over a prolonged period. - - - Select **Let guests sign-in to these PCs** to allow guests to use student PCs without a school account. For example, if the device will be in a library and you want other users (like visiting students or teachers) to be able to use the device, you can select this option. - - If you select this option, this adds a **Guest** account button in the PC's sign-in screen to allow anyone to use the PC. - - - Select **Enable Windows Automatic Redeployment** to reset student PCs from the lock screen any time and apply original settings and device management enrollment (Azure AD and MDM) so they’re ready to use. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Windows Automatic Redeployment through the Set up School PCs app. - - To change the default lock screen background or to use your school's custom lock screen background, click **Browse** to select a new lock screen background. - - **Figure 4** - Configure student PC settings - - ![Configure student PC settings](images/suspc_createpackage_configurestudentpcsettings_121117.png) - - When you're doing configuring the student PC settings, click **Next**. - -7. If you want to set up the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced, configure the settings in the **Set up the Take a Test app** page. Windows will also lock down the student PC so that students can't access anything else while taking the test. - 1. Specify if you want to create a Take a Test button on the sign-in screens of students' PCs. - 2. Check the options whether to allow keyboard text suggestions to appear and to allow teachers to monitor online tests. - 3. Enter the assessment URL. - - You can leave the URL blank so that students can enter one later. 
This enables teachers to use the Take a Test account for daily quizzes or tests by having students manually enter a URL. - - **Figure 5** - Configure the Take a Test app - - ![Configure the Take a Test app](images/suspc_createpackage_takeatestpage_073117.png) - - 3. Click **Next** or **Skip** depending on whether you want to set up Take a Test. - -8. In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. The recommended apps include the following: - * **Office 365 for Windows 10 S (Education Preview)** - * Office 365 for Windows 10 S will only work on student PCs running Windows 10 S. If you try to install this app on other editions of Windows, setup will fail. - * When adding the Office 365 for Windows 10 S to a package, the device you use to run Set up School PCs does not have to be running Windows 10 S. - * **Minecraft: Education Edition** - Free trial - * Popular **STEM and Makerspace apps** - - 1. Select the apps that you would like to provision and then click **Next** when you're done. Apps that you provision on student PCs will be pinned to the Start menu. - 2. Click **Skip** if you don't want to provision any apps. - - **Figure 6** - Select from a set of recommended apps - - ![Select from a set of recommended Microsoft Store apps](images/suspc_createpackage_recommendedapps_073117.png) +### Sign in +1. Open the Set up School PCs app on your PC and click **Get started**. - The set of recommended Microsoft Store for Education apps may vary from what we show here. + ![Launch the Set up School PCs app](images/suspc_getstarted_050817.png) +2. Select how you want to sign in. + a. (Recommended) To enable student PCs to automatically be connect to Office 365, Azure AD, and management services like Intune for Education, click **Sign-in**. Then go to step 3. + b. To complete setup without signing in, click **Skip**. 
Student PCs won't be connected to your school's cloud services and managing them will be more difficult later. Continue to [Wireless network](use-set-up-school-pcs-app.md#Wireless-network). +3. In the new window, select the account you want to use throughout setup. -9. In the **Review package summary** page, make sure that all the settings you configured appear correctly. - 1. If you need to change any of the settings, you can on the sections to go back to that page and make your changes. + ![Sign-in screen showing the option to "Use this account" or use a different "Work or school account."](images/suspc-sign-in-select-1807.png) - **Figure 7** - Review your settings and change them as needed + To add an account not listed: +a. Click **Work or school account** > **Continue**. + b. Type in the account username and click **Next**. + c. You may be asked to verify the user account and password. - ![Review your settings and change them as needed](images/suspc_createpackage_summary_073117.png) +1. Click **Accept** to allow Set up School PCs to access your account throughout setup. +2. When your account name appears on the page, as shown in the image below, click **Next.** - 2. Click **Accept**. + ![Verify that the account you selected shows up](images/suspc-createpackage-signin-1807.png) -10. In the **Insert a USB drive now** page: - 1. Insert a USB drive to save your settings and create a provisioning package on the USB drive. - 2. Set up School PCs will automatically detect the USB drive after it's inserted. Choose the USB drive from the list. - 3. Click **Save** to save the provisioning package to the USB drive. +### Wireless network +Add and save the wireless network profile that you want student PCs to connect to. Only skip Wi-Fi setup if you have an Ethernet connection. 
- **Figure 8** - Select the USB drive and save the provisioning package +Select your school's Wi-Fi network from the list of available wireless networks, or click **Add a wireless network** to manually configure it. Then click **Next.** - ![Select the USB drive and save the provisioning package](images/suspc_savepackage_insertusb.png) + ![Wireless network page with two Wi-Fi networks listed and one selected.](images/suspc-select-wifi-network-1807.png) -11. When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive. +### Device names +Create a short name to add as a prefix to each of the PCs you set up. The name will help you recognize and manage this group of devices in your mobile device manager. The name must be five (5) characters or less. - **Figure 9** - Provisioning package is ready +To make sure all device names are unique, Set up School PCs automatically appends `_%SERIAL%` to the name. For example, if you add *Math4* as the prefix, the device names will appear as *Math4* followed by a random string of letters and numbers. - ![Provisioning package is ready](images/suspc_savepackage_ppkgisready.png) - -12. Follow the instructions in the **Get the student PCs ready** page to start setting up the student PCs. - - **Figure 10** - Line up the student PCs and get them ready for setup - - ![Line up the student PCs and get them ready for setup](images/suspc_runpackage_getpcsready.png) - -13. Click **Next**. -14. In the **Install the package** page, follow the instructions in [Apply the provisioning package to the student PCs](#apply-the-provisioning-package-to-the-student-pcs) to set up the student PCs. - - Select **Create new package** if you need to create a new provisioning package. Otherwise, you can remove the USB drive if you're completely done creating the package. 
- - **Figure 11** - Install the provisioning package on the student PCs - - ![Install the provisioning package on the student PCs](images/suspc_runpackage_installpackage.png) + !["Name these devices" screen with the device field filled in with example device name, "Grd8."](images/suspc-device-names-1807.png) -### Apply the provisioning package to the student PCs -The provisioning package on your USB drive is named `Set up School PCs.ppkg`. A provisioning package is a method for applying settings to Windows 10 without needing to reimage the device. When Windows 10 refers to *package*, it means your provisioning package, and when it refers to *provisioning*, it means applying the provisioning package to the student PC. +### Settings +Select additional settings to include in the provisioning package. To begin, select the operating system on your student PCs. -> [!NOTE] -> The student PC must contain a new or reset image and the PC must not already have been through first-run setup (OOBE). +![Screenshot of the Current OS version page with the Select OS version menu selected, showing 6 Windows 10 options. All other settings on page are unavailable to select.](images/suspc-current-os-version-1807.png) -**To set up the student PC using the Set up School PCs provisioning package** +Setting selections vary based on the OS version you select. The example screenshot below shows the settings that become available when you select **Windows 10 version 1703**. The option to **Enable Autopilot Reset** is not available for this version of Windows 10. -1. Start with the student PC turned off or with the PC on the first-run setup screen. In Windows 10 Creators Update (version 1703), this first-run setup screen says **Let's start with region. Is this right?**. +![Example screenshot of the Current OS version page, with Windows 10 version 1803 selected. 
4 available settings and 1 unavailable setting are shown, and none are selected.](images/suspc-available-student-settings-1807.png) - If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. +> [!NOTE] +> The [**Time zone** setting](use-set-up-school-pcs-app.md#time-zone), shown in the sidebar of the screenshot below, is not made available to versions of Windows 10 in S mode. If you select a version in S mode, you will not be asked to configure the time zone. - **Figure 12** - The first screen during first-run setup in Windows 10 Creators Update (version 1703) +The following table describes each setting and lists the applicable Windows 10 versions. To find out if a setting is available in your version of Windows 10, look for an *X* in the setting row and in the version column. - ![The first screen to set up a new PC in Windows 10 Creators Update](images/win10_1703_oobe_firstscreen.png) +|Setting |1703|1709|1803|What happens if I select it? |Note| +|---------|---------|---------|---------|---------|---------| +|Remove apps pre-installed by the device manufacturer |X|X|X| Uninstalls apps that came loaded on the computer by the device's manufacturer. |Adds about 30 minutes to the provisioning process.| +|Allow local storage (not recommended for shared devices) |X|X|X| Lets students save files to the Desktop and Documents folder on the Student PC. |Not recommended if the device will be part of a shared cart or lab.| +|Optimize device for a single student, instead of a shared cart or lab |X|X|X|Optimizes the device for use by a single student, rather than many students. |Recommended option only if the device is not shared with other students in the school. Single-optimized accounts are set to expire, and require a signin, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. 
In this case, student accounts aren't deleted unless the account has been inactive for 180 days. | +|Let guests sign in to these PCs |X|X|X|Allows guests to use student PCs without a school account. |Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.| +|Enable Autopilot Reset |Not available|X|X| Lets you remotely reset a student’s PC from the lock screen, apply the device’s original settings, and enroll it in device management (Azure AD and MDM). |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.| +|Lock screen background|X|X|X|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.| -2. Insert the USB drive. Windows will recognize the drive and automatically install the provisioning package. +After you've made your selections, click **Next**. - **Figure 13** - Windows automatically detects the provisioning package and installs it +![Configure student PC settings page showing 5 settings, with two settings selected. Lock screen background image is the default image. Cursor is hovering over the blue Next button.](images/suspc-current-os-version-next-1807.png) - ![Windows automatically detects the provisioning package and installs it](images/suspc_studentpcsetup_installingsetupfile.png) +### Time zone -3. You can remove the USB drive when you see the message that you can remove the removable media. You can then use the USB drive to start provisioning another student PC. +> [!WARNING] +> If you are using the Autounattend.xml file to reimage your school PCs, do not specify a time zone in the file. If you set the time zone in the file *and* in this app, you will encounter an error. 
- **Figure 14** - Remove the USB drive when you see the message that the media can be removed +Choose the time zone where your school's PCs are used. This setting ensures that all PCs are provisioned in the same time zone. When you're done, click **Next**. - ![You can remove the USB drive when you see the message that the media can be removed](images/suspc_setup_removemediamessage.png) +![Choose PC time zone page with the time zone menu expanded to show all time zone selections.](images/suspc-time-zone-1807.png) + +### Take a Test +Set up the Take a Test app to give online quizzes and high-stakes assessments. During assessments, Windows locks down the student PC so that students can't access anything else on the device. +1. Select **Yes** to create a Take a Test button on the sign-in screens of your students' PCs. + + ![Set up Take a Test app page with "Yes" selected to create an app button. Page also has two checkboxes for additional settings and one text field for the assessment URL.](images/suspc-take-a-test-1807.png) + +2. Select from the advanced settings. Available settings inclue: + * Allow keyboard auto-suggestions: Allows app to suggest words as the student types on the PC's keyboard. + * Allow teachers to monitor online tests: Enables screen capture in the Take a Test app. +3. Enter the URL where the test is hosted. When students log in to the Take a Test account, they'll be able to click or enter the link to view the assessment. +4. Click **Next**. + +### Recommended apps +Choose from a list of recommended Microsoft Store apps to install on student PCs. Then click **Next**. After they're assigned, apps are pinned to the student's Start menu. + + ![Add recommended apps screen with 7 icons of recommended apps and selection boxes. Skip button is enabled and Next button is disabled. ](images/suspc-add-recommended-apps-1807.png) + +The following table lists the recommended apps you'll see. 
+ +|App |Note | +|---------|---------| +|Office 365 for Windows 10 in S mode (Education Preview) | Setup is only successful on student PCs that run Windows 10 in S mode. The PC you running the Set up School PCs app is not required to have Windows 10 in S mode. | +|Minecraft: Education Edition | Free trial| +|Other apps fit for the classroom |Select from WeDo 2.0 LEGO®, Arduino IDE, Ohbot, Sesavis Visual, and EV3 Programming| + +If you receive an error and are unable to add the selected apps, click **Skip**. Contact your IT admin to get these apps later. + + +### Summary +1. Review all of the settings for accuracy and completeness. Check carefully. To make changes to a saved package, you have to start over. +2. To make changes now, click any page along the left side of the window. +3. When finished, click **Accept**. + + ![Example image of the Summary screen, showing the user's configurations for Sign-in, Wireless network, Device names, Settings, Time zone, Take a Test. Accept button is available and the page contains three links on the right-hand side to help and support.](images/suspc-createpackage-summary-1807.png) + +### Insert USB +1. Insert a USB drive. The **Save** button will light up when your computer detects the USB. +2. Choose your USB drive from the list and click **Save**. + + ![Insert a USB drive now screen with USB drive selection highlighted. Save button is blue and active.](images/suspc-savepackage-insertusb-1807.png) + +3. When the package is ready, you'll see the filename and package expiration date. You can also click **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and click **Next**. + + ![Your provisioning package is ready screen with package filename and expiration date. 
Shows an active blue, Next button, and a gray Add a USB button.](images/suspc-savepackage-ppkgisready-1807.png) + +## Run package - Get PCs ready +Complete each step on the **Get PCs ready** page to prepare student PCs for set-up. Then click **Next**. -4. If you set up the package to do Azure AD Join, that's it! You're done, and the PC is now ready for students to use. + ![Your provisioning package is ready! screen with 3 steps to get student PCs ready for setup. Save button is active.](images/suspc_runpackage_getpcsready.png) - If you did not set up the package to do Azure AD Join, go through the rest of the Windows device setup experience. +## Run package - Install package on PC -## Related topics +The provisioning package on your USB drive is named SetupSchoolPCs_<*devicename*>(Expires <*expiration date*>.ppkg. A provisioning package applies settings to Windows 10 without reimaging the device. + +When used in context of the Set up School PCs app, the word *package* refers to your provisioning package. The word *provisioning* refers to the act of installing the package on the student PC. This section describes how to apply the settings to a PC in your school. + +> [!IMPORTANT] +> The PC must have a new or reset Windows 10 image and must not already have been through first-run setup (also referred to as OOBE). For instructions about how to reset a computer's image, see [Prepare existing PC account for new setup](use-set-up-school-pcs-app.md#prepare-existing-pc-account-for-new-setup). + +1. Start with the student PC turned off or with the PC on the first-run setup screen. In Windows 10 version 1803, the first-run setup screen reads, **Let's start with region. Is this right?** + + If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. + + ![Example screenshot of the first screen the Windows 10 PC setup for OOBE. 
United States is selected as the region and the Yes button is active.](images/win10_1703_oobe_firstscreen.png) + +2. Insert the USB drive. Windows automatically recognizes and installs the package. + + ![Screen showing that the installation is automatically beginning, with a loading bar showing the status on the installation.](images/suspc_studentpcsetup_installingsetupfile.png) +3. When you receive the message that it's okay to remove the USB drive, remove it from the PC. If there are more PCs to set up, insert the USB drive into the next PC. + + ![Screen with message telling user to remove the USB drive.](images/suspc_setup_removemediamessage.png) + +4. If you didn't set up the package with Azure AD Join, continue the Windows device setup experience. If you did configure the package with Azure AD Join, the computer is ready for use and no further configurations are required. + + If successful, you'll see a setup complete message. The PCs start up on the lock screen, with your school's custom background. Upon first use, students and teachers can connect to your school's network and resources. -[Set up Windows devices for education](set-up-windows-10.md) diff --git a/education/windows/windows-automatic-redeployment.md b/education/windows/windows-automatic-redeployment.md deleted file mode 100644 index 5d64b44037..0000000000 --- a/education/windows/windows-automatic-redeployment.md +++ /dev/null 
@@ -1,110 +0,0 @@ ---- -title: Reset devices with Windows Automatic Redeployment -description: Gives an overview of Windows Automatic Redeployment and how you can enable and use it in your schools. -keywords: Windows Automatic Redeployment, Windows 10, education -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: edu -ms.localizationpriority: high -author: CelesteDG -ms.author: celested -ms.date: 03/08/2018 ---- - -# Reset devices with Windows Automatic Redeployment -**Applies to:** - -- Windows 10, version 1709 - -IT admins or technical teachers can use Windows Automatic Redeployment to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With Windows Automatic Redeployment, devices are returned to a fully configured or known IT-approved state. - -To enable Windows Automatic Redeployment in Windows 10, version 1709 (Fall Creators Update), you must: - -1. [Enable the policy for the feature](#enable-windows-automatic-redeployment) -2. [Trigger a reset for each device](#trigger-windows-automatic-redeployment) - -## Enable Windows Automatic Redeployment - -To use Windows Automatic Redeployment, [Windows Recovery Environment (WinRE) must be enabled on the device](#winre). - -**DisableAutomaticReDeploymentCredentials** is a policy that enables or disables the visibility of the credentials for Windows Automatic Redeployment. It is a policy node in the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, this policy is set to 1 (Disable). This ensures that Windows Automatic Redeployment isn't triggered by accident. 
- -You can set the policy using one of these methods: - -- MDM provider - - - Windows Automatic Redeployment in Intune for Education is coming soon. In a future update of Intune for Education, new tenants will automatically have the Windows Automatic Redeployment setting enabled by default on the **All devices** group as part of initial tenant configuration. You will also be able to manage this setting to target different groups in the admin console. - - If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy. If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set. - - For example, in Intune, create a new configuration policy and add an OMA-URI. - - OMA-URI: ./Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials - - Data type: Integer - - Value: 0 - -- Windows Configuration Designer - - You can [use Windows Configuration Designer](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting and create a provisioning package. - -- Set up School PCs app - - Windows Automatic Redeployment in the Set up School PCs app is available in the latest release of the app. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Windows Automatic Redeployment through the Set up School PCs app. You can check the version several ways: - - Reach out to your device manufacturer. - - If you manage your PCs using Intune or Intune for Education, you can check the OS version by checking the **OS version** info for the device. If you are using another MDM provider, check the documentation for the MDM provider to confirm the OS version. 
- - Log into the PCs, go to the **Settings > System > About** page, look in the **Windows specifications** section and confirm **Version** is set to 1709. - - To use the Windows Automatic Redeployment setting in the Set up School PCs app: - * When using [Set up School PCs](use-set-up-school-pcs-app.md), in the **Configure student PC settings** screen, select **Enable Windows 10 Automatic Redeployment** among the list of settings for the student PC as shown in the following example: - - ![Configure student PC settings in Set up School PCs](images/suspc_configure_pc2.jpg) - -## Trigger Windows Automatic Redeployment -Windows Automatic Redeployment is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it's done, the device is again ready for use. - -**To trigger Windows Automatic Redeployment** - -1. From the Windows device lock screen, enter the keystroke: **CTRL + ![Windows key](images/windows_glyph.png) + R**. - - ![Enter CTRL+Windows key+R on the Windows lockscreen](images/windows-automatic-redeployment-lockscreen.png) - - This will open up a custom login screen for Windows Automatic Redeployment. The screen serves two purposes: - 1. Confirm/verify that the end user has the right to trigger Windows Automatic Redeployment - 2. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process. - - ![Custom login screen for Windows Automatic Redeployment](images/windows-automatic-redeployment-customlogin.png) - -2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Windows Automatic Redeployment. - - Once Windows Automatic Redeployment is triggered, the reset process starts. - - After reset, the device: - - Sets the region, language, and keyboard. - - Connects to Wi-Fi. 
- - If you provided a provisioning package when Windows Automatic Redeployment is triggered, the system will apply this new provisioning package. Otherwise, the system will re-apply the original provisioning package on the device. - - Is returned to a known good managed state, connected to Azure AD and MDM. - - ![Notification that provisioning is complete](images/windows-automatic-redeployment-provisioningcomplete.png) - - Once provisioning is complete, the device is again ready for use. - - -## Troubleshoot Windows Automatic Redeployment - -Windows Automatic Redeployment will fail when the [Windows Recovery Environment (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is not enabled on the device. You will see `Error code: ERROR_NOT_SUPPORTED (0x80070032)`. - -To make sure WinRE is enabled, use the [REAgentC.exe tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command: - -``` -reagentc /enable -``` - -If Windows Automatic Reployment fails after enabling WinRE, or if you are unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance. - -## Related topics - -[Set up Windows devices for education](set-up-windows-10.md) - - - - - diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index d928e1835a..0c32462f68 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md 
@@ -3,10 +3,11 @@ title: Windows 10 editions for education customers
 description: Provides an overview of the two Windows 10 editions that are designed for the needs of K-12 institutions.
 keywords: Windows 10 Pro Education, Windows 10 Education, Windows 10 editions, education customers
 ms.prod: w10
+ms.technology: Windows
 ms.mktglfcycl: plan
 ms.sitesec: library
 ms.pagetype: edu
-ms.localizationpriority: high
+ms.localizationpriority: medium
 author: CelesteDG
 ms.author: celested
 ms.date: 10/13/2017
@@ -61,7 +62,7 @@ Customers who deploy Windows 10 Enterprise are able to configure the product to
 For any other questions, contact [Microsoft Customer Service and Support](https://support.microsoft.com/en-us).
 ## Related topics
-* [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md)
+* [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md)
 * [Windows deployment for education](http://aka.ms/edudeploy)
 * [Windows 10 upgrade paths](https://go.microsoft.com/fwlink/?LinkId=822787)
 * [Volume Activation for Windows 10](https://go.microsoft.com/fwlink/?LinkId=822788)
diff --git a/mdop/agpm/use-a-test-environment.md b/mdop/agpm/use-a-test-environment.md
index c9543a0a0c..a7ebad6170 100644
--- a/mdop/agpm/use-a-test-environment.md
+++ b/mdop/agpm/use-a-test-environment.md
@@ -20,7 +20,7 @@ If you use a testing organizational unit (OU) to test Group Policy objects (GPOs
 1. While you have the GPO checked out for editing, in the **Group Policy Management Console**, click **Group Policy Objects** in the forest and domain in which you are managing GPOs.
-2. Click the checked out copy of the GPO to be tested. The name will be preceded with **\[Checked Out\]**. (If it is not listed, click **Action**, then **Refresh**. Sort the names alphabetically, and **\[Checked Out\]** GPOs will typically appear at the top of the list.)
+2. Click the checked out copy of the GPO to be tested. The name will be preceded with **\[AGPM\]**. (If it is not listed, click **Action**, then **Refresh**. Sort the names alphabetically, and **\[AGPM\]** GPOs will typically appear at the top of the list.)
 3. Drag and drop the GPO to the test OU.
diff --git a/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md b/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md
index 25df0da425..5dec2b8fb8 100644
--- a/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md
+++ b/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md
@@ -28,7 +28,7 @@ The Application Virtualization (App-V) Desktop Client requires no additional pro
 ### Hardware Requirements
-The hardware requirements requirements are applicable to all versions.
+The hardware requirements are applicable to all versions.
 - Processor—See recommended system requirements for the operating system you are using.
@@ -177,7 +177,7 @@ The Application Virtualization (App-V) Client for Remote Desktop Services requir
 ### Hardware Requirements
-The hardware requirements requirements are applicable to all versions.
+The hardware requirements are applicable to all versions.
 - Processor—See recommended system requirements for the operating system you are using.
diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-50-server-using-a-script.md b/mdop/appv-v5/how-to-deploy-the-app-v-50-server-using-a-script.md index 432f95693e..403b4c37a9 100644 --- a/mdop/appv-v5/how-to-deploy-the-app-v-50-server-using-a-script.md +++ b/mdop/appv-v5/how-to-deploy-the-app-v-50-server-using-a-script.md @@ -7,7 +7,7 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 06/16/2016 +ms.date: 06/15/2018 --- @@ -16,18 +16,17 @@ ms.date: 06/16/2016 In order to complete the **appv\_server\_setup.exe** Server setup successfully using the command line, you must specify and combine multiple parameters. -**To Install the App-V 5.0 server using a script** +Use the following tables for more information about installing the App-V 5.0 server using the command line. -- Use the following tables for more information about installing the App-V 5.0 server using the command line. +>[!NOTE]   +>The information in the following tables can also be accessed using the command line by typing the following command: +>``` +> appv\_server\_setup.exe /? +>``` - **Note**   - The information in the following tables can also be accessed using the command line by typing the following command: **appv\_server\_setup.exe /?**. +## Common parameters and Examples -   - - **Common parameters and Examples** - - +
    @@ -67,10 +66,8 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
    -   - - +
    @@ -109,11 +106,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u

    /EXISTING_MANAGEMENT_DB_NAME =”AppVManagement”

    -
    +   -   - - +
    @@ -153,10 +148,8 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
    - -   - - +   +
    @@ -191,9 +184,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
    -   - - +
    @@ -228,9 +219,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
    -   - - +
    @@ -255,9 +244,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
    -   - - +
    @@ -298,9 +285,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
    -   - - +
    @@ -339,9 +324,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
    -   - - +
    @@ -380,9 +363,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
    -   - - +
    @@ -417,9 +398,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
    -   - - +
    @@ -454,13 +433,11 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
    -   +## Parameter Definitions - **Parameter Definitions** +### General Parameters - **General Parameters** - - +
    @@ -503,11 +480,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
    -   +### Management Server Installation Parameters - **Management Server Installation Parameters** - - +
    @@ -538,11 +513,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
    -   +### Parameters for the Management Server Database - **Parameters for the Management Server Database** - - +
    @@ -585,11 +558,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
    -   +### Parameters for Installing Publishing Server - **Parameters for Installing Publishing Server** - - +
    @@ -620,11 +591,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
    -   +### Parameters for Reporting Server - **Parameters for Reporting Server** - - +
    @@ -653,9 +622,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u   - **Parameters for using an Existing Reporting Server Database** +### Parameters for using an Existing Reporting Server Database -
    +
    @@ -690,11 +659,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
    -   +### Parameters for installing Reporting Server Database - **Parameters for installing Reporting Server Database** - - +
    @@ -733,11 +700,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
    -   +### Parameters for using an existing Management Server Database - **Parameters for using an existing Management Server Database** - - +
    @@ -770,15 +735,13 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u - - -

    Specifies the name of the existing management database that should be used. Example usage: /EXISITING_MANAGEMENT_DB_NAME=”AppVMgmtDB”. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.

    Got a suggestion for App-V? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). Got an App-V issue? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).

    - -   + + + +   ## Related topics - [Deploying the App-V 5.0 Server](deploying-the-app-v-50-server.md)   diff --git a/mdop/index.md b/mdop/index.md index 2eabdc2716..ef4167770e 100644 --- a/mdop/index.md +++ b/mdop/index.md @@ -7,7 +7,7 @@ ms.pagetype: mdop ms.mktglfcycl: manage ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 07/24/2018 --- # MDOP Information Experience @@ -36,14 +36,14 @@ The following table provides links to the product documentation for the MDOP pro

    AGPM 4.0 - Windows Vista SP1, Windows 7, Windows Server 2008, Windows Server 2008 R2

    AGPM 3.0- Windows Vista SP1, Windows Server 2008

    AGPM 2.5 - Windows Vista, Windows Server 2003

    -

    [Overview of Microsoft Advanced Group Policy Management](https://go.microsoft.com/fwlink/p/?LinkId=232980)(https://go.microsoft.com/fwlink/p/?LinkId=232980)

    -

    [AGPM 4.0 SP3](https://technet.microsoft.com/library/mt346468.aspx) (https://technet.microsoft.com/library/mt346468.aspx)

    -

    [AGPM 4.0 SP2](https://go.microsoft.com/fwlink/p/?LinkId=325035) (https://go.microsoft.com/fwlink/p/?LinkId=325035)

    +

    [Overview of Microsoft Advanced Group Policy Management](agpm/index.md)

    +

    [AGPM 4.0 SP3](agpm/whats-new-in-agpm-40-sp3.md)

    +

    [AGPM 4.0 SP2](agpm/whats-new-in-agpm-40-sp2.md)

    [AGPM 4.0 SP1](https://go.microsoft.com/fwlink/p/?LinkId=286715) (https://go.microsoft.com/fwlink/p/?LinkId=286715)

    -

    [AGPM 4.0](https://go.microsoft.com/fwlink/p/?LinkId=232964) (https://go.microsoft.com/fwlink/p/?LinkId=232964)

    -

    [AGPM 3.0](https://go.microsoft.com/fwlink/p/?LinkId=232967) (https://go.microsoft.com/fwlink/p/?LinkId=232967)

    -

    [AGPM 2.5](https://go.microsoft.com/fwlink/p/?LinkId=232969) (https://go.microsoft.com/fwlink/p/?LinkId=232969)

    -

    [AGPM Whitepapers on the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=232275) (https://go.microsoft.com/fwlink/p/?LinkId=232275)

    +

    [AGPM 4.0](agpm/whats-new-in-agpm-40-sp1.md)

    +

    [AGPM 3.0](agpm/whats-new-in-agpm-30.md)

    +

    [AGPM 2.5](agpm/agpm-25-navengl.md)

    +

    [AGPM Whitepapers on the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=232275)

    Microsoft Application Virtualization (App-V) lets you make applications available to end user computers without installing the applications directly on those computers.

    @@ -57,14 +57,13 @@ The following table provides links to the product documentation for the MDOP pro

    [About Microsoft Application Virtualization 4.6 SP1](appv-v4/about-microsoft-application-virtualization-46-sp1.md)

    [About Microsoft Application Virtualization 4.6](appv-v4/about-microsoft-application-virtualization-46.md)

    [About Microsoft Application Virtualization 4.5](appv-v4/about-microsoft-application-virtualization-45.md)

    -

    [SoftGrid](https://go.microsoft.com/fwlink/p/?LinkId=232981) (https://go.microsoft.com/fwlink/p/?LinkId=232981)

    -

    [App-V Whitepapers on the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=231902) (https://go.microsoft.com/fwlink/p/?LinkId=231902)

    +

    [App-V Whitepapers on the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=231902)

    [App-V 5.0 eBooks](https://go.microsoft.com/fwlink/p/?LinkId=309570) (https://go.microsoft.com/fwlink/p/?LinkId=309570)

    Microsoft BitLocker Administration and Monitoring (MBAM) provides an administrative interface to enterprise-wide BitLocker drive encryption.

    [Microsoft BitLocker Administration and Monitoring 2.5](mbam-v25/index.md)

    -

    [MBAM 2.5 Video Demonstration: Deploying MBAM 2.5](https://go.microsoft.com/fwlink/?LinkId=518206) (https://go.microsoft.com/fwlink/?LinkId=518206)

    +

    [MBAM 2.5 Video Demonstration: Deploying MBAM 2.5](https://go.microsoft.com/fwlink/?LinkId=518206)

    [About MBAM 2.5 SP1](mbam-v25/about-mbam-25-sp1.md)

    [About MBAM 2.0 SP1](mbam-v2/about-mbam-20-sp1.md)

    [Microsoft BitLocker Administration and Monitoring 2 Administrator's Guide](mbam-v2/index.md)

    @@ -105,7 +104,7 @@ The following table provides links to the product documentation for the MDOP pro

    [Microsoft Enterprise Desktop Virtualization 2.0](medv-v2/index.md)

    [About MED-V 1.0 SP1](medv-v1/about-med-v-10-sp1.md)

    [Microsoft Enterprise Desktop Virtualization 1.0](medv-v1/index.md)

    -

    [MED-V Whitepapers on the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=231903) (https://go.microsoft.com/fwlink/p/?LinkId=231903)

    +

    Microsoft User Experience Virtualization (UE-V) captures settings to apply to computers accessed by the user including desktop computers, laptop computers, and VDI sessions.

    @@ -141,10 +140,6 @@ In addition to the product documentation available online, supplemental product - -

    MDOP Videos

    -

    For a list of available MDOP videos, go to [Microsoft Desktop Optimization Pack Technologies Videos](https://go.microsoft.com/fwlink/p/?LinkId=234275) (https://go.microsoft.com/fwlink/p/?LinkId=234275).

    -

    MDOP Virtual Labs

    For a list of available MDOP virtual labs, go to [Microsoft Desktop Optimization Pack (MDOP) Virtual Labs](https://go.microsoft.com/fwlink/p/?LinkId=234276) (https://go.microsoft.com/fwlink/p/?LinkId=234276).

    @@ -168,9 +163,6 @@ In addition to the product documentation available online, supplemental product MDOP is a suite of products that can help streamline desktop deployment, management, and support across the enterprise. MDOP is available as an additional subscription for Software Assurance customers. -**Evaluate MDOP** -MDOP is also available for test and evaluation to [MSDN](http://msdn.microsoft.com/subscriptions/downloads/default.aspx?PV=42:178) and [TechNet](http://technet.microsoft.com/subscriptions/downloads/default.aspx?PV=42:178) subscribers in accordance with MDSN and TechNet agreements. - **Download MDOP** MDOP subscribers can download the software at the [Microsoft Volume Licensing website (MVLS)](https://go.microsoft.com/fwlink/p/?LinkId=166331). diff --git a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md new file mode 100644 index 0000000000..0fdf152e67 --- /dev/null +++ b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md 
@@ -0,0 +1,28 @@
+---
+title: Applying hotfixes on MBAM 2.5 SP1
+description: Applying hotfixes on MBAM 2.5 SP1
+ms.author: ppriya-msft
+author: intothedarkness
+ms.assetid:
+ms.pagetype: mdop, security
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.prod: w10
+ms.date: 5/30/2018
+---
+
+# Applying hotfixes on MBAM 2.5 SP1
+This topic describes the process for applying the hotfixes for Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1
+
+### Before you begin, download the latest hotfix of Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1
+[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=56126)
+
+#### Steps to update the MBAM Server for existing MBAM environment
+1. Remove MBAM server feature (do this by opening the MBAM Server Configuration Tool, then selecting Remove Features).
+2. Remove MDOP MBAM from Control Panel | Programs and Features.
+3. Install MBAM 2.5 SP1 RTM server components.
+4. Install lastest MBAM 2.5 SP1 hotfix rollup.
+5. Configure MBAM features using MBAM Server Configurator.
+
+#### Steps to install the new MBAM 2.5 SP1 server hotfix
+Refer to the document for [new server installation](deploying-the-mbam-25-server-infrastructure.md).
diff --git a/mdop/mbam-v25/getting-started-with-mbam-25.md b/mdop/mbam-v25/getting-started-with-mbam-25.md
index 3513df82f6..a7ba39d226 100644
--- a/mdop/mbam-v25/getting-started-with-mbam-25.md
+++ b/mdop/mbam-v25/getting-started-with-mbam-25.md
@@ -20,8 +20,6 @@ See the following resources for additional MBAM documentation:
 - [Microsoft BitLocker Administration and Monitoring Deployment Guide](https://go.microsoft.com/fwlink/?LinkId=396653)
-- [Microsoft Training Overview](https://go.microsoft.com/fwlink/p/?LinkId=80347)
-
 Before you deploy MBAM to a production environment, we recommend that you validate your deployment plan in a test environment.
 ## Getting started with MBAM 2.5
diff --git a/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md b/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md
index ddeb99133d..2a97dc6cbb 100644
--- a/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md
+++ b/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md
@@ -7,20 +7,25 @@ ms.pagetype: mdop, security
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.prod: w10
-ms.date: 06/16/2016
+ms.date: 06/15/2018
 ---
-
 # How to Move the MBAM 2.5 Databases
-
-Use these procedures to move the following databases from one computer to another, that is, to move the databases from Server A to Server B:
+Use these procedures to move the following databases from one computer to another; from Server A to Server B, for example:
 - Compliance and Audit Database
 - Recovery Database
-If you are moving multiple features, move them in the following order:
+>[!NOTE]
+>It is important that the databases be restored to Machine B PRIOR to running the MBAM Configuration Wizard to update/configure them.
+
+If the databases are NOT present, the Configuration Wizard creates NEW, empty, databases. When your existing databases are then restored, this process will break the MBAM configuration.
+
+Restore the databases FIRST, then run the MBAM Configuration Wizard, choose the database option, and the Configuration Wizard will “connect” to the databases you restored; upgrading them if needed as part of the process.
+
+**If you are moving multiple features, move them in the following order:**
 1. Recovery Database
@@ -32,13 +37,10 @@ If you are moving multiple features, move them in the following order: 5. Self-Service Portal -**Note**   -To run the example Windows PowerShell scripts provided in this topic, you must update the Windows PowerShell execution policy to enable scripts to be run. See [Running Windows PowerShell Scripts](http://technet.microsoft.com/library/ee176949.aspx) for instructions. - -  - -## Moving the Recovery Database +>[!Note] +>To run the example Windows PowerShell scripts provided in this topic, you must update the Windows PowerShell execution policy to enable scripts to be run. See [Running Windows PowerShell Scripts](http://technet.microsoft.com/library/ee176949.aspx) for instructions. +## Move the Recovery Database The high-level steps for moving the Recovery Database are: 
@@ -46,473 +48,452 @@ The high-level steps for moving the Recovery Database are: 2. Back up the Recovery Database on Server A -3. Install MBAM Server software and run the MBAM Server Configuration wizard on Server B +3. Move the Recovery Database from Server A to Server B -4. Move the Recovery Database from Server A to Server B +4. Restore the Recovery Database on Server B -5. Restore the Recovery Database on Server B +5. Configure access to the Database on Server B and update connection data -6. Configure access to the Database on Server B and update connection data +6. Install MBAM Server software and run the MBAM Server Configuration wizard on Server B 7. Resume the instance of the Administration and Monitoring Website -**How to move the Recovery Database** +### How to move the Recovery Database -1. **Stop all instances of the MBAM Administration and Monitoring Website** +**Stop all instances of the MBAM Administration and Monitoring Website.** On each server that is running the MBAM Administration and Monitoring Server Website, use the Internet Information Services (IIS) Manager console to stop the Administration and Monitoring Website. - - On each server that is running the MBAM Administration and Monitoring Server Website, use the Internet Information Services (IIS) Manager console to stop the Administration and Monitoring Website. +To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following: - To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following: +```powershell +Stop-Website "Microsoft BitLocker Administration and Monitoring" - ``` syntax - PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring" - ``` +``` - **Note**   - To run this command, you must add the Internet Information Services (IIS) module for Windows PowerShell to the current instance of Windows PowerShell. 
+>[!NOTE] +>To run this command, you must add the Internet Information Services (IIS) module for Windows PowerShell to the current instance of Windows PowerShell. -   +### Back up the Recovery Database on Server A -2. **Install MBAM Server software and run the MBAM Server Configuration wizard on Server B** +1. Use the **Back Up** task in SQL Server Management Studio to back up the Recovery Database on Server A. By default, the database name is **MBAM Recovery Database**. - 1. Install the MBAM 2.5 Server software on Server B. For instructions, see [Installing the MBAM 2.5 Server Software](installing-the-mbam-25-server-software.md). +2. To automate this procedure, create a SQL file (.sql) that contains the following SQL script, and change the MBAM Recovery Database to use the full recovery mode: - 2. On Server B, start the MBAM Server Configuration wizard, click **Add New Features**, and then select only the **Recovery Database** feature. + ``` + USE master; + + GO + + ALTER DATABASE "MBAM Recovery and Hardware" + + SET RECOVERY FULL; + + GO + + -- Create MBAM Recovery Database Data and MBAM Recovery logical backup devices. + + USE master + + GO + + EXEC sp_addumpdevice 'disk', 'MBAM Recovery and Hardware Database Data Device', + + 'Z:\MBAM Recovery Database Data.bak'; + + GO + + -- Back up the full MBAM Recovery Database. + + BACKUP DATABASE [MBAM Recovery and Hardware] TO [MBAM Recovery and Hardware Database Data Device]; + + GO + + BACKUP CERTIFICATE [MBAM Recovery Encryption Certificate] + + TO FILE = 'Z:\SQLServerInstanceCertificateFile' + + WITH PRIVATE KEY + + ( + + FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey', + + ENCRYPTION BY PASSWORD = '$PASSWORD$' + + ); + + GO + ``` - Alternatively, you can use the **Enable-MbamDatabase** Windows PowerShell cmdlet to configure the Recovery Database. +3. 
Use the following value to replace the values in the code example with values that match your environment: - For instructions on how to configure the databases, see [How to Configure the MBAM 2.5 Databases](how-to-configure-the-mbam-25-databases.md). + **$PASSWORD$** - password that you use to encrypt the Private Key file. -3. **Back up the Recovery Database on Server A** +4. In Windows PowerShell, run the script that is stored in the file and similar to the following: - 1. Use the **Back Up** task in SQL Server Management Studio to back up the Recovery Database on Server A. By default, the database name is **MBAM Recovery Database**. + ```powershell + Invoke-Sqlcmd -InputFile + 'Z:\BackupMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ + ``` +5. Use the following value to replace the values in the code example with values that match your environment: - To automate this procedure, create a SQL file (.sql) that contains the following SQL script, and change the MBAM Recovery Database to use the full recovery mode: + **$SERVERNAME$\$SQLINSTANCENAME$** - server name and instance from which the Recovery Database will be backed up. - ``` syntax - USE master; - GO - ALTER DATABASE "MBAM Recovery and Hardware" - SET RECOVERY FULL; - GO - -- Create MBAM Recovery Database Data and MBAM Recovery logical backup devices. - USE master - GO - EXEC sp_addumpdevice 'disk', 'MBAM Recovery and Hardware Database Data Device', - 'Z:\MBAM Recovery Database Data.bak'; - GO - -- Back up the full MBAM Recovery Database. 
- BACKUP DATABASE [MBAM Recovery and Hardware] TO [MBAM Recovery and Hardware Database Data Device]; - GO - BACKUP CERTIFICATE [MBAM Recovery Encryption Certificate] - TO FILE = 'Z:\SQLServerInstanceCertificateFile' - WITH PRIVATE KEY - ( - FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey', - ENCRYPTION BY PASSWORD = '$PASSWORD$' - ); - GO - ``` +### Move the Recovery Database from Server A to Server B - Use the following value to replace the values in the code example with values that match your environment. +Use Windows Explorer to move the **MBAM Compliance Status Database Data.bak** file from Server A to Server B. - **$PASSWORD$** - password that you will use to encrypt the Private Key file. +To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: - 2. Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following: +```powershell +Copy-Item “Z:\MBAM Recovery Database Data.bak” +\\$SERVERNAME$\$DESTINATIONSHARE$ - ``` syntax - PS C:\> Invoke-Sqlcmd -InputFile 'Z:\BackupMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ - ``` +Copy-Item “Z:\SQLServerInstanceCertificateFile” +\\$SERVERNAME$\$DESTINATIONSHARE$ - Use the following value to replace the values in the code example with values that match your environment: +Copy-Item “Z:\SQLServerInstanceCertificateFilePrivateKey” +\\$SERVERNAME$\$DESTINATIONSHARE$ - **$SERVERNAME$\\$SQLINSTANCENAME$** - server name and instance from which the Recovery Database will be backed up. +``` +Use the information in the following table to replace the values in the code example with values that match your environment. -4. **Move the Recovery Database from Server A to Server B** +| **Parameter** | **Description** | +|----------------------|------------------| +| $SERVERNAME$ | Name of the server to which the files will be copied. 
| +| $DESTINATIONSHARE$ | Name of the share and path to which the files will be copied. | - - Use Windows Explorer to move the **MBAM Compliance Status Database Data.bak** file from Server A to Server B. - To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: +### Restore the Recovery Database on Server B - ``` syntax - PS C:\> Copy-Item “Z:\MBAM Recovery Database Data.bak” \\$SERVERNAME$\$DESTINATIONSHARE$ - PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFile” \\$SERVERNAME$\$DESTINATIONSHARE$ - PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFilePrivateKey” \\$SERVERNAME$\$DESTINATIONSHARE$ - ``` +1. Restore the Recovery Database on Server B by using the **Restore Database** task in SQL Server Management Studio. - Use the information in the following table to replace the values in the code example with values that match your environment. +2. When the previous task finishes, select **From Device**, and then select the database backup file. - - - - - - - - - - - - - - - - - - - - - -
    ParameterDescription

    $SERVERNAME$

    Name of the server to which the files will be copied.

    $DESTINATIONSHARE$

    Name of the share and path to which the files will be copied.

    +3. Use the **Add** command to select the **MBAM Recovery Database Data.bak** file, and click **OK** to complete the restoration process. -   +4. To automate this procedure, create a SQL file (.sql) that contains the following SQL script: -5. **Restore the Recovery Database on Server B** + ``` + -- Restore MBAM Recovery Database. - 1. Restore the Recovery Database on Server B by using the **Restore Database** task in SQL Server Management Studio. + USE master - 2. When the previous task finishes, select **From Device**, and then select the database backup file. + GO - 3. Use the **Add** command to select the **MBAM Recovery Database Data.bak** file, and click **OK** to complete the restoration process. + -- Drop certificate created by MBAM Setup. - To automate this procedure, create a SQL file (.sql) that contains the following SQL script: + DROP CERTIFICATE [MBAM Recovery Encryption Certificate] - ``` syntax - -- Restore MBAM Recovery Database. - USE master - GO - -- Drop certificate created by MBAM Setup. - DROP CERTIFICATE [MBAM Recovery Encryption Certificate] - GO - --Add certificate - CREATE CERTIFICATE [MBAM Recovery Encryption Certificate] - FROM FILE = 'Z: \SQLServerInstanceCertificateFile' - WITH PRIVATE KEY - ( - FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey', - DECRYPTION BY PASSWORD = '$PASSWORD$' - ); - GO - -- Restore the MBAM Recovery Database data and log files. - RESTORE DATABASE [MBAM Recovery and Hardware] - FROM DISK = 'Z:\MBAM Recovery Database Data.bak' - WITH REPLACE - ``` + GO - Use the following value to replace the values in the code example with values that match your environment. + --Add certificate - **$PASSWORD$** - password that you used to encrypt the Private Key file. + CREATE CERTIFICATE [MBAM Recovery Encryption Certificate] - 4. 
Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following: + FROM FILE = 'Z:\SQLServerInstanceCertificateFile' - ``` syntax - PS C:\> Invoke-Sqlcmd -InputFile 'Z:\RestoreMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ - ``` + WITH PRIVATE KEY - Use the following value to replace the values in the code example with values that match your environment. + ( - **$SERVERNAME$\\$SQLINSTANCENAME$** - Server name and instance to which the Recovery Database will be restored. + FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey', -6. **Configure access to the Database on Server B and update connection data** + DECRYPTION BY PASSWORD = '$PASSWORD$' - 1. Verify that the Microsoft SQL Server user login that enables Recovery Database access on the restored database is mapped to the access account that you provided during the configuration process. + ); - If the login is not the same, create a login by using SQL Server Management Studio, and map it to the existing database user. + GO - 2. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to update the connection string information for the MBAM websites. + -- Restore the MBAM Recovery Database data and log files. - 3. Edit the following registry key: **HKLM\\Software\\Microsoft\\MBAM Server\\Web\\RecoveryDBConnectionString** + RESTORE DATABASE [MBAM Recovery and Hardware] - 4. Update the **Data Source** value with the name of the server and instance (for example, $SERVERNAME$\\$SQLINSTANCENAME) to which the Recovery Database was moved. + FROM DISK = 'Z:\MBAM Recovery Database Data.bak' - 5. Update the **Initial Catalog** value with the recovered database name. 
+ WITH REPLACE + ``` - To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following: +5. Use the following value to replace the values in the code example with values that match your environment. - ``` syntax - PS C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web" /v RecoveryDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f - PS C:\> Set-WebConfigurationProperty '/connectionStrings/add[@name="KeyRecoveryConnectionString"]' -PSPath "IIS:\sites\Microsoft Bitlocker Administration and Monitoring\MBAMAdministrationService" -Name "connectionString" -Value “Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and Hardware;Integrated Security=SSPI;” - PS C:\> Set-WebConfigurationProperty '/connectionStrings/add[@name="Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString"]' -PSPath "IIS:\sites\Microsoft Bitlocker Administration and Monitoring\MBAMRecoveryAndHardwareService" -Name "connectionString" -Value "Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and Hardware;Integrated Security=SSPI;” - ``` + **$PASSWORD$** - password that you used to encrypt the Private Key file. - **Note**   - This connection string is shared by all local MBAM web applications. Therefore, it needs to be updated only once per server. +6. In Windows PowerShell, run the script that is stored in the file and similar to the following: -   + ```powershell + Invoke-Sqlcmd -InputFile 'Z:\RestoreMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ + ``` +7. Use the following value to replace the values in the code example with values that match your environment. - Use the following table to replace the values in the code example with values that match your environment. 
+ **$SERVERNAME$\$SQLINSTANCENAME$** - Server name and instance to which the Recovery Database will be restored. - - - - - - - - - - - - - - - - - - - - - -
    ParameterDescription

    $SERVERNAME$\$SQLINSTANCENAME$

    Server name and instance of SQL Server where the Recovery Database is located.

    $DATABASE$

    Name of the Recovery database.

    +### Configure access to the Database on Server B and update connection data -   +1. Verify that the Microsoft SQL Server user login that enables Recovery Database access on the restored database is mapped to the access account that you provided during the configuration process. -7. **Resume the instance of the Administration and Monitoring Website** + >[!NOTE] + >If the login is not the same, create a login by using SQL Server Management Studio, and map it to the existing database user. - 1. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to start the Administration and Monitoring Website. +2. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to update the connection string information for the MBAM websites. - 2. To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: +3. Edit the following registry key: - ``` syntax - PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring" - ``` + **HKLM\\Software\\Microsoft\\MBAM Server\\Web\\RecoveryDBConnectionString** - **Note**   - To run this command, you must add the IIS module for Windows PowerShell to the current instance of Windows PowerShell. +4. Update the **Data Source** value with the name of the server and instance (for example, \$SERVERNAME\$\\\$SQLINSTANCENAME) to which the Recovery Database was moved. -   +5. Update the **Initial Catalog** value with the recovered database name. -## Moving the Compliance and Audit Database +6. 
To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following: + ```powershell + reg add "HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\MBAM Server\\Web" /v + RecoveryDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial + Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f + + Set-WebConfigurationProperty + 'connectionStrings/add[@name="KeyRecoveryConnectionString"]' -PSPath + "IIS:\sites\Microsoft Bitlocker Administration and + Monitoring\MBAMAdministrationService" -Name "connectionString" -Value “Data + Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and + Hardware;Integrated Security=SSPI;” + + Set-WebConfigurationProperty + 'connectionStrings/add[\@name="Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString"]' + -PSPath "IIS:\sites\Microsoft Bitlocker Administration and + Monitoring\MBAMRecoveryAndHardwareService" -Name "connectionString" -Value + "Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery + and Hardware;Integrated Security=SSPI;” + ``` + + >[!Note] + >This connection string is shared by all local MBAM web applications. Therefore, it needs to be updated only once per server. + + +7. Use the following table to replace the values in the code example with values that match your environment. + + |Parameter|Description| + |---------|-----------| + |$SERVERNAME$/\$SQLINSTANCENAME$|Server name and instance of SQL Server where the Recovery Database is located.| + |$DATABASE$|Name of the Recovery database.| + + +### Install MBAM Server software and run the MBAM Server Configuration wizard on Server B + +1. Install the MBAM 2.5 Server software on Server B. For details, see [Installing the MBAM 2.5 Server Software](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/installing-the-mbam-25-server-software). + +2. 
On Server B, start the MBAM Server Configuration wizard, click **Add New Features**, and then select only the **Recovery Database** feature. For details on how to configure the databases, see [How to Configure the MBAM 2.5 Databases](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-configure-the-mbam-25-databases). + + >[!TIP] + >Alternatively, you can use the **Enable-MbamDatabase** Windows PowerShell cmdlet to configure the Recovery Database. + + +### Resume the instance of the Administration and Monitoring Website + +On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to start the Administration and Monitoring Website. + +To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: + +```powershell +Start-Website "Microsoft BitLocker Administration and Monitoring" +``` + +>[!NOTE] +>To run this command, you must add the IIS module for Windows PowerShell to the current instance of Windows PowerShell. + +## Move the Compliance and Audit Database The high-level steps for moving the Compliance and Audit Database are: 1. Stop all instances of the MBAM Administration and Monitoring Website -2. Install MBAM Server software and run the MBAM Server Configuration wizard on Server B +2. Back up the Compliance and Audit Database on Server A -3. Back up the Compliance and Audit Database on Server A +3. Move the Compliance and Audit Database from Server A to Server B -4. Move the Compliance and Audit Database from Server A to Server B +4. Restore the Compliance and Audit Database on Server B -5. Restore the Compliance and Audit Database on Server B +5. Configure access to the Database on Server B and update connection data -6. Configure access to the Database on Server B and update connection data +6. Install MBAM Server software and run the MBAM Server Configuration wizard on + Server B 7. 
Resume the instance of the Administration and Monitoring Website -**How to move the Compliance and Audit Database** +### How to move the Compliance and Audit Database -1. **Stop all instances of the MBAM Administration and Monitoring Website** +**Stop all instances of the MBAM Administration and Monitoring Website.** On each server that is running the MBAM Administration and Monitoring Server Website, use the Internet Information Services (IIS) Manager console to stop the Administration and Monitoring Website. - - On each server that is running the MBAM Administration and Monitoring Server Website, use the Internet Information Services (IIS) Manager console to stop the Administration and Monitoring Website. +To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following: - To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following: +```powershell +Stop-Website "Microsoft BitLocker Administration and Monitoring" - ``` syntax - PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring" - ``` +``` - **Note**   - To run this command, you must add the Internet Information Services (IIS) module for Windows PowerShell to the current instance of Windows PowerShell. +>[!NOTE] +>To run this command, you must add the Internet Information Services (IIS) module for Windows PowerShell to the current instance of Windows PowerShell. -   +### Back up the Compliance and Audit Database on Server A -2. **Install MBAM Server software and run the MBAM Server Configuration wizard on Server B** +1. Use the **Back Up** task in SQL Server Management Studio to back up the Compliance and Audit Database on Server A. By default, the database name is **MBAM Compliance Status Database**. - 1. Install the MBAM 2.5 Server software on Server B. For instructions, see [Installing the MBAM 2.5 Server Software](installing-the-mbam-25-server-software.md). +2. 
To automate this procedure, create a SQL file (.sql) that contains the following SQL script: - 2. On Server B, start the MBAM Server Configuration wizard, click **Add New Features**, and then select only the **Compliance and Audit Database** feature. + ``` + USE master; - Alternatively, you can use the **Enable-MbamDatabase** Windows PowerShell cmdlet to configure the Compliance and Audit Database. + GO - For instructions on how to configure the databases, see [How to Configure the MBAM 2.5 Databases](how-to-configure-the-mbam-25-databases.md). + ALTER DATABASE "MBAM Compliance Status" -3. **Back up the Compliance and Audit Database on Server A** + SET RECOVERY FULL; - 1. Use the **Back Up** task in SQL Server Management Studio to back up the Compliance and Audit Database on Server A. By default, the database name is **MBAM Compliance Status Database**. + GO - To automate this procedure, create a SQL file (.sql) that contains the following SQL script: + -- Create MBAM Compliance Status Data logical backup devices. - ``` syntax - USE master; - GO - ALTER DATABASE "MBAM Compliance Status" - SET RECOVERY FULL; - GO - -- Create MBAM Compliance Status Data logical backup devices. - USE master - GO - EXEC sp_addumpdevice 'disk', 'MBAM Compliance Status Database Data Device', - 'Z: \MBAM Compliance Status Database Data.bak'; - GO - -- Back up the full MBAM Compliance Recovery database. - BACKUP DATABASE [MBAM Compliance Status] TO [MBAM Compliance Status Database Data Device]; - GO - ``` + USE master - 2. 
Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following: + GO - ``` syntax - PS C:\> Invoke-Sqlcmd -InputFile "Z:\BackupMBAMComplianceStatusDatabaseScript.sql" –ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ - ``` + EXEC sp_addumpdevice 'disk', 'MBAM Compliance Status Database Data Device', - Using the following value, replace the values in the code example with values that match your environment: + 'Z: \MBAM Compliance Status Database Data.bak'; - **$SERVERNAME$\\$SQLINSTANCENAME$** - server name and instance from which the Compliance and Audit Database will be backed up. + GO -4. **Move the Compliance and Audit Database from Server A to Server B** + -- Back up the full MBAM Compliance Recovery database. - - Use Windows Explorer to move the **MBAM Compliance Status Database Data.bak** file from Server A to Server B. + BACKUP DATABASE [MBAM Compliance Status] TO [MBAM Compliance Status Database Data Device]; - To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: + GO - ``` syntax - PS C:\> Copy-Item "Z:\MBAM Compliance Status Database Data.bak" \\$SERVERNAME$\$DESTINATIONSHARE$ - ``` + ``` - Using the following table, replace the values in the code example with values that match your environment. +3. Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following: - - - - - - - - - - - - - - - - - - - - - -
    ParameterDescription

    $SERVERNAME$

    Name of the server to which the files will be copied.

    $DESTINATIONSHARE$

    Name of the share and path to which the files will be copied.

    + ```powershell + Invoke-Sqlcmd -InputFile "Z:\BackupMBAMComplianceStatusDatabaseScript.sql" –ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ -   + ``` -5. **Restore the Compliance and Audit Database on Server B** +4. Using the following value, replace the values in the code example with values that match your environment: - 1. Restore the Compliance and Audit Database on Server B by using the **Restore Database** task in SQL Server Management Studio. + **$SERVERNAME$\$SQLINSTANCENAME$** - server name and instance from which the Compliance and Audit Database will be backed up. - 2. When the previous task finishes, select **From Device**, and then select the database backup file. +### Move the Compliance and Audit Database from Server A to Server B** - 3. Use the **Add** command to select the **MBAM Compliance Status Database Data.bak** file, and click **OK** to complete the restoration process. +1. Use Windows Explorer to move the **MBAM Compliance Status Database Data.bak** file from Server A to Server B. - To automate this procedure, create a SQL file (.sql) that contains the following SQL script: +2. To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: - ``` syntax - -- Create MBAM Compliance Status Database Data logical backup devices. - Use master - GO - -- Restore the MBAM Compliance Status database data files. - RESTORE DATABASE [MBAM Compliance Status] - FROM DISK = 'C:\test\MBAM Compliance Status Database Data.bak' - WITH REPLACE - ``` + ```powershell + Copy-Item "Z:\MBAM Compliance Status Database Data.bak" + \\$SERVERNAME$\$DESTINATIONSHARE$ + ``` - 4. Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following: +3. Using the following table, replace the values in the code example with values that match your environment. 
- ``` syntax - PS C:\> Invoke-Sqlcmd -InputFile "Z:\RestoreMBAMComplianceStatusDatabaseScript.sql" -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ - ``` + | **Parameter** | **Description** | + |----------------------|---------------------------------------------------------------| + | $SERVERNAME$ | Name of the server to which the files will be copied. | + | $DESTINATIONSHARE$ | Name of the share and path to which the files will be copied. | + - Using the following value, replace the values in the code example with values that match your environment. +### Restore the Compliance and Audit Database on Server B - **$SERVERNAME$\\$SQLINSTANCENAME$** - Server name and instance to which the Compliance and Audit Database will be restored. +1. Restore the Compliance and Audit Database on Server B by using the **Restore Database** task in SQL Server Management Studio. -6. **Configure access to the Database on Server B and update connection data** +2. When the previous task finishes, select **From Device**, and then select the database backup file. - 1. Verify that the Microsoft SQL Server user login that enables Compliance and Audit Database access on the restored database is mapped to the access account that you provided during the configuration process. +3. Use the **Add** command to select the **MBAM Compliance Status Database Data.bak** file and click **OK** to complete the restoration process. - If the login is not the same, create a login by using SQL Server Management Studio, and map it to the existing database user. +4. To automate this procedure, create a SQL file (.sql) that contains the following SQL script: - 2. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to update the connection string information for the Website. + ``` + -- Create MBAM Compliance Status Database Data logical backup devices. - 3. 
Edit the following registry key: **HKLM\\Software\\Microsoft\\MBAM Server\\Web\\ComplianceDBConnectionString** + Use master - 4. Update the **Data Source** value with the name of the server and instance (for example, $SERVERNAME$\\$SQLINSTANCENAME) to which the Recovery Database was moved. + GO - 5. Update the **Initial Catalog** value with the recovered database name. + -- Restore the MBAM Compliance Status database data files. - To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following: + RESTORE DATABASE [MBAM Compliance Status] - ``` syntax - PS C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web" /v ComplianceDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f - ``` + FROM DISK = 'C:\test\MBAM Compliance Status Database Data.bak' - **Note**   - This connection string is shared by all local MBAM web applications. Therefore, it needs to be updated only once per server. + WITH REPLACE -   + ``` - Using the following table, replace the values in the code example with values that match your environment. +5. In Windows PowerShell, run the script that is stored in the file and similar to the following: - - - - - - - - - - - - - - - - - - - - - -
    ParameterDescription

    $SERVERNAME$\$SQLINSTANCENAME$

    Server name and instance of SQL Server where the Recovery Database is located.

    $DATABASE$

    Name of the recovered database.

    + ```powershell + Invoke-Sqlcmd -InputFile "Z:\RestoreMBAMComplianceStatusDatabaseScript.sql" -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$ -   + ``` -7. **Resume the instance of the Administration and Monitoring Website** +6. Using the following value, replace the values in the code example with values that match your environment. - 1. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to start the Administration and Monitoring Website. + **$SERVERNAME$\$SQLINSTANCENAME$** - Server name and instance to which the Compliance and Audit Database will be restored. - 2. To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: +### Configure access to the Database on Server B and update connection data - ``` syntax - PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring" - ``` +1. Verify that the Microsoft SQL Server user login that enables Compliance and Audit Database access on the restored database is mapped to the access account that you provided during the configuration process. - **Note**   - To run this command, you must add the IIS module for Windows PowerShell to the current instance of Windows PowerShell. + >[!NOTE] + >If the login is not the same, create a login by using SQL Server Management Studio, and map it to the existing database user. -   +2. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to update the connection string information for the Website. +3. Edit the following registry key: + **HKLM\\Software\\Microsoft\\MBAM Server\\Web\\ComplianceDBConnectionString** -## Related topics +4. Update the **Data Source** value with the name of the server and instance (for example, \$SERVERNAME\$\\\$SQLINSTANCENAME) to which the Recovery Database was moved. +5. 
Update the **Initial Catalog** value with the recovered database name. -[How to Configure the MBAM 2.5 Databases](how-to-configure-the-mbam-25-databases.md) +6. To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following: -[Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md) + ```powershell + reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web" /v + ComplianceDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial + Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f -[Moving MBAM 2.5 Features to Another Server](moving-mbam-25-features-to-another-server.md) + ``` + >[!NOTE] + >This connection string is shared by all local MBAM web applications. Therefore, it needs to be updated only once per server. -  -  -## Got a suggestion for MBAM? -- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). -- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). +7. Using the following table, replace the values in the code example with values that match your environment. + |Parameter | Description | + |---------|------------| + |$SERVERNAME$\$SQLINSTANCENAME$ | Server name and instance of SQL Server where the Recovery Database is located.| + |$DATABASE$|Name of the recovered database.| +### Install MBAM Server software and run the MBAM Server Configuration wizard on Server B +1. Install the MBAM 2.5 Server software on Server B. For details, see [Installing the MBAM 2.5 Server Software](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/installing-the-mbam-25-server-software). +2. 
On Server B, start the MBAM Server Configuration wizard, click **Add New Features**, and then select only the **Compliance and Audit Database** feature. For details on how to configure the databases, see [How to Configure the MBAM 2.5 Databases](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-configure-the-mbam-25-databases). + + >[!TIP] + >Alternatively, you can use the **Enable-MbamDatabase** Windows PowerShell cmdlet to configure the Compliance and Audit Database. + + +### Resume the instance of the Administration and Monitoring Website + +On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to start the Administration and Monitoring Website. + +To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: + +```powershell +Start-Website "Microsoft BitLocker Administration and Monitoring" + +``` + +>[!NOTE] +>To run this command, you must add the IIS module for Windows PowerShell to the current instance of Windows PowerShell. diff --git a/mdop/mbam-v25/illustrated-features-of-an-mbam-25-deployment.md b/mdop/mbam-v25/illustrated-features-of-an-mbam-25-deployment.md index cc36387362..81fdf55268 100644 --- a/mdop/mbam-v25/illustrated-features-of-an-mbam-25-deployment.md +++ b/mdop/mbam-v25/illustrated-features-of-an-mbam-25-deployment.md @@ -7,7 +7,7 @@ ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library ms.prod: w10 -ms.date: 06/16/2016 +ms.date: 06/15/2018 --- 
@@ -34,178 +34,61 @@ The following image and table explain the features in an MBAM Stand-alone topolo ![mbab2\-5](images/mbam2-5-standalonecomponents.png) -Feature type -Feature -Description -Database - -Recovery Database - -This database stores recovery data that is collected from MBAM client computers. - -This feature is configured on a server running Windows Server and a supported SQL Server instance. - -Compliance and Audit Database - -This database stores compliance data, which is used primarily for the Reports that SQL Server Reporting Services hosts. - -This feature is configured on a server running Windows Server and a supported SQL Server instance. - -Compliance and Audit Reports - -Reporting Web Service - -This web service enables communication between the Administration and Monitoring Website and the SQL Server instance where reporting data is stored. - -This feature is installed on a server running Windows Server. - -Reporting Website (Administration and Monitoring Website) - -You view Reports from the Administration and Monitoring Website. The Reports provide recovery audit and compliance status data about the client computers in your enterprise. - -This feature is configured on a server running Windows Server. - -SQL Server Reporting Services (SSRS) - -Reports are configured in an SSRS database instance. Reports can be viewed directly from SSRS or from the Administration and Monitoring Website. - -This feature is configured on a server running Windows Server and a supported SQL Server instance that is running SSRS. - -Self-Service Server - -Self-Service Web Service - -This web service is used by the MBAM Client and the Administration and Monitoring Website and Self-Service Portal to communicate to the Recovery Database. - -This feature is installed on a computer running Windows Server. 
+|Feature type|Description|Database| +|-|-|-| +|Recovery Database|This database stores recovery data that is collected from MBAM client computers.|This feature is configured on a server running Windows Server and a supported SQL Server instance.| +|Compliance and Audit Database|This database stores compliance data, which is used primarily for the Reports that SQL Server Reporting Services hosts.|This feature is configured on a server running Windows Server and a supported SQL Server instance.| +|Compliance and Audit Reports||| +|Reporting Web Service|This web service enables communication between the Administration and Monitoring Website and the SQL Server instance where reporting data is stored.|This feature is installed on a server running Windows Server.| +|Reporting Website (Administration and Monitoring Website)|You view Reports from the Administration and Monitoring Website. The Reports provide recovery audit and compliance status data about the client computers in your enterprise.|This feature is configured on a server running Windows Server.| +|SQL Server Reporting Services (SSRS)|Reports are configured in an SSRS database instance. 
Reports can be viewed directly from SSRS or from the Administration and Monitoring Website.|This feature is configured on a server running Windows Server and a supported SQL Server instance that is running SSRS.| +|Self-Service Server||| +|Self-Service Web Service|This web service is used by the MBAM Client and the Administration and Monitoring Website and Self-Service Portal to communicate to the Recovery Database.|This feature is installed on a computer running Windows Server.| +|Self-Service Website (Self-Service Portal)|This website enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password.|This feature is configured on a computer running Windows Server.| +|Administration and Monitoring Server||| +|Administration and Monitoring Web Service|The Monitoring Web Service is used by the MBAM Client and the websites to communicate to the databases.|This feature is installed on a computer running Windows Server.| **Important**   The Self-Service Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1, in which the MBAM Client, the Administration and Monitoring Website, and the Self-Service Portal communicate directly with the Recovery Database. -  - -Self-Service Website (Self-Service Portal) - -This website enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password. - -This feature is configured on a computer running Windows Server. - -Administration and Monitoring Server - -Administration and Monitoring Web Service - -The Monitoring Web Service is used by the MBAM Client and the websites to communicate to the databases. - -This feature is installed on a computer running Windows Server. 
- **Important**   The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM Client and the websites communicate directly with the Recovery Database. - -  - -Administration and Monitoring Website (also known as the Help Desk - -This Website is used by Help Desk users (users with the MBAM Report Users rights) to help end users regain access to their computers when they forget their PIN or password. - -This feature is configured on a computer running Windows Server. -   ## System Center Configuration Manager Integration topology - The following image and table explain the features in the System Center Configuration Manager Integration topology. ![mbam2\-5](images/mbam2-5-cmcomponents.png) -Feature type -Feature -Description -Self-Service Server - -Self-Service Web Service - -This web service is used by the MBAM Client and the Self-Service Portal to communicate to the Recovery Database. - -This feature is installed on a computer running Windows Server. - **Important**   The Self-Service Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1, in which the MBAM Client, the Administration and Monitoring Website, and the Self-Service Portal communicate directly with the Recovery Database. -  - -Self-Service Website - -This website enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password. - -This feature is configured on a computer running Windows Server. - -Administration and Monitoring Server/Recovery Audit Report - -Administration and Monitoring Web Service - -This web service enables communication between the Administration and Monitoring Website and the SQL Server databases where reporting data is stored. - -This feature is installed on a server running Windows Server. 
- **Warning**   The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM Client and the websites communicate directly with the Recovery Database. -  - -Administration and Monitoring Website - -The Recovery Audit report is viewed from the Administration and Monitoring Website. Use the Configuration Manager console to view all other reports, or view reports directly from SQL Server Reporting Services. - -This feature is configured on a server running Windows Server. - -Databases - -Recovery Database - -This database stores recovery data that is collected from MBAM client computers. - -This feature is configured on a server running Windows Server and a supported SQL Server instance. - -Audit Database - -This database stores audit information about recovery attempts and activity. - -This feature is configured on a server running Windows Server and a supported SQL Server instance. - -Configuration Manager Features - -Configuration Manager Management console - -This console is built into Configuration Manager and is used to view reports. - -For viewing reports only, this feature can be installed on any server or client computer. - -Configuration Manager Reports - -Reports show compliance and recovery audit data for client computers in your enterprise. - -The Reports feature is installed on a server running Windows Server and SSRS, and Reports run on a supported SQL Server instance. A reporting services point must be defined in Configuration Manager on the server that is running SSRS. - -SQL Server Reporting Services - -SSRS enables the MBAM Reports. Reports can be viewed directly from SSRS or from the Configuration Manager console. - -SSRS is installed on a server running Windows Server. A reporting services point must be defined in Configuration Manager on the server that is running SSRS. 
- -  - +|Feature type|Description| +|-|-| +|Self-Service Server||| +|Self-Service Web Service|This web service is used by the MBAM Client and the Self-Service Portal to communicate to the Recovery Database.|This feature is installed on a computer running Windows Server.| +|Self-Service Website|This website enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password.|This feature is configured on a computer running Windows Server.| +|Administration and Monitoring Server/Recovery Audit Report||| +|Administration and Monitoring Web Service|This web service enables communication between the Administration and Monitoring Website and the SQL Server databases where reporting data is stored.|This feature is installed on a server running Windows Server.| +|Administration and Monitoring Website|The Recovery Audit report is viewed from the Administration and Monitoring Website. Use the Configuration Manager console to view all other reports, or view reports directly from SQL Server Reporting Services.|This feature is configured on a server running Windows Server.| +|Databases||| +|Recovery Database|This database stores recovery data that is collected from MBAM client computers.|This feature is configured on a server running Windows Server and a supported SQL Server instance.| +|Audit Database|This database stores audit information about recovery attempts and activity.|This feature is configured on a server running Windows Server and a supported SQL Server instance.| +|Configuration Manager Features||| +|Configuration Manager Management console|This console is built into Configuration Manager and is used to view reports.|For viewing reports only, this feature can be installed on any server or client computer.| +|Configuration Manager Reports|Reports show compliance and recovery audit data for client computers in your enterprise.|The Reports feature is installed on a server running Windows 
Server and SSRS, and Reports run on a supported SQL Server instance. A reporting services point must be defined in Configuration Manager on the server that is running SSRS.| +|SQL Server Reporting Services|SSRS enables the MBAM Reports. Reports can be viewed directly from SSRS or from the Configuration Manager console.|SSRS is installed on a server running Windows Server. A reporting services point must be defined in Configuration Manager on the server that is running SSRS.| ## Related topics - [High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md) [Getting Started with MBAM 2.5](getting-started-with-mbam-25.md) -  - -  ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/mbam-v25/index.md b/mdop/mbam-v25/index.md index 2a9e37642f..84fc7c8df0 100644 --- a/mdop/mbam-v25/index.md +++ b/mdop/mbam-v25/index.md @@ -58,6 +58,10 @@ To get the MBAM software, see [How Do I Get MDOP](https://go.microsoft.com/fwlin Get help in choosing a deployment method for MBAM, including step-by-step instructions for each method. +- [Apply Hotfixes on MBAM 2.5 SP1 Server](apply-hotfix-for-mbam-25-sp1.md) + + Guide of how to apply MBAM 2.5 SP1 Server hotfixes + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/mbam-v25/mbam-25-supported-configurations.md b/mdop/mbam-v25/mbam-25-supported-configurations.md index 1c9cdc239c..db4b4232a6 100644 --- a/mdop/mbam-v25/mbam-25-supported-configurations.md +++ b/mdop/mbam-v25/mbam-25-supported-configurations.md 
@@ -284,7 +284,7 @@ MBAM supports the following versions of Configuration Manager. -

    Microsoft System Center Configuration Manager (Current Branch), version 1610

    +

    Microsoft System Center Configuration Manager (Current Branch), versions up to 1806

    64-bit

    @@ -335,11 +335,16 @@ You must install SQL Server with the **SQL\_Latin1\_General\_CP1\_CI\_AS** coll + +

    Microsoft SQL Server 2017

    +

    Standard, Enterprise, or Datacenter

    +

    +

    64-bit

    Microsoft SQL Server 2016

    Standard, Enterprise, or Datacenter

    SP1

    -

    64-bit

    +https://www.microsoft.com/en-us/download/details.aspx?id=54967

    64-bit

    Microsoft SQL Server 2014

    Standard, Enterprise, or Datacenter

    @@ -359,6 +364,8 @@ You must install SQL Server with the **SQL\_Latin1\_General\_CP1\_CI\_AS** coll +**Note** +In order to support SQL 2016 you must install the March 2017 Servicing Release for MDOP https://www.microsoft.com/en-us/download/details.aspx?id=54967 and to support SQL 2017 you must install the July 2018 Servicing Release for MDOP https://www.microsoft.com/en-us/download/details.aspx?id=57157. In general stay current by always using the most recent servicing update as it also includes all bugfixes and new features.   ### SQL Server processor, RAM, and disk space requirements – Stand-alone topology @@ -462,6 +469,12 @@ The following table lists the operating systems that are supported for MBAM Clie + +

    Windows 10 IoT

    +

    Enterprise

    +

    +

    32-bit or 64-bit

    +

    Windows 10

    Enterprise

    @@ -516,6 +529,12 @@ The following table lists the operating systems that are supported for MBAM Grou + +

    Windows 10 IoT

    +

    Enterprise

    +

    +

    32-bit or 64-bit

    +

    Windows 10

    Enterprise

    diff --git a/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md b/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md index 6fb8a41a78..a39802e24b 100644 --- a/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md +++ b/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md @@ -136,10 +136,12 @@ Digging this further with Fiddler – it does look like once we click on Reports **Workaround:** Looking at the site.master code and noticed the X-UA mode was dictated as IE8. As IE8 is WAY past the end of life, and customer is using IE11. Update the setting to the below code. This allows the site to utilize IE11 rendering technologies - + Original setting is: - + + + This is the reason why the issue was not seen with other browsers like Chrome, Firefox etc. diff --git a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md index a838e4c9c7..b183080d0a 100644 --- a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md +++ b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md @@ -7,7 +7,7 @@ ms.pagetype: mdop ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w8 -ms.date: 07/26/2017 +ms.date: 06/15/2018 --- @@ -18,7 +18,6 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa ## MDOP Group Policy templates - **How to download and deploy the MDOP Group Policy templates** 1. Download the latest [MDOP Group Policy templates](https://www.microsoft.com/en-us/download/details.aspx?id=55531) 
@@ -28,17 +27,15 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa **Warning**   Do not extract the templates directly to the Group Policy deployment directory. Multiple technologies and versions are bundled in this file. -   - 3. In the extracted folder, locate the technology-version .admx file. Certain MDOP technologies have multiple sets of Group Policy Objects (GPOs). For example, MBAM includes MBAM Management settings and MBAM User settings. 4. Locate the appropriate .adml file by language-culture (that is, *en-us* for English-United States). 5. Copy the .admx and .adml files to a policy definition folder. Depending on where you store the templates, you can configure Group Policy settings from the local device or from any computer on the domain. - **Local files:** To configure Group Policy settings from the local device, copy template files to the following locations: + - **Local files:** To configure Group Policy settings from the local device, copy template files to the following locations: - +
    @@ -61,11 +58,9 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
    -   + - **Domain central store:** To enable Group Policy settings configuration by a Group Policy administrator from any computer on the domain, copy files to the following locations on the domain controller: - **Domain central store:** To enable Group Policy settings configuration by a Group Policy administrator from any computer on the domain, copy files to the following locations on the domain controller: - - +
    @@ -89,9 +84,7 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
    -   - -6. Edit the Group Policy settings using Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM) to configure Group Policy settings for the MDOP technology. +6. Edit the Group Policy settings using Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM) to configure Group Policy settings for the MDOP technology. ### MDOP Group Policy by technology diff --git a/mdop/uev-v2/whats-new-in-ue-v-21-sp1uevv21-sp1.md b/mdop/uev-v2/whats-new-in-ue-v-21-sp1uevv21-sp1.md index ca1329c6b0..6cb5d4878e 100644 --- a/mdop/uev-v2/whats-new-in-ue-v-21-sp1uevv21-sp1.md +++ b/mdop/uev-v2/whats-new-in-ue-v-21-sp1uevv21-sp1.md @@ -23,7 +23,7 @@ UE-V 2.1 SP1 adds support for Windows 10, in addition to the same software that ### Compatibility with Microsoft Azure -Windows 10 lets enterprise users synchronize Windows app settings and Windows operating system settings to Azure instead of to OneDrive. You can use the Windows 10 enterprise sync functionality together with UE-V on on-premises domain-joined computers only. To enable coexistence between Windows 10 and UE-V, you must disable the following UE-V templates using either PowerShell on each client or Group Policy. +Windows 10 lets enterprise users synchronize Windows app settings and Windows operating system settings to Azure instead of to OneDrive. You can use the Windows 10 enterprise sync functionality together with UE-V for on-premises domain-joined computers only. To enable coexistence between Windows 10 and UE-V, you must disable the following UE-V templates using either PowerShell on each client or Group Policy. In Group Policy, under the Microsoft User Experience Virtualization node, configure these policy settings: diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md index 00362cf711..4aeb7727cb 100644 --- a/smb/cloud-mode-business-setup.md +++ b/smb/cloud-mode-business-setup.md 
@@ -11,6 +11,7 @@ ms.sitesec: library
 ms.pagetype: smb
 author: CelesteDG
 ms.date: 10/30/2017
+ms.localizationpriority: medium
 ---
 # Get started: Deploy and manage a full cloud IT solution for your business
diff --git a/smb/index.md b/smb/index.md
index a74d8f9e0a..3f7bb09bc7 100644
--- a/smb/index.md
+++ b/smb/index.md
@@ -11,6 +11,7 @@ ms.sitesec: library
 ms.pagetype: smb
 author: CelesteDG
 ms.date: 05/01/2017
+ms.localizationpriority: medium
 ---
 # Windows 10 for SMB
diff --git a/store-for-business/TOC.md b/store-for-business/TOC.md
index 5bd846269f..9709bdc21e 100644
--- a/store-for-business/TOC.md
+++ b/store-for-business/TOC.md
@@ -21,7 +21,7 @@
 ### [Manage access to private store](manage-access-to-private-store.md)
 ### [Manage private store settings](manage-private-store-settings.md)
 ### [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md)
-### [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md)
+### [Manage Windows device deployment with Windows Autopilot Deployment](add-profile-to-devices.md)
 ### [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md)
 ### [Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business](manage-mpsa-software-microsoft-store-for-business.md)
 ## [Device Guard signing portal](device-guard-signing-portal.md)
diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md
index 3c59ec92f0..0aa8fe3acc 100644
--- a/store-for-business/acquire-apps-microsoft-store-for-business.md
+++ b/store-for-business/acquire-apps-microsoft-store-for-business.md
@@ -6,8 +6,10 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
-ms.date: 11/01/2017
-ms.localizationpriority: high
+ms.author: TrudyHa
+ms.date: 08/01/2017
+ms.topic: conceptual
+ms.localizationpriority: medium
 ---
 # Acquire apps in Microsoft Store for Business and Education
@@ -41,22 +43,31 @@ There are a couple of things we need to know when you pay for apps. You can add **To manage Allow users to shop setting** 1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com) -2. Click **Manage**, and then click **Settings**. -3. On **Shop**, turn on or turn off **Allow users to shop**. +2. Select **Manage**, and then select **Settings**. +3. On **Shop**, , under **Shopping behavior**, turn on or turn off **Allow users to shop**. ![manage settings to control Basic Purchaser role assignment](images/sfb-allow-shop-setting.png) +## Allow app requests + +People in your org can request license for apps that they need, or that others need. When **All app requests** is turned on, app requests are sent to org admins. Admins for your tenant will receive an email with the request, and can decide about making the purchase. + +**To manage All app requests** +1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com) +2. Select **Manage**, and then select **Settings**. +3. On **Shop**, under **Shopping behavior** turn on or turn off **Allow app requests**. + ## Acquire apps **To acquire an app** 1. Sign in to http://businessstore.microsoft.com -2. Click **Shop**, or use Search to find an app. -3. Click the app you want to purchase. +2. Select **Shop for my group**, or use Search to find an app. +3. Select the app you want to purchase. 4. On the product description page, choose your license type - either online or offline. -5. Free apps will be added to **Products & services**. For apps with a price, you can set the quantity you want to buy. Type the quantity and click **Next**. -6. If you don’t have a payment method saved in **Billing - Payment methods**, we will prompt you for one. -7. Add your credit card or debit card info, and click **Next**. 
Your card info is saved as a payment option on **Billing - Payment methods**. +5. Free apps will be added to **Products & services**. For apps with a price, you can set the quantity you want to buy. Type the quantity and select **Next**. +6. If you don’t have a payment method saved in **Billing & payments**, we will prompt you for one. +7. Add your credit card or debit card info, and select **Next**. Your card info is saved as a payment option on **Billing & payments - Payment methods**. -You’ll also need to have your business address saved on **Billing - Account profile**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://docs.microsoft.com/microsoft-store/update-microsoft-store-for-business-account-settings#organization-tax-information). +You’ll also need to have your business address saved on **My organization - Profile**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://docs.microsoft.com/microsoft-store/update-microsoft-store-for-business-account-settings#organization-tax-information). Microsoft Store adds the app to your inventory. From **Products & services**, you can: - Distribute the app: add to private store, or assign licenses 
@@ -65,12 +76,4 @@ Microsoft Store adds the app to your inventory. From **Products & services**, yo For info on distributing apps, see [Distribute apps to your employees from the Microsoft Store for Business](distribute-apps-to-your-employees-microsoft-store-for-business.md). -For info on offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md). - -## Request apps -People in your org can request additional licenses for apps that are in your organization's private store. When **Allow app requests** is turned on, people in your org can respond to a notification about app license availability. Admins for your tenant will receive an email with the request, and can decide about making the purchase. - -**To manage Allow app requests** -1. Sign in to http://businessstore.microsoft.com -2. Click **Manage**, click **Settings**, and then click **Distribute**. -3. Under **Private store** turn on, or turn off **Allow app requests**. \ No newline at end of file +For info on offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md). \ No newline at end of file diff --git a/store-for-business/add-profile-to-devices.md b/store-for-business/add-profile-to-devices.md index ceac52581f..8c447d9f6a 100644 --- a/store-for-business/add-profile-to-devices.md +++ b/store-for-business/add-profile-to-devices.md @@ -1,6 +1,6 @@ --- -title: Manage Windows device deployment with Windows AutoPilot Deployment -description: Add an AutoPilot profile to devices. AutoPilot profiles control what is included in Windows set up experience for your employees. +title: Manage Windows device deployment with Windows Autopilot Deployment +description: Add an Autopilot profile to devices. Autopilot profiles control what is included in Windows set up experience for your employees. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -8,58 +8,59 @@ ms.pagetype: store author: TrudyHa ms.author: TrudyHa ms.date: 2/9/2018 -ms.localizationpriority: high +ms.topic: conceptual +ms.localizationpriority: medium --- -# Manage Windows device deployment with Windows AutoPilot Deployment +# Manage Windows device deployment with Windows Autopilot Deployment **Applies to** - Windows 10 -Windows AutoPilot simplifies device set up for IT Admins. For an overview of benefits, scenarios, and prerequisites, see [Overview of Windows AutoPilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot). +Windows Autopilot simplifies device set up for IT Admins. For an overview of benefits, scenarios, and prerequisites, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot). -Watch this video to learn more about Windows AutoPilot in Micrsoft Store for Business.
    +Watch this video to learn more about Windows Autopilot in Micrsoft Store for Business.
    > [!video https://www.microsoft.com/en-us/videoplayer/embed/3b30f2c2-a3e2-4778-aa92-f65dbc3ecf54?autoplay=false] -## What is Windows AutoPilot? -In Microsoft Store for Business, you can manage devices for your organization and apply an *AutoPilot deployment profile* to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the AutoPilot deployment profile you applied to the device. +## What is Windows Autopilot? +In Microsoft Store for Business, you can manage devices for your organization and apply an *Autopilot deployment profile* to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. -You can create and apply AutoPilot deployment profiles to these devices. The overall process looks like this. +You can create and apply Autopilot deployment profiles to these devices. The overall process looks like this. -![Block diagram with main steps for using AutoPilot in Microsoft Store for Business: upload device list; group devices (this step is optional); add profile; and apply profile.](images/autopilot-process.png) +![Block diagram with main steps for using Autopilot in Microsoft Store for Business: upload device list; group devices (this step is optional); add profile; and apply profile.](images/autopilot-process.png) -Figure 1 - Windows AutoPilot Deployment Program process +Figure 1 - Windows Autopilot Deployment Program process -AutoPilot deployment profiles have two main parts: default settings that can't be changed, and optional settings that you can include. +Autopilot deployment profiles have two main parts: default settings that can't be changed, and optional settings that you can include. 
-### AutoPilot deployment profiles - default settings -These settings are configured with all AutoPilot deployment profiles: +### Autopilot deployment profiles - default settings +These settings are configured with all Autopilot deployment profiles: - Skip Cortana, OneDrive, and OEM registration setup pages - Automatically setup for work or school - Sign in experience with company or school brand -### AutoPilot deployment profiles - optional settings -These settings are off by default. You can turn them on for your AutoPilot deployment profiles: +### Autopilot deployment profiles - optional settings +These settings are off by default. You can turn them on for your Autopilot deployment profiles: - Skip privacy settings -### Support for AutoPilot profile settings -AutoPilot profile settings are supported beginning with the version of Windows they were introduced in. This table summarizes the settings and what they are supported on. +### Support for Autopilot profile settings +Autopilot profile settings are supported beginning with the version of Windows they were introduced in. This table summarizes the settings and what they are supported on. | Setting | Supported on | | ------- | ------------- | | Deployment default features| Windows 10, version 1703 or later | | Skip privacy settings | Windows 10, version 1703 or later | | Disable local admin account creation on the device | Windows 10, version 1703 or later | -| Skip End User License Agreement (EULA) | Windows 10, version 1709 or later.
    [Learn about Windows AutoPilot EULA dismissal](https://docs.microsoft.com/windows/deployment/Windows-AutoPilot-EULA-note) | +| Skip End User License Agreement (EULA) | Windows 10, version 1709 or later.
    [Learn about Windows Autopilot EULA dismissal](https://docs.microsoft.com/windows/deployment/Windows-Autopilot-EULA-note) | -## Windows AutoPilot deployment profiles in Microsoft Store for Business and Education +## Windows Autopilot deployment profiles in Microsoft Store for Business and Education You can manage new devices in Microsoft Store for Business or Microsoft Store for Education. Devices need to meet these requirements: - Windows 10, version 1703 or later - New devices that have not been through Windows out-of-box experience. -## Add devices and apply AutoPilot deployment profile +## Add devices and apply Autopilot deployment profile To manage devices through Microsoft Store for Business and Education, you'll need a .csv file that contains specific information about the devices. You should be able to get this from your Microsoft account contact, or the store where you purchased the devices. Upload the .csv file to Microsoft Store to add the devices. ### Device information file format 
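Review bot: The rewritten "Watch this video" line in add-profile-to-devices.md still reads `Micrsoft Store for Business`. This commit fixes the same misspelling in distribute-apps-from-your-private-store.md, so the added line should read `Watch this video to learn more about Windows Autopilot in Microsoft Store for Business.` The rename also changed a URL path in the EULA row, from `Windows-AutoPilot-EULA-note` to `Windows-Autopilot-EULA-note`. Whether that target is case-sensitive cannot be told from the diff, so the link is worth checking before merge.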
@@ -72,7 +73,7 @@ Here's a sample device information file: ![Notepad file showing example entries for Column A (Device Serial Number), Column B (Windows Product ID), and Column C (Hardware Hash).](images/msfb-autopilot-csv.png) -When you add devices, you need to add them to an *AutoPilot deployment group*. Use these groups to apply AutoPilot deployment profiles to a group of devices. The first time you add devices to a group, you'll need to create an AutoPilot deployment group. +When you add devices, you need to add them to an *Autopilot deployment group*. Use these groups to apply Autopilot deployment profiles to a group of devices. The first time you add devices to a group, you'll need to create an Autopilot deployment group. > [!NOTE] > You can only add devices to a group when you add devices to **Microsoft Store for Business and Education**. If you decide to reorganize devices into different groups, you'll need to delete them from **Devices** in **Microsoft Store**, and add them again. @@ -81,50 +82,50 @@ When you add devices, you need to add them to an *AutoPilot deployment group*. U 1. Sign in to [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, and then click **Devices**. 3. Click **Add devices**, navigate to the *.csv file and select it. -4. Type a name for a new AutoPilot deployment group, or choose one from the list, and then click **Add**.
    +4. Type a name for a new Autopilot deployment group, or choose one from the list, and then click **Add**.
    If you don't add devices to a group, you can select the individual devices to apply a profile to.
    ![Screenshot of Add devices to a group dialog. You can create a new group, or select a current group.](images/add-devices.png)
    -5. Click the devices or AutoPilot deployment group that you want to manage. You need to select devices before you can apply an AutoPilot deployment profile. You can switch between seeing groups or devices by clicking **View groups** or **View devices**. +5. Click the devices or Autopilot deployment group that you want to manage. You need to select devices before you can apply an Autopilot deployment profile. You can switch between seeing groups or devices by clicking **View groups** or **View devices**. -**Apply AutoPilot deployment profile** -1. When you have devices selected, click **AutoPilot deployment**. -2. Choose the AutoPilot deployment profile to apply to the selected devices. +**Apply Autopilot deployment profile** +1. When you have devices selected, click **Autopilot deployment**. +2. Choose the Autopilot deployment profile to apply to the selected devices. > [!NOTE] - > The first time you use AutoPilot deployment profiles, you'll need to create one. See [Create AutoPilot profile](#create-autopilot-profile). + > The first time you use Autopilot deployment profiles, you'll need to create one. See [Create Autopilot profile](#create-autopilot-profile). 3. Microsoft Store for Business applies the profile to your selected devices, and shows the profile name on **Devices**. -## Manage AutoPilot deployment profiles -You can manage the AutoPilot deployment profiles created in Microsoft Store. You can create a new profile, edit, or delete a profile. +## Manage Autopilot deployment profiles +You can manage the Autopilot deployment profiles created in Microsoft Store. You can create a new profile, edit, or delete a profile. -### Create AutoPilot profile +### Create Autopilot profile 1. Sign in to [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, and then click **Devices**. -3. Click **AutoPilot deployment**, and then click **Create new profile**. +3. 
Click **Autopilot deployment**, and then click **Create new profile**. 4. Name the profile, choose the settings to include, and then click **Create**.
    -The new profile is added to the **AutoPilot deployment** list. +The new profile is added to the **Autopilot deployment** list. -### Edit or delete AutoPilot profile +### Edit or delete Autopilot profile 1. Sign in to [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, and then click **Devices**. -3. Click **AutoPilot deployment**, click **Edit your profiles**, and then choose the profile to edit. +3. Click **Autopilot deployment**, click **Edit your profiles**, and then choose the profile to edit. TBD: art 4. Change settings for the profile, and then click **Save**.
    -or-
    Click **Delete profile** to delete the profile. -## Apply a different AutoPilot deployment profile to devices -After you've applied an AutoPilot deployment profile to a device, if you decide to apply a different profile, you can remove the profile and apply a new profile. +## Apply a different Autopilot deployment profile to devices +After you've applied an Autopilot deployment profile to a device, if you decide to apply a different profile, you can remove the profile and apply a new profile. > [!NOTE] > The new profile will only be applied if the device has not been started, and gone through the out-of-box experience. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device. -## AutoPilot device information file error messages -Here's info on some of the errors you might see while working with AutoPilot deployment profiles in **Microsoft Store for Business and Education**. +## Autopilot device information file error messages +Here's info on some of the errors you might see while working with Autopilot deployment profiles in **Microsoft Store for Business and Education**. | Message Id | Message explanation | | ---------- | ------------------- | 
@@ -135,6 +136,6 @@ Here's info on some of the errors you might see while working with AutoPilot dep | wadp005 | Check your .csv file with your device provider. One of the devices on your list has been claimed by another organization. | | wadp006 | Try that again. Something happened on our end. Waiting a bit might help. | | wadp007 | Check the info for this device in your .csv file. The device is already registered in your organization. | -| wadp008 | The device does not meet AutoPilot Deployment requirements. | +| wadp008 | The device does not meet Autopilot Deployment requirements. | | wadp009 | Check with your device provider for an update .csv file. The current file doesn’t work | | wadp010 | Try that again. Something happened on our end. Waiting a bit might help. | diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md index 74835df001..247ff479fa 100644 --- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md +++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md @@ -7,7 +7,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store, security author: TrudyHa -ms.localizationpriority: high +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium ms.date: 10/17/2017 --- diff --git a/store-for-business/app-inventory-management-microsoft-store-for-business.md b/store-for-business/app-inventory-management-microsoft-store-for-business.md index 2471527f23..b15ad00612 100644 --- a/store-for-business/app-inventory-management-microsoft-store-for-business.md +++ b/store-for-business/app-inventory-management-microsoft-store-for-business.md @@ -8,7 +8,8 @@ ms.sitesec: library ms.pagetype: store author: TrudyHa ms.author: TrudyHa -ms.date: 10/16/2017 +ms.topic: conceptual +ms.date: 06/07/2018 --- # App inventory management for Microsoft Store for Business and Education 
@@ -99,9 +100,10 @@ If you decide that you don't want an app available for employees to install on t **To remove an app from the private store** -1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://businessstore.microsoft.com). -2. Click **Manage**, and then choose **Apps & software**. -3. Find an app, click the ellipses under **Action**, choose **Remove from private store**, and then click **Remove**. +1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://businessstore.microsoft.com). +2. Click **Manage**, and then choose **Products & services**. +3. Find an app, click the ellipses, choose **Remove from private store**, and then click **Remove**. +4. Choose the private store collection, and then under **In collection**, switch to **Off**. The app will still be in your inventory, but your employees will not have access to the app from your private store. @@ -109,7 +111,7 @@ The app will still be in your inventory, but your employees will not have access 1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://businessstore.microsoft.com). 2. Click **Manage**, and then choose **Inventory**. -3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**. +3. Find an app, click the ellipses, and then choose **Assign to people**. 4. Type the email address for the employee that you're assigning the app to, and click **Confirm**. Employees will receive an email with a link that will install the app on their device. Click the link to start the Microsoft Store app, and then click **Install**. Also, in the Microsoft Store app, they can find the app under **My Library**. 
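Review bot: Step 1 of "To remove an app from the private store" is re-added with the Business sign-in link on plain `http://businessstore.microsoft.com`, and its "Microsoft Store for Education" link points at `https://businessstore.microsoft.com`. The sign-in steps in add-profile-to-devices.md use `https://educationstore.microsoft.com` for Education. Since the line is being rewritten anyway, I would make it `[Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com)`. A sign-in link that starts on HTTP presumably depends on a redirect before the session is protected, which is avoidable here. The same step 1 appears as a context line in the following hunk (`-109,7`) and would need the same change.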
diff --git a/store-for-business/apps-in-microsoft-store-for-business.md b/store-for-business/apps-in-microsoft-store-for-business.md index c1dd888a79..3e9934ad89 100644 --- a/store-for-business/apps-in-microsoft-store-for-business.md +++ b/store-for-business/apps-in-microsoft-store-for-business.md @@ -7,7 +7,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.localizationpriority: high +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium ms.date: 10/17/2017 --- diff --git a/store-for-business/assign-apps-to-employees.md b/store-for-business/assign-apps-to-employees.md index 0b7230b467..9fadbfd8e6 100644 --- a/store-for-business/assign-apps-to-employees.md +++ b/store-for-business/assign-apps-to-employees.md @@ -7,7 +7,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.localizationpriority: high +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium ms.date: 10/13/2017 --- diff --git a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md index 9cbc2e2676..de12fe9dbc 100644 --- a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md +++ b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md @@ -7,7 +7,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.localizationpriority: high +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium ms.date: 1/6/2018 --- diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md index 19d5c5bfa6..f63f3ef6f6 100644 --- a/store-for-business/device-guard-signing-portal.md +++ b/store-for-business/device-guard-signing-portal.md 
@@ -7,7 +7,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store, security author: TrudyHa -ms.localizationpriority: high +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium ms.date: 10/17/2017 --- diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md index 2228ac8f3e..1806050398 100644 --- a/store-for-business/distribute-apps-from-your-private-store.md +++ b/store-for-business/distribute-apps-from-your-private-store.md @@ -7,7 +7,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.localizationpriority: high +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium ms.date: 3/19/2018 --- @@ -19,7 +21,7 @@ ms.date: 3/19/2018 - Windows 10 - Windows 10 Mobile -The private store is a feature in Microsoft Store for Business and Education that organizations receive during the signup process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Micrsoft Store app, and is usually named for your company or organization. Only apps with online licenses can be added to the private store. +The private store is a feature in Microsoft Store for Business and Education that organizations receive during the signup process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Microsoft Store app, and is usually named for your company or organization. Only apps with online licenses can be added to the private store. You can make an app available in your private store when you acquire the app, or you can do it later from your inventory. Once the app is in your private store, employees can claim and install the app. 
diff --git a/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md index cab6dfb6e3..ecc09aa00e 100644 --- a/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md +++ b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md @@ -7,7 +7,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.localizationpriority: high +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium ms.date: 10/13/2017 --- diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md index 34e541c6e4..ed8eff5bb0 100644 --- a/store-for-business/distribute-apps-with-management-tool.md +++ b/store-for-business/distribute-apps-with-management-tool.md @@ -7,7 +7,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.localizationpriority: high +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium ms.date: 10/17/2017 --- diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md index 0aacda9288..2f445c4301 100644 --- a/store-for-business/distribute-offline-apps.md +++ b/store-for-business/distribute-offline-apps.md @@ -7,7 +7,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.localizationpriority: high +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium ms.date: 10/17/2017 --- diff --git a/store-for-business/education/TOC.md b/store-for-business/education/TOC.md index 4de95964bc..b97c30604a 100644 --- a/store-for-business/education/TOC.md +++ b/store-for-business/education/TOC.md 
@@ -26,7 +26,7 @@ ### [Manage access to private store](/microsoft-store/manage-access-to-private-store?toc=/microsoft-store/education/toc.json) ### [Manage private store settings](/microsoft-store/manage-private-store-settings?toc=/microsoft-store/education/toc.json) ### [Configure MDM provider](/microsoft-store/configure-mdm-provider-microsoft-store-for-business?toc=/microsoft-store/education/toc.json) -### [Manage Windows device deployment with Windows AutoPilot Deployment](/microsoft-store/add-profile-to-devices?toc=/microsoft-store/education/toc.json) +### [Manage Windows device deployment with Windows Autopilot Deployment](/microsoft-store/add-profile-to-devices?toc=/microsoft-store/education/toc.json) ### [Microsoft Store for Business and Education PowerShell module - preview](/microsoft-store/microsoft-store-for-business-education-powershell-module?toc=/microsoft-store/education/toc.json) ### [Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business](/microsoft-store/manage-mpsa-software-microsoft-store-for-business?toc=/microsoft-store/education/toc.json) ## [Device Guard signing portal](/microsoft-store/device-guard-signing-portal?toc=/microsoft-store/education/toc.json) diff --git a/store-for-business/find-and-acquire-apps-overview.md b/store-for-business/find-and-acquire-apps-overview.md index 99e13fa7c0..d1c2b7f688 100644 --- a/store-for-business/find-and-acquire-apps-overview.md +++ b/store-for-business/find-and-acquire-apps-overview.md @@ -7,7 +7,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.localizationpriority: high +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium ms.date: 10/17/2017 --- diff --git a/store-for-business/images/edu-icon.png b/store-for-business/images/edu-icon.png new file mode 100644 index 0000000000..49009f7085 Binary files /dev/null and b/store-for-business/images/edu-icon.png differ 
diff --git a/store-for-business/index.md b/store-for-business/index.md index 5c2990c742..71a8c271d1 100644 --- a/store-for-business/index.md +++ b/store-for-business/index.md @@ -7,6 +7,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +ms.author: TrudyHa +ms.topic: conceptual ms.localizationpriority: high ms.date: 10/17/2017 --- diff --git a/store-for-business/manage-access-to-private-store.md b/store-for-business/manage-access-to-private-store.md index 9b10d08550..dcf2a8f992 100644 --- a/store-for-business/manage-access-to-private-store.md +++ b/store-for-business/manage-access-to-private-store.md @@ -7,6 +7,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +ms.author: TrudyHa +ms.topic: conceptual ms.date: 10/17/2017 --- @@ -30,7 +32,7 @@ Organizations can use either an MDM policy, or Group Policy to show only their p ## Show private store only using MDM policy -Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports Microsoft Store for Business, the MDM can use the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx). More specifically, the [ApplicationManagement/RequirePrivateStoreOnly](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#ApplicationManagement_RequirePrivateStoreOnly) policy. +Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports Microsoft Store for Business, the MDM can use the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). More specifically, the [ApplicationManagement/RequirePrivateStoreOnly](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#ApplicationManagement_RequirePrivateStoreOnly) policy. **ApplicationManagement/RequirePrivateStoreOnly** policy is supported on the following Windows 10 editions: - Enterprise 
diff --git a/store-for-business/manage-apps-microsoft-store-for-business-overview.md b/store-for-business/manage-apps-microsoft-store-for-business-overview.md index 5f765d2f3c..5c9f41f018 100644 --- a/store-for-business/manage-apps-microsoft-store-for-business-overview.md +++ b/store-for-business/manage-apps-microsoft-store-for-business-overview.md @@ -7,7 +7,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.localizationpriority: high +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium ms.date: 10/17/2017 --- 
@@ -28,6 +30,6 @@ Manage products and services in Microsoft Store for Business and Microsoft Store | [App inventory managemement for Microsoft Store for Business and Education](app-inventory-management-microsoft-store-for-business.md) | You can manage all apps that you've acquired on your **Apps & software** page. | | [Manage private store settings](manage-private-store-settings.md) | The private store is a feature in Microsoft Store for Business and Education that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store. | | [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md) | For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Microsoft Store management tool services work with your third-party management tool to manage content. | -| [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md) | In Microsoft Store for Business, you can manage devices for your organization and apply an AutoPilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the AutoPilot deployment profile you applied to the device. | +| [Manage Windows device deployment with Windows Autopilot Deployment](add-profile-to-devices.md) | In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. 
| | [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md) | Use PowerShell cmdlets to automate basic app license assignment. | | [Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business](manage-mpsa-software-microsoft-store-for-business.md) | Software purchased with the Microsoft Products and Services Agreement (MPSA) can be managed in Microsoft Store for Business and Education. This allows customers to manage online software purchases in one location. | \ No newline at end of file diff --git a/store-for-business/manage-mpsa-software-microsoft-store-for-business.md b/store-for-business/manage-mpsa-software-microsoft-store-for-business.md index 970b3c783f..37ab81c66d 100644 --- a/store-for-business/manage-mpsa-software-microsoft-store-for-business.md +++ b/store-for-business/manage-mpsa-software-microsoft-store-for-business.md @@ -6,7 +6,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.localizationpriority: high +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium ms.date: 3/20/2018 --- diff --git a/store-for-business/manage-orders-microsoft-store-for-business.md b/store-for-business/manage-orders-microsoft-store-for-business.md index 2bc147f08b..12d927fce2 100644 --- a/store-for-business/manage-orders-microsoft-store-for-business.md +++ b/store-for-business/manage-orders-microsoft-store-for-business.md @@ -6,7 +6,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.localizationpriority: high +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium ms.date: 11/10/2017 --- 
@@ -53,7 +55,7 @@ Reclaim licenses, and then request a refund. If you haven't assigned licenses, s 1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, and then choose **Apps & software**. 3. Find the app you want to refund, click the ellipses under **Actions**, and then choose **View license details**. -4. Select the the people who you want to reclaim license from, click the ellipses under **Actions**, and then choose **Reclaim licenses**. +4. Select the people who you want to reclaim license from, click the ellipses under **Actions**, and then choose **Reclaim licenses**. 5. Click **Order history**, click the order you want to refund, and click **Refund order**. For free apps, the app will be removed from your inventory in **Apps & software**. diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md index e851331cdb..1462bb3ee3 100644 --- a/store-for-business/manage-private-store-settings.md +++ b/store-for-business/manage-private-store-settings.md @@ -7,8 +7,10 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +ms.author: TrudyHa +ms.topic: conceptual ms.date: 3/29/2018 -ms.localizationpriority: high +ms.localizationpriority: medium --- # Manage private store settings @@ -96,9 +98,9 @@ We've recently made performance improvements for changes in the private store. T | Action | Estimated time | | ------------------------------------------------------ | -------------- | -| Add a product to the private store
    - Apps recently added to your inventory, including line-of-business (LOB) apps and new purchases, will take up to 36 hours to add to the private store. That time begins when the product is purchased, or added to your inventory.
    - It will take an additional 36 hours for the product to be searchable in private store, even if you see the app available from the private store tab. | - 15 minutes: available on private store tab
    - 36 hours: searchable in private store
    - 36 hours: available on private store tab, if the product has just been added to inventory | +| Add a product to the private store
    - Apps recently added to your inventory, including line-of-business (LOB) apps and new purchases, will take up to 36 hours to add to the private store. That time begins when the product is purchased, or added to your inventory.
    - It will take an additional 36 hours for the product to be searchable in private store, even if you see the app available from the private store tab. | - 15 minutes: available on private store tab
    - 36 hours: searchable in private store
    - 36 hours: searchable in private store tab | | Remove a product from private store | - 15 minutes: private store tab
    - 36 hours: searchable in private store | -| Accept a new LOB app into your inventory (under **Products & services)**) | 36 hours | +| Accept a new LOB app into your inventory (under **Products & services)**) | - 15 minutes: available on private store tab
    - 36 hours: searchable in private store | | Create a new collection | 15 minutes| | Edit or remove a collection | 15 minutes | | Create private store tab | 4-6 hours | diff --git a/store-for-business/manage-settings-microsoft-store-for-business.md b/store-for-business/manage-settings-microsoft-store-for-business.md index 7462859380..995d597ff5 100644 --- a/store-for-business/manage-settings-microsoft-store-for-business.md +++ b/store-for-business/manage-settings-microsoft-store-for-business.md @@ -7,7 +7,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.localizationpriority: high +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium ms.date: 10/17/2017 --- diff --git a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md index 800ab20f14..7d6006d776 100644 --- a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md +++ b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md @@ -7,7 +7,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.localizationpriority: high +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium ms.date: 10/17/2017 --- 
@@ -35,8 +37,8 @@ For more information on Azure AD, see [About Office 365 and Azure Active Directo ## Add user accounts to your Azure AD directory If you created a new Azure AD directory when you signed up for Store for Business, you'll have a directory set up with one user account - the global administrator. That global administrator can add user accounts to your Azure AD directory. However, adding user accounts to your Azure AD directory will not give those employees access to Store for Business. You'll need to assign Store for Business roles to your employees. For more information, see [Roles and permissions in the Store for Business.](roles-and-permissions-microsoft-store-for-business.md) -You can use the [Office 365 admin dashboard](https://go.microsoft.com/fwlink/p/?LinkId=708616) or [Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=691086) to add user accounts to your Azure AD directory. If you'll be using Azure management portal, you'll need an active subscription to [Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=708617). +You can use the [Office 365 admin dashboard](https://portal.office.com/adminportal) or [Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=691086) to add user accounts to your Azure AD directory. If you'll be using Azure management portal, you'll need an active subscription to [Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=708617). 
For more information, see: -- [Add user accounts using Office 365 admin dashboard](https://go.microsoft.com/fwlink/p/?LinkId=708618) -- [Add user accounts using Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=708619) \ No newline at end of file +- [Add user accounts using Office 365 admin dashboard](https://support.office.com/en-us/article/add-users-individually-or-in-bulk-to-office-365-admin-help-1970f7d6-03b5-442f-b385-5880b9c256ec) +- [Add user accounts using Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=708619) diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md index acc4768d86..889c27f140 100644 --- a/store-for-business/microsoft-store-for-business-education-powershell-module.md +++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md @@ -6,7 +6,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium ms.author: ms.date: 10/22/2017 --- diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md index 3dd01700a4..276c980fae 100644 --- a/store-for-business/microsoft-store-for-business-overview.md +++ b/store-for-business/microsoft-store-for-business-overview.md @@ -7,7 +7,9 @@ ms.pagetype: store, mobile ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa -ms.localizationpriority: high +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium ms.date: 10/17/2017 --- diff --git a/store-for-business/notifications-microsoft-store-business.md b/store-for-business/notifications-microsoft-store-business.md index 57ea2652f3..478fb68e22 100644 --- a/store-for-business/notifications-microsoft-store-business.md 
+++ b/store-for-business/notifications-microsoft-store-business.md
@@ -8,7 +8,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
-ms.localizationpriority: high
+ms.author: TrudyHa
+ms.topic: conceptual
+ms.localizationpriority: medium
 ms.date: 07/27/2017
 ---
diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md
index 48adf681cf..890829a7d5 100644
--- a/store-for-business/prerequisites-microsoft-store-for-business.md
+++ b/store-for-business/prerequisites-microsoft-store-for-business.md
@@ -7,7 +7,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
-ms.localizationpriority: high
+ms.author: TrudyHa
+ms.topic: conceptual
+ms.localizationpriority: medium
 ms.date: 10/13/2017
 ---
diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md
index 74fcb9bd83..aa159ddffe 100644
--- a/store-for-business/release-history-microsoft-store-business-education.md
+++ b/store-for-business/release-history-microsoft-store-business-education.md
@@ -6,7 +6,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
-ms.date: 4/26/2018
+ms.author: TrudyHa
+ms.topic: conceptual
+ms.date: 07/31/2018
 ---
 # Microsoft Store for Business and Education release history
@@ -15,6 +17,18 @@ Microsoft Store for Business and Education regularly releases new and improved f Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) +## June 2018 +- **Change order within private store collection** - Continuing our focus on improvements for private store, now you can customize the order of products in each private store collection. +- **Performance improvements in private store** - We continue to work on performance improvements in the private store. Now, most products new to your inventory are available in your private store within 15 minutes of adding them. [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance) + +## May 2018 +- **Immersive Reader app available in Microsoft Store for Education** - This app is a free tool that uses proven techniques to improve reading and writing for people regardless of their age or ability. You can add the app to your private store, so students can easily install and use it. + +## April 2018 +- **Assign apps to larger groups** - We're making it easier for admins to assign apps to groups of people. Admins can assign licenses to groups of any size, and include subgroups within those groups. We’ll figure out who’s in those groups, and assign licenses to people in the groups (skipping people who already have licenses). Along the way, we’ll let you know how many licenses are needed, and provide an estimate on the time required to assign licenses. +- **Change collection order in private store** - Private store collections make it easy for groups of people to find the apps that they need. Now, you can customize the order of your private store collections. +- **Office 365 subscription management** - We know that sometimes customers need to cancel a subscription. 
While we don't want to lose a customer, we want the process for managing subscriptions to be easy. Now, you can delete your Office 365 subscription without calling Support. From Microsoft Store for Business and Education, you can request to delete an Office 365 subscription. We'll wait three days before permanently deleting the subscription. In case of a mistake, customers are welcome to reactivate subscriptions during the three-day period. + ## March 2018 - **Performance improvements in private store** - We've made it significantly faster for you to udpate the private store. Many changes to the private store are available immediately after you make them. [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance) - **Private store collection updates** - We’ve made it easier to find apps when creating private store collections – now you can search and filter results. 
@@ -43,7 +57,7 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store ## September 2017 -- **Manage Windows device deployment with Windows AutoPilot Deployment** - In Microsoft Store for Business, you can manage devices for your organization and apply an AutoPilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the AutoPilot deployment profile you applied to the device. [Get more info](add-profile-to-devices.md) +- **Manage Windows device deployment with Windows Autopilot Deployment** - In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device. [Get more info](add-profile-to-devices.md) - **Request an app** - People in your organization can reqest additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases. [Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#request-apps) - **My organization** - **My organization** shows you all Agreements that apply to your organization. You can also update profile info for you org, such as mailing address and email associated with your account. - **Manage prepaid Office 365 subscriptions** - Office 365 prepaid subscriptions can be redeemed using a prepaid token. Tokens are available through 3rd-party businesses, outside of Microsoft Store for Business or the Office 365 Admin portal. After redemming prepaid subscriptions, Admins can add more licenses or extend the subscription's expiration date. 
diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md index e5c032895c..22e03ceda8 100644 --- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md +++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md @@ -7,8 +7,10 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.localizationpriority: high -ms.date: 3/30/2018 +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium +ms.date: 8/7/2018 --- # Roles and permissions in Microsoft Store for Business and Education @@ -29,10 +31,11 @@ This table lists the global user accounts and the permissions they have in Micro | | Global Administrator | Billing Administrator | | ------------------------------ | --------------------- | --------------------- | -| Sign up for Microsoft Store for Business and Education | X | | +| Sign up for Microsoft Store for Business and Education | X | | Modify company profile settings | X | | | Acquire apps | X | X | | Distribute apps | X | X | +| Purchase subscription-based software | X | X |   - **Global Administrator** - IT Pros with this account have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store. 
@@ -41,7 +44,7 @@ This table lists the global user accounts and the permissions they have in Micro ## Microsoft Store roles and permissions -Microsoft Store has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store. +Microsoft Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store. This table lists the roles and their permissions. diff --git a/store-for-business/settings-reference-microsoft-store-for-business.md b/store-for-business/settings-reference-microsoft-store-for-business.md index 334a1f8ed5..9e45080286 100644 --- a/store-for-business/settings-reference-microsoft-store-for-business.md +++ b/store-for-business/settings-reference-microsoft-store-for-business.md @@ -7,7 +7,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.localizationpriority: high +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium ms.date: 11/01/2017 --- diff --git a/store-for-business/sfb-change-history.md b/store-for-business/sfb-change-history.md index ebc071d22a..7f99708123 100644 --- a/store-for-business/sfb-change-history.md +++ b/store-for-business/sfb-change-history.md @@ -7,8 +7,9 @@ ms.sitesec: library ms.pagetype: store author: TrudyHa ms.author: TrudyHa +ms.topic: conceptual ms.date: 4/26/2018 -ms.localizationpriority: high +ms.localizationpriority: medium --- # Change history for Microsoft Store for Business and Microsoft Store for Education 
@@ -49,7 +50,7 @@ ms.localizationpriority: high | New or changed topic | Description | | --- | --- | -| [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md) | Update. Add profile settings with supported build info. | +| [Manage Windows device deployment with Windows Autopilot Deployment](add-profile-to-devices.md) | Update. Add profile settings with supported build info. | | [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | Update | ## September 2017 @@ -78,7 +79,7 @@ ms.localizationpriority: high   | New or changed topic | Description | | -------------------- | ----------- | -| [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md) | New. Information about Windows AutoPilot Deployment Program and how it is used in Microsoft Store for Business and Education. | +| [Manage Windows device deployment with Windows Autopilot Deployment](add-profile-to-devices.md) | New. Information about Windows Autopilot Deployment Program and how it is used in Microsoft Store for Business and Education. | | [Microsoft Store for Business and Education overview - supported markets](https://docs.microsoft.com/en-us/microsoft-store/windows-store-for-business-overview#supported-markets) | Updates for added market support. |   diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md index c042b9fa38..29c8a0abe7 100644 --- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md +++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md @@ -7,7 +7,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store, security author: TrudyHa -ms.localizationpriority: high +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium ms.date: 10/17/2017 --- 
diff --git a/store-for-business/sign-up-microsoft-store-for-business-overview.md b/store-for-business/sign-up-microsoft-store-for-business-overview.md
index cf0109c335..8a9212cf86 100644
--- a/store-for-business/sign-up-microsoft-store-for-business-overview.md
+++ b/store-for-business/sign-up-microsoft-store-for-business-overview.md
@@ -7,7 +7,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
-ms.localizationpriority: high
+ms.author: TrudyHa
+ms.topic: conceptual
+ms.localizationpriority: medium
 ms.date: 10/13/2017
 ---
diff --git a/store-for-business/sign-up-microsoft-store-for-business.md b/store-for-business/sign-up-microsoft-store-for-business.md
index 2de6dc6f94..7ee9e453ff 100644
--- a/store-for-business/sign-up-microsoft-store-for-business.md
+++ b/store-for-business/sign-up-microsoft-store-for-business.md
@@ -7,7 +7,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
-ms.localizationpriority: high
+ms.author: TrudyHa
+ms.topic: conceptual
+ms.localizationpriority: medium
 ms.date: 10/17/2017
 ---
diff --git a/store-for-business/troubleshoot-microsoft-store-for-business.md b/store-for-business/troubleshoot-microsoft-store-for-business.md
index cc5eefa7a5..197eeba1a0 100644
--- a/store-for-business/troubleshoot-microsoft-store-for-business.md
+++ b/store-for-business/troubleshoot-microsoft-store-for-business.md
@@ -7,7 +7,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
-ms.localizationpriority: high
+ms.author: TrudyHa
+ms.topic: conceptual
+ms.localizationpriority: medium
 ms.date: 10/13/2017
 ---
diff --git a/store-for-business/update-microsoft-store-for-business-account-settings.md b/store-for-business/update-microsoft-store-for-business-account-settings.md
index 26d293ea41..9b5502382f 100644
--- a/store-for-business/update-microsoft-store-for-business-account-settings.md
+++ b/store-for-business/update-microsoft-store-for-business-account-settings.md
@@ -6,7 +6,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.localizationpriority: high +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium ms.date: 10/17/2017 --- diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index cca4d43519..3f6676128a 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -6,7 +6,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.date: 4/26/2018 +ms.author: TrudyHa +ms.topic: conceptual +ms.date: 07/31/2018 --- # What's new in Microsoft Store for Business and Education @@ -15,27 +17,34 @@ Microsoft Store for Business and Education regularly releases new and improved f ## Latest updates for Store for Business and Education -**April 2018** - -| | | -|--------------------------------------|---------------------------------| -| ![License assign icon](images/license-assign-icon.png) |**Assign apps to larger groups**

    We're making it easier for admins to assign apps to groups of people. Admins can assign licenses to groups of any size, and include subgroups within those groups. We’ll figure out who’s in those groups, and assign licenses to people in the groups (skipping people who already have licenses). Along the way, we’ll let you know how many licenses are needed, and provide an estimate on the time required to assign licenses.

    **Applies to**:
    Microsoft Store for Business
    Microsoft Store for Education | -| ![Private store icon](images/private-store-icon.png) |**Change collection order in private store**

    Private store collections make it easy for groups of people to find the apps that they need. Now, you can customize the order of your private store collections.

    **Applies to**:
    Microsoft Store for Business
    Microsoft Store for Education | -| ![Office logo icon](images/office-logo.png) |**Office 365 subscription management**

    We know that sometimes customers need to cancel subscription. While we don't want to lose a customer, we want the process for managing subscriptions to be easy. Now, you can delete your Office 365 subscription without calling Support. From Microsoft Store for Business and Education, you can request to delete an Office 365 subscription. We'll wait three days before permanently deleting the subscription. In case of a mistake, customers are welcome to reactivate subscriptions during the three-day period.

    **Applies to**:
    Microsoft Store for Business
    Microsoft Store for Education | +**July 2018** +We’ve been working on bug fixes and performance improvements to provide you a better experience. Stay tuned for new feature ## Previous releases and updates +[June 2018](release-history-microsoft-store-business-education.md#june-2018) +- Change order within private store collection +- Performance improvements in private store + +[May 2018](release-history-microsoft-store-business-education.md#may-2018) +- Immersive Reading app available in Microsoft Store for Education + +[April 2018](release-history-microsoft-store-business-education.md#april-2018) +- Assign apps to larger groups +- Change collection order in private store +- Office 365 subscription management + [March 2018](release-history-microsoft-store-business-education.md#march-2018) - Performance improvements in private store - Private store collection updates @@ -57,14 +66,13 @@ We’ve been working on bug fixes and performance improvements to provide you a - Bug fixes and performance improvements [October 2017](release-history-microsoft-store-business-education.md#october-2017) -- Bug fixes and permformance improvements +- Bug fixes and performance improvements [September 2017](release-history-microsoft-store-business-education.md#september-2017) -- Manage Windows device deployment with Windows AutoPilot Deployment +- Manage Windows device deployment with Windows Autopilot Deployment - Request an app - My organization - Manage prepaid Office 365 subscriptions - Manage Office 365 subscriptions acquired by partners - Edge extensions in Microsoft Store -- Search results in Microsoft Store for Business - +- Search results in Microsoft Store for Business \ No newline at end of file diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md index 0c12c3b9f9..36b1eedf64 100644 --- a/store-for-business/working-with-line-of-business-apps.md 
+++ b/store-for-business/working-with-line-of-business-apps.md @@ -7,7 +7,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.localizationpriority: high +ms.author: TrudyHa +ms.topic: conceptual +ms.localizationpriority: medium ms.date: 3/19/2018 --- diff --git a/windows/application-management/TOC.md b/windows/application-management/TOC.md index 310d18137e..b3f1796488 100644 --- a/windows/application-management/TOC.md +++ b/windows/application-management/TOC.md @@ -4,6 +4,7 @@ ## [Enable or block Windows Mixed Reality apps in the enterprise](manage-windows-mixed-reality.md) ## [Understand apps in Windows 10](apps-in-windows-10.md) ## [Add apps and features in Windows 10](add-apps-and-features.md) +### [Repackage win32 apps in the MSIX format](msix-app-packaging-tool.md) ## [Application Virtualization (App-V) for Windows](app-v/appv-for-windows.md) ### [Getting Started with App-V](app-v/appv-getting-started.md) #### [What's new in App-V for Windows 10, version 1703 and earlier](app-v/appv-about-appv.md) @@ -108,3 +109,4 @@ ## [Disabling System Services in Windows Server](https://docs.microsoft.com/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server) ## [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) ## [Change history for Application management](change-history-for-application-management.md) +## [How to keep apps removed from Windows 10 from returning during an update](remove-provisioned-apps-during-update.md) \ No newline at end of file diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md index d7320eab03..3b11a9431b 100644 --- a/windows/application-management/add-apps-and-features.md +++ b/windows/application-management/add-apps-and-features.md 
@@ -7,7 +7,7 @@ ms.sitesec: library
 ms.pagetype: article
 ms.author: elizapo
 author: lizap
-ms.localizationpriority: low
+ms.localizationpriority: medium
 ms.date: 04/26/2018
 ---
 # How to add apps and features to Windows 10
diff --git a/windows/application-management/app-v/appv-about-appv.md b/windows/application-management/app-v/appv-about-appv.md
index c2421f0918..f0f2f8eb1a 100644
--- a/windows/application-management/app-v/appv-about-appv.md
+++ b/windows/application-management/app-v/appv-about-appv.md
@@ -6,7 +6,7 @@ ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 04/18/2018
+ms.date: 06/08/2018
 ---
 # What's new in App-V for Windows 10, version 1703 and earlier
diff --git a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
index 7a031ea941..c5a7ad334d 100644
--- a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
@@ -1,40 +1,34 @@ --- title: How to Add or Remove an Administrator by Using the Management Console (Windows 10) -description: How to Add or Remove an Administrator by Using the Management Console +description: How to add or remove an administrator by using the Management Console author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 06/08/2018 --- +# How to add or remove an administrator by using the Management Console - -# How to Add or Remove an Administrator by Using the Management Console - -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 Use the following procedures to add or remove an administrator on the Microsoft Application Virtualization (App-V) server. -**To add an administrator using the Management Console** +## Add an administrator using the Management Console -1. Open the Microsoft Application Virtualization (App-V) Management Console and click **Administrators** in the navigation pane. The navigation pane displays a list of Access Directory (AD) users and groups that currently have administrative access to the Microsoft Application Virtualization (App-V) server. +1. Open the Microsoft Application Virtualization (App-V) Management Console and select **Administrators** in the navigation pane. The navigation pane will display a list of Access Directory (AD) users and groups that currently have administrative access to the Microsoft Application Virtualization (App-V) server. +2. To add a new administrator, select **Add Administrator**. Enter the name of the administrator that you want to add in the **Active Directory Name** field. Make sure to also provide the associated user account domain name. For example, **Domain** \\ **UserName**. +3. Select the account you want to add and select **Add**. The new account should now appear in the list of server administrators. -2. 
To add a new administrator, click **Add Administrator** Type the name of the administrator that you want to add in the **Active Directory Name** field. Ensure you provide the associated user account domain name. For example, **Domain** \\ **UserName**. +## Remove an administrator using the Management Console -3. Select the account that you want to add and click **Add**. The new account is displayed in the list of server administrators. - -**To remove an administrator using the Management Console** - -1. Open the Microsoft Application Virtualization (App-V) Management Console and click **Administrators** in the navigation pane. The navigation pane displays a list of AD users and groups that currently have administrative access to the Microsoft Application Virtualization (App-V) server. - -2. Right-click the account to be removed from the list of administrators and select **Remove**. +1. Open the Microsoft Application Virtualization (App-V) Management Console and select **Administrators** in the navigation pane. The navigation pane displays a list of AD users and groups that currently have administrative access to the Microsoft Application Virtualization (App-V) server. +2. Right-click the account to be removed from the list of administrators and select **Remove**. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) +* [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md index 19131f8521..0ae1a703c8 100644 --- a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md 
@@ -1,49 +1,44 @@ --- title: How to Add or Upgrade Packages by Using the Management Console (Windows 10) -description: How to Add or Upgrade Packages by Using the Management Console +description: How to add or upgrade packages by using the Management Console author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 06/08/2018 --- +# How to add or upgrade packages by using the Management Console +>Applies to: Windows 10, version 1607 -# How to Add or Upgrade Packages by Using the Management Console +You can use the following procedure to add or upgrade a package to the App-V Management Console. To upgrade a package that already exists in the Management Console, use the following steps and import the upgraded package using the same package **Name**. -**Applies to** -- Windows 10, version 1607 +## Add a package to the Management Console -You can the following procedure to add or upgrade a package to the App-V Management Console. To upgrade a package that already exists in the Management Console, use the following steps and import the upgraded package using the same package **Name**. - -**To add a package to the Management Console** - -1. Click the **Packages** tab in the navigation pane of the Management Console display. +1. Select the **Packages** tab in the navigation pane of the Management Console display. The console displays the list of packages that have been added to the server along with status information about each package. When a package is selected, detailed information about the package is displayed in the **PACKAGES** pane. - Click the **Ungrouped** drop-down list box and specify how the packages are to be displayed in the console. You can also click the associated column header to sort the packages. + Select the **Ungrouped** drop-down list box and specify how the packages are to be displayed in the console. 
You can also click the associated column header to sort the packages. -2. To specify the package you want to add, click **Add or Upgrade Packages**. +2. Select **Add or Upgrade Packages** to specify which package you want to add. -3. Type the full path to the package that you want to add. Use the UNC or HTTP path format, for example **\\\\servername\\sharename\\foldername\\packagename.appv** or **https://server.1234/file.appv**, and then click **Add**. +3. Enter the full path to the package that you want to add. Use the UNC or HTTP path format, for example **\\\\servername\\sharename\\foldername\\packagename.appv** or **http://server.1234/file.appv**, and then select **Add**. - **Important**   - You must select a package with the **.appv** file name extension. + >[!IMPORTANT] + >You must select a package with the **.appv** file name extension. -   +4. The page displays the status message **Adding <Packagename>**. Select **IMPORT STATUS** to check the status of a package that you have imported. -4. The page displays the status message **Adding <Packagename>**. Click **IMPORT STATUS** to check the status of a package that you have imported. + Select **OK** to add the package and close the **Add Package** page. If there was an error during the import, select **Detail** on the **Package Import** page for more information. The newly added package is now available in the **PACKAGES** pane. - Click **OK** to add the package and close the **Add Package** page. If there was an error during the import, click **Detail** on the **Package Import** page for more information. The newly added package is now available in the **PACKAGES** pane. - -5. Click **Close** to close the **Add or Upgrade Packages** page. +5. Select **Close** to close the **Add or Upgrade Packages** page. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) +* [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-administering-appv-with-powershell.md b/windows/application-management/app-v/appv-administering-appv-with-powershell.md index a27ad2dd60..b6cf8bf3d3 100644 --- a/windows/application-management/app-v/appv-administering-appv-with-powershell.md +++ b/windows/application-management/app-v/appv-administering-appv-with-powershell.md 
@@ -1,137 +1,53 @@ --- -title: Administering App-V by Using Windows PowerShell (Windows 10) +title: Administering App-V by using Windows PowerShell (Windows 10) description: Administering App-V by Using Windows PowerShell author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 06/08/2018 --- +# Administering App-V by using Windows PowerShell +>Applies to: Windows 10, version 1607 -# Administering App-V by Using Windows PowerShell +Microsoft Application Virtualization (App-V) supports Windows PowerShell cmdlets that give administrators a quick and easy way to manage App-V. The following sections will tell you more about how to use Windows PowerShell with App-V. -**Applies to** -- Windows 10, version 1607 +## How to administer App-V with Windows PowerShell -Microsoft Application Virtualization (App-V) provides Windows PowerShell cmdlets, which can help administrators perform various App-V tasks. The following sections provide more information about using Windows PowerShell with App-V. +The following table lists articles that will tell you more about how to use PowerShell for App-V. 
-## How to administer App-V by using Windows PowerShell +|Name|Description| +|---|---| +|[How to load the Windows PowerShell cmdlets for App-V and get cmdlet help](appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md)|Describes how to install the Windows PowerShell cmdlets and find cmdlet help and examples.| +|[How to manage App-V packages running on a stand-alone computer by using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md)|Describes how to manage the client package lifecycle on a stand-alone computer with Windows PowerShell.| +|[How to manage connection groups on a stand-alone computer by using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md)|Describes how to manage connection groups with Windows PowerShell.| +|[How to modify client configuration by using Windows PowerShell](appv-modify-client-configuration-with-powershell.md)|Describes how to modify the client with Windows PowerShell.| +|[How to apply the user configuration file by using Windows PowerShell](appv-apply-the-user-configuration-file-with-powershell.md)|Describes how to apply a user configuration file with Windows PowerShell.| +|[How to apply the deployment configuration file by using Windows PowerShell](appv-apply-the-deployment-configuration-file-with-powershell.md)|Describes how to apply a deployment configuration file with Windows PowerShell.| +|[How to sequence a package by using Windows PowerShell](appv-sequence-a-package-with-powershell.md)|Describes how to create a new package with Windows PowerShell.| +|[How to create a package accelerator by using Windows PowerShell](appv-create-a-package-accelerator-with-powershell.md)|Describes how to create a package accelerator with Windows PowerShell. 
You can use package accelerators to automatically sequence large, complex applications.| +|[How to enable reporting on the App-V client by using Windows PowerShell](appv-enable-reporting-on-the-appv-client-with-powershell.md)|Describes how to enable the computer running the App-V Client to send reporting information.| +|[How to install the App-V databases and convert the associated security identifiers by using Windows PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md)|Describes how to take an array of account names and to convert each of them to the corresponding SID in standard and hexadecimal formats.| +|[How to configure the client to receive package and connection groups updates from the publishing server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md)|Describes how to use Windows PowerShell to configure a client after you have deployed the App-V management and publishing servers and added the required packages and connection groups.| +>[!IMPORTANT] +>Make sure that any script you execute with your App-V packages matches the execution policy that you have configured for Windows PowerShell. -Use the following Windows PowerShell procedures to perform various App-V tasks. +## Windows PowerShell error handling - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameDescription

    [How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help](appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md)

    Describes how to install the Windows PowerShell cmdlets and find cmdlet help and examples.

    [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md)

    Describes how to manage the client package lifecycle on a stand-alone computer by using Windows PowerShell.

    [How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md)

    Describes how to manage connection groups by using Windows PowerShell.

    [How to Modify Client Configuration by Using Windows PowerShell](appv-modify-client-configuration-with-powershell.md)

    Describes how to modify the client by using Windows PowerShell.

    [How to Apply the User Configuration File by Using Windows PowerShell](appv-apply-the-user-configuration-file-with-powershell.md)

    Describes how to apply a user configuration file by using Windows PowerShell.

    [How to Apply the Deployment Configuration File by Using Windows PowerShell](appv-apply-the-deployment-configuration-file-with-powershell.md)

    Describes how to apply a deployment configuration file by using Windows PowerShell.

    [How to Sequence a Package by Using Windows PowerShell](appv-sequence-a-package-with-powershell.md)

    Describes how to create a new package by using Windows PowerShell.

    [How to Create a Package Accelerator by Using Windows PowerShell](appv-create-a-package-accelerator-with-powershell.md)

    Describes how to create a package accelerator by using Windows PowerShell. You can use package accelerators automatically sequence large, complex applications.

    [How to Enable Reporting on the App-V Client by Using Windows PowerShell](appv-enable-reporting-on-the-appv-client-with-powershell.md)

    Describes how to enable the computer running the App-V to send reporting information.

    [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md)

    Describes how to take an array of account names and to convert each of them to the corresponding SID in standard and hexadecimal formats.

    [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md) -

    Describes how to use Windows PowerShell to configure a client after you deploy the App-V management and publishing servers, and add the required packages and connection groups.

    +The following table describes Windows PowerShell error handling for App-V. -  - -**Important**   -Make sure that any script you execute with your App-V packages matches the execution policy that you have configured for Windows PowerShell. - -  - -## Windows PowerShell Error Handling - - -Use the following table for information about Windows PowerShell error handling for App-V. - - ---- - - - - - - - - - - - - - - - - -
    EventAction

    Using the RollbackOnError attribute with embedded scripts

    When you use the RollbackOnError attribute with embedded scripts, the attribute is ignored for the following events:

    -
      -
    • Removing a package

    • -
    • Unpublishing a package

    • -
    • Terminating a virtual environment

    • -
    • Terminating a process

    • -

    Package name contains $

    If a package name contains the character ( $ ), you must use a single-quote ( ' ), for example,

    -

    Add-AppvClientPackage 'Contoso$App.appv'

    - -  +|Event|Action| +|---|---| +|Using the **RollbackOnError** attribute with embedded scripts|When you use the **RollbackOnError** attribute with embedded scripts, the attribute is ignored for the following events:
    - Removing a package
    - Unpublishing a package
    - Terminating a virtual environment
    - Terminating a process| +|Package name contains **$**|If a package name contains the character \$\, you must use a single-quote ( **'** ).
    For example:
    ```Add-AppvClientPackage 'Contoso$App.appv'```| ## Have a suggestion for App-V? - -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
 ## Related topics
-
-[Operations for App-V](appv-operations.md)
+* [Operations for App-V](appv-operations.md)
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
index ff218061cc..a7662c1689 100644
--- a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
@@ -1,116 +1,60 @@ --- -title: Administering App-V Virtual Applications by Using the Management Console (Windows 10) -description: Administering App-V Virtual Applications by Using the Management Console +title: Administering App-V Virtual Applications by using the Management Console (Windows 10) +description: Administering App-V Virtual Applications by using the Management Console author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 06/08/2018 --- +# Administering App-V Virtual Applications by using the Management Console +>Applies to: Windows 10, version 1607 -# Administering App-V Virtual Applications by Using the Management Console - -**Applies to** -- Windows 10, version 1607 - -Use the Microsoft Application Virtualization (App-V) management server to manage packages, connection groups, and package access in your environment. The server publishes application icons, shortcuts, and file type associations to authorized computers that run the App-V client. One or more management servers typically share a common data store for configuration and package information. +Use the Microsoft Application Virtualization (App-V) management server to manage packages, connection groups, and package access in your environment. The server publishes application icons, shortcuts, and file type associations to authorized computers running the App-V client. One or more management servers typically share a common data store for configuration and package information. The management server uses Active Directory Domain Services (AD DS) groups to manage user authorization and has SQL Server installed to manage the database and data store. Because the management servers stream applications to end users on demand, these servers are ideally suited for system configurations that have reliable, high-bandwidth LANs. 
The management server consists of the following components: -- Management Server – Use the management server to manage packages and connection groups. - -- Publishing Server – Use the publishing server to deploy packages to computers that run the App-V client. - -- Management Database - Use the management database to manage the package access and to publish the server’s synchronization with the management server. +- The **management server** manages packages and connection groups. +- The **publishing server** deploys packages to computers running the App-V Client. +- The **management database** manages the package access publishes the server’s synchronization with the management server. ## Management Console tasks +Here are some articles that can show you how to perform the most common tasks that the App-V Management Console is used for: -The most common tasks that you can perform with the App-V Management console are: - -- [How to Connect to the Management Console](appv-connect-to-the-management-console.md) - -- [How to Add or Upgrade Packages by Using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md) - -- [How to Configure Access to Packages by Using the Management Console](appv-configure-access-to-packages-with-the-management-console.md) - -- [How to Publish a Package by Using the Management Console](appv-publish-a-packages-with-the-management-console.md) - -- [How to Delete a Package in the Management Console](appv-delete-a-package-with-the-management-console.md) - -- [How to Add or Remove an Administrator by Using the Management Console](appv-add-or-remove-an-administrator-with-the-management-console.md) - -- [How to Register and Unregister a Publishing Server by Using the Management Console](appv-register-and-unregister-a-publishing-server-with-the-management-console.md) - -- [How to Create a Custom Configuration File by Using the App-V Management 
Console](appv-create-a-custom-configuration-file-with-the-management-console.md) - -- [How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console](appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md) - -- [How to Customize Virtual Applications Extensions for a Specific AD Group by Using the Management Console](appv-customize-virtual-application-extensions-with-the-management-console.md) - -- [How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console](appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md) +- [How to connect to the Management Console](appv-connect-to-the-management-console.md) +- [How to add or upgrade packages by using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md) +- [How to configure access to packages by using the Management Console](appv-configure-access-to-packages-with-the-management-console.md) +- [How to publish a package by using the Management Console](appv-publish-a-packages-with-the-management-console.md) +- [How to delete a package in the Management Console](appv-delete-a-package-with-the-management-console.md) +- [How to add or remove an administrator by using the Management Console](appv-add-or-remove-an-administrator-with-the-management-console.md) +- [How to register and unregister a publishing server by using the Management Console](appv-register-and-unregister-a-publishing-server-with-the-management-console.md) +- [How to create a custom configuration file by using the App-V Management Console](appv-create-a-custom-configuration-file-with-the-management-console.md) +- [How to transfer access and configurations to another version of a package by using the Management Console](appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md) +- [How to 
customize virtual application extensions for a specific AD group by using the Management Console](appv-customize-virtual-application-extensions-with-the-management-console.md) +- [How to view and configure applications and default virtual application extensions by using the Management Console](appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md) The main elements of the App-V Management Console are: - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    Management Console tabDescription

    Packages tab

    Use the PACKAGES tab to add or upgrade packages.

    Connection Groups tab

    Use the CONNECTION GROUPS tab to manage connection groups.

    Servers tab

    Use the SERVERS tab to register a new server.

    Administrators tab

    Use the ADMINISTRATORS tab to register, add, or remove administrators in your App-V environment.

    +|Management Console tab|Description| +|---|---| +|Packages tab|Use the **Packages** tab to add or upgrade packages.| +|Connection Groups tab|Use the **Connection Groups** tab to manage connection groups.| +|Servers tab|Use the **Servers** tab to register a new server.| +|Administrators tab|Use the **Administrators** tab to register, add, or remove administrators in your App-V environment.| -  - -**Important**   -JavaScript must be enabled on the browser that opens the Web Management Console. - -  +>[!IMPORTANT] +>The browser you're using to open the Web Management Console must have JavaScript enabled. ## Have a suggestion for App-V? +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). - -## Other resources for this App-V deployment - - -- [Application Virtualization (App-V) overview](appv-for-windows.md) - -- [Operations for App-V](appv-operations.md) - -  - -  - - - - +## Other resources for this App-V deployment +- [Application Virtualization (App-V) overview](appv-for-windows.md) +- [Operations for App-V](appv-operations.md) \ No newline at end of file diff --git a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md index f97ca1f36d..36c4204881 100644 --- a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md +++ b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md @@ -6,56 +6,28 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 06/08/2018 --- +# How to allow only administrators to enable connection groups +>Applies to: Windows 10, version 1607 -# How to Allow Only Administrators to Enable Connection Groups +You can configure the App-V client so that only administrators, not users, can enable or disable connection groups. In earlier versions of App-V, there was no way to restrict access to disabling connection groups to users. -**Applies to** -- Windows 10, version 1607 - -You can configure the App-V client so that only administrators (not end users) can enable or disable connection groups. In earlier versions of App-V, you could not prevent end users from performing these tasks. - -**Note**
    -This feature is supported starting in App-V 5.0 SP3. +>[!NOTE] +>This feature is supported starting in App-V 5.0 SP3. Use one of the following methods to allow only administrators to enable or disable connection groups. - ---- - - - - - - - - - - - - - - - - -
    MethodSteps

    Group Policy setting

    Enable the “Require publish as administrator” Group Policy setting, which is located in the following Group Policy Object node:

    -

    Computer Configuration > Administrative Templates > System > App-V > Publishing

    Windows PowerShell cmdlet

    Run the Set-AppvClientConfiguration cmdlet with the -RequirePublishAsAdmin parameter.

    -

    Parameter values:

    -
      -
    • 0 - False

    • -
    • 1 - True

    • -
    -

    Example: Set-AppvClientConfiguration -RequirePublishAsAdmin 1

    +|Method|Steps| +|---|---| +|Group Policy setting|Enable the “Require publish as administrator” Group Policy setting, which is located in the following Group Policy Object node:

    **Computer Configuration** > **Administrative Templates** > **System** > **App-V** > **Publishing**| +|Windows PowerShell cmdlet|Run the **Set-AppvClientConfiguration** cmdlet with the *-RequirePublishAsAdmin* parameter.

    Parameter values:
    - **0** – False
    - **1** – True

    Example: ```Set-AppvClientConfiguration -RequirePublishAsAdmin 1```| ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Managing Connection Groups](appv-managing-connection-groups.md) +- [Managing Connection Groups](appv-managing-connection-groups.md) diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md index 4674fddc02..9ef9c0bee3 100644 --- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md +++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md @@ -1,235 +1,129 @@ --- title: Application Publishing and Client Interaction (Windows 10) -description: Application Publishing and Client Interaction +description: Application publishing and client interaction. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 06/08/2018 --- +# Application publishing and client interaction +>Applies to: Windows 10, version 1607 -# Application Publishing and Client Interaction - -**Applies to** -- Windows 10, version 1607 - -This article provides technical information about common App-V client operations and their integration with the local operating system. +This article provides technical information about common App-V Client operations and their integration with the local operating system. ## App-V package files created by the Sequencer - The Sequencer creates App-V packages and produces a virtualized application. The sequencing process creates the following files: - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FileDescription

    .appv

      -
    • The primary package file, which contains the captured assets and state information from the sequencing process.

    • -
    • Architecture of the package file, publishing information, and registry in a tokenized form that can be reapplied to a machine and to a specific user upon delivery.

    • -

    .MSI

    Executable deployment wrapper that you can use to deploy .appv files manually or by using a third-party deployment platform.

    _DeploymentConfig.XML

    File used to customize the default publishing parameters for all applications in a package that is deployed globally to all users on a computer that is running the App-V client.

    _UserConfig.XML

    File used to customize the publishing parameters for all applications in a package that is a deployed to a specific user on a computer that is running the App-V client.

    Report.xml

    Summary of messages resulting from the sequencing process, including omitted drivers, files, and registry locations.

    .CAB

    Optional: Package accelerator file used to automatically rebuild a previously sequenced virtual application package.

    .appvt

    Optional: Sequencer template file used to retain commonly reused Sequencer settings.

    +|File|Description| +|---|---| +|.appv|- The primary package file, which contains captured assets and state information from the sequencing process.
    - Architecture of the package file, publishing information, and registry in a tokenized form that can be reapplied to a machine and to a specific user upon delivery.| +|.MSI|Executable deployment wrapper that you can use to deploy .appv files manually or by using a third-party deployment platform.| +|_DeploymentConfig.XML|File used to customize the default publishing parameters for all applications in a package that is deployed globally to all users on a computer that is running the App-V Client.| +|_UserConfig.XML|File used to customize the publishing parameters for all applications in a package that is a deployed to a specific user on a computer that is running the App-V Client.| +|Report.xml|Summary of messages resulting from the sequencing process, including omitted drivers, files, and registry locations.| +|.CAB|Optional: Package accelerator file used to automatically rebuild a previously sequenced virtual application package.| +|.appvt|Optional: Sequencer template file used to retain commonly reused Sequencer settings.| -For information about sequencing, see [How to Sequence a New Application with App-V](appv-sequence-a-new-application.md). +To learn more about sequencing, see [How to Sequence a New Application with App-V](appv-sequence-a-new-application.md). ## What’s in the appv file? - The appv file is a container that stores XML and non-XML files together in a single entity. This file is built from the AppX format, which is based on the Open Packaging Conventions (OPC) standard. -To view the appv file contents, make a copy of the package, and then rename the copied file to a ZIP extension. +To view the appv file contents, make a copy of the package, and then rename the copied file to a .zip extension. 
The appv file contains the following folder and files, which are used when creating and publishing a virtual application: | Name | Type | Description | -| - | - | - | -| Root | File folder | Directory that contains the file system for the virtualized application that is captured during sequencing. | -| [Content_Types].xml | XML File | List of the core content types in the appv file (e.g. DLL, EXE, BIN). | +|---|---|---| +| Root | File folder | Directory that contains the file system for the virtualized application captured during sequencing. | +| [Content_Types].xml | XML File | List of the core content types in the appv file (for example, DLL, EXE, BIN). | | AppxBlockMap.xml | XML File | Layout of the appv file, which uses File, Block, and BlockMap elements that enable location and validation of files in the App-V package.| | AppxManifest.xml | XML File | Metadata for the package that contains the required information for adding, publishing, and launching the package. Includes extension points (file type associations and shortcuts) and the names and GUIDs associated with the package.| -| FilesystemMetadata.xml | XML File | List of the files captured during sequencing, including attributes (e.g., directories, files, opaque directories, empty directories,and long and short names). | +| FilesystemMetadata.xml | XML File | List of the files captured during sequencing, including attributes (such as directories, files, opaque directories, empty directories, and long and short names). | | PackageHistory.xml | XML File | Information about the sequencing computer (operating system version, Internet Explorer version, .Net Framework version) and process (upgrade, package version).| | Registry.dat | DAT File | Registry keys and values captured during the sequencing process for the package.| | StreamMap.xml | XML File | List of files for the primary and publishing feature block. 
The publishing feature block contains the ICO files and required portions of files (EXE and DLL) for publishing the package. When present, the primary feature block includes files that have been optimized for streaming during the sequencing process.| -  +## App-V Client data storage locations -## App-V client data storage locations - -The App-V client performs tasks to ensure that virtual applications run properly and work like locally installed applications. The process of opening and running virtual applications requires mapping from the virtual file system and registry to ensure the application has the required components of a traditional application expected by users. This section describes the assets that are required to run virtual applications and lists the location where App-V stores the assets. +The App-V Client performs tasks to keep virtual applications running properly and working like locally installed applications. The process of opening and running virtual applications requires mapping from the virtual file system and registry to ensure the application has the required components of a traditional application expected by users. This section describes the assets that are required to run virtual applications and lists the location where App-V stores the assets. 
| Name | Location | Description | -| - | - | - | -| Package Store | %ProgramData%\App-V| Default location for read only package files| -| Machine Catalog | %ProgramData%\Microsoft\AppV\Client\Catalog| Contains per-machine configuration documents| -| User Catalog | %AppData%\Microsoft\AppV\Client\Catalog| Contains per-user configuration documents| -| Shortcut Backups | %AppData%\Microsoft\AppV\Client\Integration\ShortCutBackups| Stores previous integration points that enable restore on package unpublish| -| Copy on Write (COW) Roaming | %AppData%\Microsoft\AppV\Client\VFS| Writeable roaming location for package modification| -| Copy on Write (COW) Local | %LocalAppData%\Microsoft\AppV\Client\VFS| Writeable non-roaming location for package modification| -| Machine Registry | HKLM\Software\Microsoft\AppV| Contains package state information, including VReg for machine or globally published packages (Machine hive)| -| User Registry | HKCU\Software\Microsoft\AppV| Contains user package state information including VReg| -| User Registry Classes | HKCU\Software\Classes\AppV| Contains additional user package state information| +|---|---|---| +| Package Store | %ProgramData%\App-V| Default location for read-only package files.| +| Machine Catalog | %ProgramData%\Microsoft\AppV\Client\Catalog| Contains per-machine configuration documents.| +| User Catalog | %AppData%\Microsoft\AppV\Client\Catalog| Contains per-user configuration documents.| +| Shortcut Backups | %AppData%\Microsoft\AppV\Client\Integration\ShortCutBackups| Stores previous integration points that enable restore on package unpublish.| +| Copy on Write (COW) Roaming | %AppData%\Microsoft\AppV\Client\VFS| Writeable roaming location for package modification.| +| Copy on Write (COW) Local | %LocalAppData%\Microsoft\AppV\Client\VFS| Writeable non-roaming location for package modification.| +| Machine Registry | HKLM\Software\Microsoft\AppV| Contains package state information, including VReg for machine or globally 
published packages (Machine hive).| +| User Registry | HKCU\Software\Microsoft\AppV| Contains user package state information including VReg.| +| User Registry Classes | HKCU\Software\Classes\AppV| Contains additional user package state information.| Additional details for the table are provided in the section below and throughout the document. ### Package store -The App-V Client manages the applications assets mounted in the package store. This default storage location is `%ProgramData%\App-V`, but you can configure it during or after setup by using the `Set-AppVClientConfiguration` Windows PowerShell cmdlet, which modifies the local registry (`PackageInstallationRoot` value under the `HKLM\Software\Microsoft\AppV\Client\Streaming` key). The package store must be located at a local path on the client operating system. The individual packages are stored in the package store in subdirectories named for the Package GUID and Version GUID. +The App-V Client manages the applications assets mounted in the package store. This default storage location is %ProgramData%\App-V, but you can configure it during or after setup by using the **Set-AppVClientConfiguration** Windows PowerShell cmdlet, which modifies the local registry (**PackageInstallationRoot** value under the HKLM\Software\Microsoft\AppV\Client\Streaming key). The package store must be located at a local path on the client operating system. The individual packages are stored in the package store in subdirectories named after the Package GUID and Version GUID. -Example of a path to a specific application: +The following is an example of a path to a specific application: -``` syntax -C:\ProgramData\App-V\PackGUID\VersionGUID +```syntax +C:\ProgramData\App-V\PackGUID\VersionGUID ``` To change the default location of the package store during setup, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). 
### Shared Content Store -If the App-V Client is configured in Shared Content Store mode, no data is written to disk when a stream fault occurs, which means that the packages require minimal local disk space (publishing data). The use of less disk space is highly desirable in VDI environments, where local storage can be limited, and streaming the applications from a high performance network location (such as a SAN) is preferable. For more information, see [Shared Content Store in Microsoft App-V 5.0 - Behind the Scenes](https://blogs.technet.microsoft.com/appv/2013/07/22/shared-content-store-in-microsoft-app-v-5-0-behind-the-scenes/). +If the App-V Client is configured in Shared Content Store mode, no data is written to disk when a stream fault occurs, which means that the packages require minimal local disk space (publishing data). In VDI environments where local storage can be limited, it's important to use as little disk space as possible. You can minimize disk space usage by streaming applications from a high-performance network location (such as a SAN). For more information, see [Shared Content Store in Microsoft App-V 5.0 - Behind the Scenes](https://blogs.technet.microsoft.com/appv/2013/07/22/shared-content-store-in-microsoft-app-v-5-0-behind-the-scenes/). -> [!NOTE] -> The machine and package store must be located on a local drive, even when you’re using Shared Content Store configurations for the App-V Client. - -  +>[!NOTE] +>The machine and package store must be located on a local drive, even when you’re using Shared Content Store configurations for the App-V Client. ### Package catalogs The App-V Client manages the following two file-based locations: -- **Catalogs (user and machine).** - -- **Registry locations** - depends on how the package is targeted for publishing. There is a Catalog (data store) for the computer, and a catalog for each individual user. 
The Machine Catalog stores global information applicable to all users or any user, and the User Catalog stores information applicable to a specific user. The Catalog is a collection of Dynamic Configurations and manifest files; there is discrete data for both file and registry per package version.  +- **Catalogs (user and machine).** +- **Registry locations**—depends on how the package is targeted for publishing. There is a Catalog (data store) for the computer, and a catalog for each individual user. The Machine catalog stores global information applicable to all users or any specific user, and the User catalog stores information applicable to a specific user. The catalog is a collection of Dynamic Configurations and manifest files; there is discrete data for both file and registry per package version. ### Machine catalog - ---- - - - - - - - - - - - - - - - - - - - - - - -

    Description

    Stores package documents that are available to users on the machine, when packages are added and published. However, if a package is “global” at publishing time, the integrations are available to all users.

    -

    If a package is non-global, the integrations are published only for specific users, but there are still global resources that are modified and visible to anyone on the client computer (e.g., the package directory is in a shared disk location).

    -

    If a package is available to a user on the computer (global or non-global), the manifest is stored in the Machine Catalog. When a package is published globally, there is a Dynamic Configuration file, stored in the Machine Catalog; therefore, the determination of whether a package is global is defined according to whether there is a policy file (UserDeploymentConfiguration file) in the Machine Catalog.

    Default storage location

    %programdata%\Microsoft\AppV\Client\Catalog\

    -

    This location is not the same as the Package Store location. The Package Store is the golden or pristine copy of the package files.

    Files in the machine catalog

      -
    • Manifest.xml

    • -
    • DeploymentConfiguration.xml

    • -
    • UserManifest.xml (Globally Published Package)

    • -
    • UserDeploymentConfiguration.xml (Globally Published Package)

    • -

    Additional machine catalog location, used when the package is part of a connection group

    The following location is in addition to the specific package location mentioned above:

    -

    %programdata%\Microsoft\AppV\Client\Catalog\PackageGroups\ConGroupGUID\ConGroupVerGUID

    Additional files in the machine catalog when the package is part of a connection group

      -
    • PackageGroupDescriptor.xml

    • -
    • UserPackageGroupDescriptor.xml (globally published Connection Group)

    • -
    +The locations described in this table can be found in the %programdata%\Microsoft\AppV\Client\Catalog\ folder. -  +||| +|---|---| +|Description|Stores package documents that are available to users on the machine when packages are added and published. However, if a package is “global” at publishing time, the integrations are available to all users.

    If a package is non-global, the integrations are published only for specific users, but there are still global resources that are modified and visible to anyone on the client computer (such as when the package directory is in a shared disk location).

    If a package is available to a user on the computer (global or non-global), the manifest is stored in the Machine Catalog. When a package is published globally, there is a Dynamic Configuration file, stored in the Machine Catalog; therefore, the determination of whether a package is global is defined according to whether there is a policy file (UserDeploymentConfiguration file) in the Machine Catalog.| +|Default storage location|%programdata%\Microsoft\AppV\Client\Catalog\

    This location is not the same as the Package Store location. The Package Store is the golden or pristine copy of the package files.| +|Files in the machine catalog|- Manifest.xml
    - DeploymentConfiguration.xml
    - UserManifest.xml (Globally Published Package)
    - UserDeploymentConfiguration.xml (Globally Published Package)| +|Additional machine catalog location, used when the package is part of a connection group|The following location is in addition to the specific package location mentioned previously as the default storage location:

    %programdata%\Microsoft\AppV\Client\Catalog\PackageGroups\ConGroupGUID\ConGroupVerGUID| +|Additional files in the machine catalog when the package is part of a connection group|- PackageGroupDescriptor.xml
    - UserPackageGroupDescriptor.xml (globally published Connection Group)| ### User catalog - ---- - - - - - - - - - - - - - - - - - - - - - - -

    Description

    Created during the publishing process. Contains information used for publishing the package, and also used at launch to ensure that a package is provisioned to a specific user. Created in a roaming location and includes user-specific publishing information.

    -

    When a package is published for a user, the policy file is stored in the User Catalog. At the same time, a copy of the manifest is also stored in the User Catalog. When a package entitlement is removed for a user, the relevant package files are removed from the User Catalog. Looking at the user catalog, an administrator can view the presence of a Dynamic Configuration file, which indicates that the package is entitled for that user.

    -

    For roaming users, the User Catalog needs to be in a roaming or shared location to preserve the legacy App-V behavior of targeting users by default. Entitlement and policy are tied to a user, not a computer, so they should roam with the user once they are provisioned.

    Default storage location

    appdata\roaming\Microsoft\AppV\Client\Catalog\Packages\PkgGUID\VerGUID

    Files in the user catalog

      -
    • UserManifest.xml

    • -
    • DynamicConfiguration.xml or UserDeploymentConfiguration.xml

    • -

    Additional user catalog location, used when the package is part of a connection group

    The following location is in addition to the specific package location mentioned above:

    -

    appdata\roaming\Microsoft\AppV\Client\Catalog\PackageGroups\PkgGroupGUID\PkgGroupVerGUID

    Additional file in the machine catalog when the package is part of a connection group

    UserPackageGroupDescriptor.xml

    +The locations described in this table can be found in the appdata\roaming\Microsoft\AppV\Client\Catalog\ folder. -  +||| +|---|---| +|Description|Created during the publishing process. Contains information used for publishing the package, and for making sure that a package is provisioned to a specific user at launch. Created in a roaming location and includes user-specific publishing information.

    When a package is published for a user, the policy file is stored in the User Catalog. At the same time, a copy of the manifest is also stored in the User Catalog. When a package entitlement is removed for a user, the relevant package files are removed from the User Catalog. Looking at the user catalog, an administrator can view the presence of a Dynamic Configuration file, which indicates that the package is entitled for that user.

    For roaming users, the User Catalog needs to be in a roaming or shared location to preserve the legacy App-V behavior of targeting users by default. Entitlement and policy are tied to a user, not a computer, so they should roam with the user once they are provisioned.| +|Default storage location|appdata\roaming\Microsoft\AppV\Client\Catalog\Packages\PkgGUID\VerGUID| +|Files in the user catalog|- UserManifest.xml
    - DynamicConfiguration.xml or UserDeploymentConfiguration.xml| +|Additional user catalog location, used when the package is part of a connection group|The following location is in addition to the specific package location mentioned above:

    appdata\roaming\Microsoft\AppV\Client\Catalog\PackageGroups\PkgGroupGUID\PkgGroupVerGUID| +|Additional file in the machine catalog when the package is part of a connection group|UserPackageGroupDescriptor.xml| ### Shortcut backups -During the publishing process, the App-V Client backs up any shortcuts and integration points to `%AppData%\Microsoft\AppV\Client\Integration\ShortCutBackups.` This backup enables the restoration of these integration points to the previous versions when the package is unpublished. +During the publishing process, the App-V Client backs up any shortcuts and integration points to %AppData%\Microsoft\AppV\Client\Integration\ShortCutBackups. This backup lets integration points restore to the previous versions when the package is unpublished. ### Copy on Write files -The Package Store contains a pristine copy of the package files that have been streamed from the publishing server. During normal operation of an App-V application, the user or service may require changes to the files. These changes are not made in the package store in order to preserve your ability to repair the application, which removes these changes. These locations, called Copy on Write (COW), support both roaming and non-roaming locations. The location where the modifications are stored depends where the application has been programmed to write changes to in a native experience. +The Package Store contains a pristine copy of the package files that have been streamed from the publishing server. During normal operation of an App-V application, the user or service may require changes to the files. However, these changes aren't made in the package store to preserve your ability to repair the application, which removes these changes. These locations, called Copy on Write (COW), support both roaming and non-roaming locations. The location where the modifications are stored depends where the application has been programmed to write changes to in a native experience. 
### COW roaming 
@@ -237,19 +131,17 @@ The COW Roaming location described above stores changes to files and directories ### COW local -The COW Local location is similar to the roaming location, but the directories and files are not roamed to other computers, even if roaming support has been configured. The COW Local location described above stores changes applicable to typical windows and not the %AppData% location. The directories listed will vary but there will be two locations for any typical Windows locations (e.g. Common AppData and Common AppDataS). The **S** signifies the restricted location when the virtual service requests the change as a different elevated user from the logged on users. The non-**S** location stores user based changes. - -## Package registry +The COW Local location is similar to the roaming location, but the directories and files are not roamed to other computers, even if roaming support has been configured. The COW Local location described above stores changes applicable to typical windows and not the %AppData% location. The directories listed will vary but there will be two locations for any typical Windows locations (for example, Common AppData and Common AppDataS). The **S** signifies the restricted location when the virtual service requests the change as a different elevated user from the signed-in users. The non-**S** location stores user-based changes. +## Package registry Before an application can access the package registry data, the App-V Client must make the package registry data available to the applications. The App-V Client uses the real registry as a backing store for all registry data. -When a new package is added to the App-V Client, a copy of the REGISTRY.DAT file from the package is created at `%ProgramData%\Microsoft\AppV\Client\VREG\{Version GUID}.dat`. The name of the file is the version GUID with the .DAT extension. 
The reason this copy is made is to ensure that the actual hive file in the package is never in use, which would prevent the removal of the package at a later time. +When a new package is added to the App-V Client, a copy of the REGISTRY.DAT file from the package is created at %ProgramData%\Microsoft\AppV\Client\VREG\{Version GUID}.dat. The name of the file is the version GUID with the .DAT extension. The reason this copy is made is to ensure that the actual hive file in the package is never in use, which would prevent the removal of the package at a later time. -**Registry.dat from Package Store** > **%ProgramData%\Microsoft\AppV\Client\Vreg\\{VersionGuid}.dat** -  +**Registry.dat from Package Store** > **%ProgramData%\Microsoft\AppV\Client\Vreg\\{VersionGUID}.dat** -When the first application from the package is launched on the client, the client stages or copies the contents out of the hive file, re-creating the package registry data in an alternate location `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\Packages\PackageGuid\Versions\VersionGuid\REGISTRY`. The staged registry data has two distinct types of machine data and user data. Machine data is shared across all users on the machine. User data is staged for each user to a userspecific location `HKCU\Software\Microsoft\AppV\Client\Packages\PackageGuid\Registry\User`. The machine data is ultimately removed at package removal time, and the user data is removed on a user unpublish operation. +When the first application from the package is launched on the client, the client stages or copies the contents out of the hive file, re-creating the package registry data in an alternate location under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\Packages\PackageGuid\Versions\VersionGUID\REGISTRY. The staged registry data has two distinct types of machine data and user data. Machine data is shared across all users on the machine. 
User data is staged for each user to a user-specific location HKCU\Software\Microsoft\AppV\Client\Packages\PackageGUID\Registry\User. The machine data is ultimately removed at package removal time, and the user data is removed on a user unpublish operation. ### Package registry staging vs. connection group registry staging 
@@ -259,190 +151,93 @@ The staged registry persists the same way as in the single package case. Staged ### Virtual registry -The purpose of the virtual registry (VREG) is to provide a single merged view of the package registry and the native registry to applications. It also provides copy-on-write (COW) functionality – that is any changes made to the registry from the context of a virtual process are made to a separate COW location. This means that the VREG must combine up to three separate registry locations into a single view based on the populated locations in the registry COW -> package -> native. When a request is made for a registry data it will locate in order until it finds the data it was requesting. Meaning if there is a value stored in a COW location it will not proceed to other locations, however, if there is no data in the COW location it will proceed to the Package and then Native location until it finds the appropriate data. +The purpose of the virtual registry (VREG) is to provide a single merged view of the package registry and the native registry to applications. It also provides copy-on-write (COW) functionality—that is, any changes made to the registry from the context of a virtual process are made to a separate COW location. This means that the VREG must combine up to three separate registry locations into a single view based on the populated locations in the **registry COW** > **package** > **native**. When a request is made for a registry data it will locate in order until it finds the data it was requesting. Meaning if there is a value stored in a COW location it will not proceed to other locations, however, if there is no data in the COW location it will proceed to the Package and then Native location until it finds the appropriate data. 
### Registry locations There are two package registry locations and two connection group locations where the App-V Client stores registry information, depending on whether the Package is published individually or as part of a connection group. There are three COW locations for packages and three for connection groups, which are created and managed by the VREG. Settings for packages and connection groups are not shared: -**Single Package VReg:** +#### Single Package VReg - ---- - - - - - - - - - - - - - - - - - - -

    Location

    Description

    COW

      -
    • Machine Registry\Client\Packages\PkgGUID\REGISTRY (Only elevate process can write)

    • -
    • User Registry\Client\Packages\PkgGUID\REGISTRY (User Roaming anything written under HKCU except Software\Classes

    • -
    • User Registry Classes\Client\Packages\PkgGUID\REGISTRY (HKCU\Software\Classes writes and HKLM for non elevated process)

    • -

    Package

      -
    • Machine Registry\Client\Packages\PkgGUID\Versions\VerGuid\Registry\Machine

    • -
    • User Registry Classes\Client\Packages\PkgGUID\Versions\VerGUID\Registry

    • -

    Native

      -
    • Native application registry location

    • -
    +The registries in the following table are located in the Registry\Client\Packages\PkgGUID\ folder. -  +|Location|Description| +|---|---| +|COW|- Machine Registry\Client\Packages\PkgGUID\REGISTRY (Only elevate process can write)
    - User Registry\Client\Packages\PkgGUID\REGISTRY (User Roaming anything written under HKCU except Software\Classes
    - User Registry Classes\Client\Packages\PkgGUID\REGISTRY (HKCU\Software\Classes writes and HKLM for non-elevated process)| +|Package|- Machine Registry\Client\Packages\PkgGUID\Versions\VerGuid\Registry\Machine
    - User Registry Classes\Client\Packages\PkgGUID\Versions\VerGUID\Registry| +|Native|- Native application registry location| -  +#### Connection Group VReg -**Connection Group VReg:** +The registries in the following table are located in the Machine Registry\Client\PackageGroups\GrpGUID\ and User Registry Classes\Client\PackageGroups\GrpGUID\ folders. - ---- - - - - - - - - - - - - - - - - - - -

    Location

    Description

    COW

      -
    • Machine Registry\Client\PackageGroups\GrpGUID\REGISTRY (only elevate process can write)

    • -
    • User Registry\Client\PackageGroups\GrpGUID\REGISTRY (Anything written to HKCU except Software\Classes

    • -
    • User Registry Classes\Client\PackageGroups\GrpGUID\REGISTRY

    • -

    Package

      -
    • Machine Registry\Client\PackageGroups\GrpGUID\Versions\VerGUID\REGISTRY

    • -
    • User Registry Classes\Client\PackageGroups\GrpGUID\Versions\VerGUID\REGISTRY

    • -

    Native

      -
    • Native application registry location

    • -
    +|Location|Description| +|---|---| +|COW|- Machine Registry\Client\PackageGroups\GrpGUID\REGISTRY (only elevate process can write)
    - User Registry\Client\PackageGroups\GrpGUID\REGISTRY (Anything written to HKCU except Software\Classes)
    - User Registry Classes\Client\PackageGroups\GrpGUID\REGISTRY| +|Package|- Machine Registry\Client\PackageGroups\GrpGUID\Versions\VerGUID\REGISTRY
    - User Registry Classes\Client\PackageGroups\GrpGUID\Versions\VerGUID\REGISTRY| +|Native|- Native application registry location| -  - -  - -There are two COW locations for HKLM; elevated and non-elevated processes. Elevated processes always write HKLM changes to the secure COW under HKLM. Non-elevated processes always write HKLM changes to the non-secure COW under HKCU\\Software\\Classes. When an application reads changes from HKLM, elevated processes will read changes from the secure COW under HKLM. Non-elevated reads from both, favoring the changes made in the unsecure COW first. +There are two COW locations for HKLM: elevated and non-elevated processes. Elevated processes always write HKLM changes to the secure COW under HKLM. Non-elevated processes always write HKLM changes to the non-secure COW under HKCU\\Software\\Classes. When an application reads changes from HKLM, elevated processes will read changes from the secure COW under HKLM. Non-elevated reads from both, favoring the changes made in the unsecure COW first. ### Pass-through keys -Pass-through keys enable an administrator to configure certain keys so they can only be read from the native registry, bypassing the Package and COW locations. Pass-through locations are global to the machine (not package specific) and can be configured by adding the path to the key, which should be treated as pass-through to the **REG\_MULTI\_SZ** value called **PassThroughPaths** of the key `HKLM\Software\Microsoft\AppV\Subsystem\VirtualRegistry`. Any key that appears under this multi-string value (and their children) will be treated as pass-through. +An administrator can use pass-through keys to configure certain keys to only be read from the native registry, bypassing the Package and COW locations. 
Pass-through locations are global to the machine (not package-specific) and can be configured by adding the path to the key, which should be treated as pass-through to the **REG\_MULTI\_SZ** value called **PassThroughPaths** of the key HKLM\Software\Microsoft\AppV\Subsystem\VirtualRegistry. Any key that appears under this multi-string value (and their children) will be treated as pass-through. The following locations are configured as pass-through locations by default: -- HKEY\_CURRENT\_USER\\SOFTWARE\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel +- HKEY\_CURRENT\_USER\\SOFTWARE\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel -- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel +- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel -- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT +- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT -- HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\services\\eventlog\\Application +- HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\services\\eventlog\\Application -- HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger +- HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger -- HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings +- HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings -- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib +- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib -- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies +- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies -- HKEY\_CURRENT\_USER\\SOFTWARE\\Policies +- HKEY\_CURRENT\_USER\\SOFTWARE\\Policies -The purpose of Pass-through keys is to ensure that a virtual application 
does not write registry data in the VReg that is required for non-virtual applications for successful operation or integration. The Policies key ensures that Group Policy based settings set by the administrator are utilized and not per package settings. The AppModel key is required for integration with Windows Modern UI based applications. It is recommend that administers do not modify any of the default pass-through keys, but in some instances, based on application behavior may require adding additional pass-through keys. +The purpose of pass-through keys is to ensure that a virtual application does not write registry data in the VReg that is required for non-virtual applications for successful operation or integration. The Policies key ensures that Group Policy-based settings set by the administrator are utilized and not per package settings. The AppModel key is required for integration with Windows Modern UI-based applications. Administers ideally should not modify any of the default pass-through keys, but in some instances, the admin may need to add additional pass-through keys to adjust application behavior. ## App-V package store behavior - App-V manages the Package Store, which is the location where the expanded asset files from the appv file are stored. By default, this location is stored at %ProgramData%\\App-V, and is limited in terms of storage capabilities only by free disk space. The package store is organized by the GUIDs for the package and version as mentioned in the previous section. ### Add packages -App-V Packages are staged upon addition to the computer with the App-V Client. The App-V Client provides on-demand staging. During publishing or a manual Add-AppVClientPackage, the data structure is built in the package store (c:\\programdata\\App-V\\{PkgGUID}\\{VerGUID}). 
The package files identified in the publishing block defined in the StreamMap.xml are added to the system and the top level folders and child files staged to ensure proper application assets exist at launch. +App-V Packages are staged upon addition to the computer with the App-V Client. The App-V Client provides on-demand staging. When publishing or manually entering the **Add-AppVClientPackage** cmdlet, the data structure is built in the package store (C:\\programdata\\App-V\\{PkgGUID}\\{VerGUID}). The package files identified in the publishing block defined in the StreamMap.xml file are added to the system, and the top level folders and child files are staged to ensure proper application assets exist at launch. ### Mounting packages -Packages can be explicitly loaded using the Windows PowerShell `Mount-AppVClientPackage` or by using the **App-V Client UI** to download a package. This operation completely loads the entire package into the package store. +Packages can be explicitly loaded by entering the **Mount-AppVClientPackage** PowerShell cmdlet or by using the **App-V Client UI** to download a package. This operation completely loads the entire package into the package store. ### Streaming packages -The App-V Client can be configured to change the default behavior of streaming. All streaming policies are stored under the following registry key: `HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Streaming`. Policies are set using the Windows PowerShell cmdlet `Set-AppvClientConfiguration`. The following policies apply to Streaming: +The App-V Client can be configured to change the default behavior of streaming. All streaming policies are stored under the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Streaming. Policies are set by entering the **Set-AppvClientConfiguration** PowerShell cmdlet. The following policies apply to streaming: - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    PolicyDescription

    AllowHighCostLaunch

    Allows streaming over 3G and cellular networks

    AutoLoad

    Specifies the Background Load setting:

    -

    0 - Disabled

    -

    1 – Previously Used Packages only

    -

    2 – All Packages

    PackageInstallationRoot

    The root folder for the package store in the local machine

    PackageSourceRoot

    The root override where packages should be streamed from

    SharedContentStoreMode

    Enables the use of Shared Content Store for VDI scenarios

    +|Policy|Description| +|---|---| +|AllowHighCostLaunch|Allows streaming over 3G and cellular networks| +|AutoLoad|Specifies the Background Load setting:
    0 – Disabled
    1 – Previously Used Packages only
    2 – All Packages| +|PackageInstallationRoot|The root folder for the package store in the local machine| +|PackageSourceRoot|The root override where packages should be streamed from| +|SharedContentStoreMode|Enables the use of Shared Content Store for VDI scenarios| -  +These settings affect the behavior of streaming App-V package assets to the client. By default, App-V only downloads the assets required after downloading the initial publishing and primary feature blocks. There are three specific behaviors in streaming packages that it's particularly important to understand: -  - -These settings affect the behavior of streaming App-V package assets to the client. By default, App-V only downloads the assets required after downloading the initial publishing and primary feature blocks. There are three specific behaviors around streaming packages that must be explained: - -- Background Streaming - -- Optimized Streaming - -- Stream Faults +- Background Streaming +- Optimized Streaming +- Stream Faults ### Background streaming -The Windows PowerShell cmdlet `Get-AppvClientConfiguration` can be used to determine the current mode for background streaming with the AutoLoad setting and modified with the cmdlet Set-AppvClientConfiguration or from the registry (HKLM\\SOFTWARE\\Microsoft\\AppV\\ClientStreaming key). Background streaming is a default setting where the Autoload setting is set to download previously used packages. The behavior based on default setting (value=1) downloads App-V data blocks in the background after the application has been launched. This setting can be disabled all together (value=0) or enabled for all packages (value=2), whether they have been launched. 
+The Windows PowerShell cmdlet **Get-AppvClientConfiguration** can be used to determine the current mode for background streaming with the AutoLoad setting and modified with either the **Set-AppvClientConfiguration** cmdlet or from the registry (HKLM\\SOFTWARE\\Microsoft\\AppV\\ClientStreaming key). Background streaming is a default setting where the Autoload setting is set to download previously used packages. The behavior based on default setting (value=1) downloads App-V data blocks in the background after the application has been launched. This setting can either be disabled altogether (value=0) or enabled for all packages (value=2), regardless of whether they have been launched. ### Optimized streaming 
@@ -454,74 +249,36 @@ After the initial stream of any publishing data and the primary feature block, r ### Package upgrades -App-V Packages require updating throughout the lifecycle of the application. App-V Package upgrades are similar to the package publish operation, as each version will be created in its own PackageRoot location: `%ProgramData%\App-V\{PkgGUID}\{newVerGUID}`. The upgrade operation is optimized by creating hard links to identical- and streamed-files from other versions of the same package. +App-V Packages require updating throughout the lifecycle of the application. App-V Package upgrades are like the package publish operation, as each version will be created in its own PackageRoot location: %ProgramData%\App-V\{PkgGUID}\{newVerGUID}. The upgrade operation is optimized by creating hard links to identical and streamed files from other versions of the same package. ### Package removal -The behavior of the App-V Client when packages are removed depends on the method used for removal. Using an App-V full infrastructure to unpublish the application, the user catalog files (machine catalog for globally published applications) are removed, but retains the package store location and COW locations. When the Windows PowerShell cmdlet `Remove-AppVClientPackge` is used to remove an App-V Package, the package store location is cleaned. Remember that unpublishing an App-V Package from the Management Server does not perform a Remove operation. Neither operation will remove the Package Store package files. - -## Roaming registry and data +The App-V Client's behavior when packages are removed depends on the package removal method. Using an App-V full infrastructure to unpublish the application, the user catalog files (machine catalog for globally published applications) are removed, but the package store location and COW locations remain. 
When the **Remove-AppVClientPackge** Windows PowerShell cmdlet is used to remove an App-V Package, the package store location is cleaned. Remember that unpublishing an App-V Package from the Management Server does not perform a Remove operation. Neither operation will remove the Package Store package files. +## Roaming registry and data App-V is able to provide a near-native experience when roaming, depending on how the application being used is written. By default, App-V roams AppData that is stored in the roaming location, based on the roaming configuration of the operating system. Other locations for storage of file-based data do not roam from computer to computer, since they are in locations that are not roamed. -### Roaming requirements and user catalog data storage +### Roaming requirements and user catalog data storage App-V stores data, which represents the state of the user’s catalog, in the form of: -- Files under %appdata%\\Microsoft\\AppV\\Client\\Catalog - -- Registry settings under `HKEY_CURRENT_USER\Software\Microsoft\AppV\Client\Packages` +- Files under %appdata%\\Microsoft\\AppV\\Client\\Catalog +- Registry settings under HKEY_CURRENT_USER\Software\Microsoft\AppV\Client\Packages Together, these files and registry settings represent the user’s catalog, so either both must be roamed, or neither must be roamed for a given user. App-V does not support roaming %AppData%, but not roaming the user’s profile (registry), or vice versa. -> [!NOTE] -> The **Repair-AppvClientPackage** cmdlet does not repair the publishing state of packages, where the user’s App-V state under `HKEY_CURRENT_USER` is missing or mismatched with the data in %appdata%. - -  +>[!NOTE] +>The **Repair-AppvClientPackage** cmdlet doesn't repair the publishing state of packages where the user’s App-V state under HKEY_CURRENT_USER is missing or mismatched with the data in %appdata%. ### Registry-based data App-V registry roaming falls into two scenarios, as shown in the following table. 
- ---- - - - - - - - - - - - - - - - - -
    ScenarioDescription

    Applications that are run as standard users

    When a standard user launches an App-V application, both HKLM and HKCU for App-V applications are stored in the HKCU hive on the machine. This presents as two distinct paths:

    -
      -
    • HKLM: HKCU\SOFTWARE\Classes\AppV\Client\Packages\\{PkgGUID}\REGISTRY\MACHINE\SOFTWARE

    • -
    • HKCU: HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\REGISTRY\USER\\{UserSID}\SOFTWARE

    • -
    -

    The locations are enabled for roaming based on the operating system settings.

    Applications that are run with elevation

    When an application is launched with elevation:

    -
      -
    • HKLM data is stored in the HKLM hive on the local computer

    • -
    • HKCU data is stored in the User Registry location

    • -
    -

    In this scenario, these settings are not roamed with normal operating system roaming configurations, and the resulting registry keys and values are stored in the following location:

    -
      -
    • HKLM\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\\{UserSID}\REGISTRY\MACHINE\SOFTWARE

    • -
    • HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\\Registry\User\\{UserSID}\SOFTWARE

    • -
    - -  +|Scenario|Description| +|---|---| +|Applications that are run as standard users|When a standard user launches an App-V application, both HKLM and HKCU for App-V applications are stored in the HKCU hive on the machine. This presents as two distinct paths:

    - HKLM's location is HKCU\SOFTWARE\Classes\AppV\Client\Packages\\{PkgGUID}\REGISTRY\MACHINE\SOFTWARE
    - HKCU's location is HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\REGISTRY\USER\\{UserSID}\SOFTWARE

    The locations are enabled for roaming based on the operating system settings.| +|Applications that are run with elevation|When an application is launched with elevation:

    - HKLM data is stored in the HKLM hive on the local computer
    - HKCU data is stored in the User Registry location

    In this scenario, these settings are not roamed with normal operating system roaming configurations, and the resulting registry keys and values are stored in the following locations:

    - HKLM's location is HKLM\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\\{UserSID}\REGISTRY\MACHINE\SOFTWARE
    - HKCU's location is HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\\Registry\User\\{UserSID}\SOFTWARE| ### App-V and folder redirection 
@@ -529,360 +286,317 @@ App-V supports folder redirection of the roaming AppData folder (%AppData%). Whe
 A typical package has several locations mapped in the user’s backing store for settings in both AppData\\Local and AppData\\Roaming. These locations are the Copy on Write locations that are stored per user in the user’s profile, and that are used to store changes made to the package VFS directories and to protect the default package VFS.
-The following table shows local and roaming locations, when folder redirection has not been implemented.
+The following table shows local and roaming locations when folder redirection has not been implemented.
 | VFS directory in package | Mapped location of backing store |
-| - | - |
+|---|---|
 | ProgramFilesX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\ProgramFilesX86 |
 | SystemX86 | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\SystemX86 |
 | Windows | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\Windows |
 | appv\_ROOT | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\appv_ROOT|
 | AppData | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\AppData |
-The following table shows local and roaming locations, when folder redirection has been implemented for %AppData%, and the location has been redirected (typically to a network location).
+The following table shows local and roaming locations when folder redirection has been implemented for %AppData% and the location has been redirected (typically to a network location).
| VFS directory in package | Mapped location of backing store | -| - | - | +|---|---| | ProgramFilesX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\ProgramFilesX86 | | SystemX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\SystemX86 | | Windows | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\Windows | | appv_ROOT | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\appv\_ROOT | | AppData | \\Fileserver\users\Local\roaming\Microsoft\AppV\Client\VFS\\<GUID>\AppData | -  -The current App-V Client VFS driver cannot write to network locations, so the App-V Client detects the presence of folder redirection and copies the data on the local drive during publishing and when the virtual environment starts. After the user closes the App-V application and the App-V Client closes the virtual environment, the local storage of the VFS AppData is copied back to the network, enabling roaming to additional machines, where the process will be repeated. The detailed steps of the processes are: +The current App-V Client VFS driver can't write to network locations, so the App-V Client detects the presence of folder redirection and copies the data on the local drive during publishing and when the virtual environment starts. After the user closes the App-V application and the App-V Client closes the virtual environment, the local storage of the VFS AppData is copied back to the network, enabling roaming to additional machines, where the process will be repeated. Here's what happens during the process: -1. During publishing or virtual environment startup, the App-V Client detects the location of the AppData directory. +1. During publishing or virtual environment startup, the App-V Client detects the location of the AppData directory. +2. If the roaming AppData path is local or ino AppData\\Roaming location is mapped, nothing happens. +3. 
If the roaming AppData path is not local, the VFS AppData directory is mapped to the local AppData directory. -2. If the roaming AppData path is local or ino AppData\\Roaming location is mapped, nothing happens. +This process solves the problem of a non-local %AppData% that is not supported by the App-V Client VFS driver. However, the data stored in this new location is not roamed with folder redirection. All changes during the running of the application happen to the local AppData location and must be copied to the redirected location. The process does the following things: -3. If the roaming AppData path is not local, the VFS AppData directory is mapped to the local AppData directory. +1. Shuts down the App-V application, which also shuts down the virtual environment. +2. Compresses the local cache of the roaming AppData location and store it in a .zip file. +3. Uses the time stamp at the end of the .zip packaging process to name the file. +4. Records the time stamp in the HKEY\_CURRENT\_USER\\Software\\Microsoft\\AppV\\Client\\Packages\\<GUID>\\AppDataTime registry as the last known AppData time stamp. +5. Calls the folder redirection process to evaluate and initiate the .zip file uploaded to the roaming AppData directory. -This process solves the problem of a non-local %AppData% that is not supported by the App-V Client VFS driver. However, the data stored in this new location is not roamed with folder redirection. All changes during the running of the application happen to the local AppData location and must be copied to the redirected location. The detailed steps of this process are: +The time stamp is used to determine a “last writer wins” scenario if there is a conflict and is used to optimize the download of the data when the App-V application is published, or the virtual environment is started. 
Folder redirection will make the data available from any other clients covered by the supporting policy and will initiate the process of storing the AppData\\Roaming data to the local AppData location on the client. Here's what happens during the process: -1. App-V application is shut down, which shuts down the virtual environment. +1. The user starts an application, which also starts the virtual environment. +2. The application’s virtual environment checks for the most recent time stamped .zip file, if present. +3. The virtual environment checks the registry for the last known uploaded time stamp, if present. +4. The virtual environment downloads the most recent .zip file unless the local last known upload time stamp is greater than or equal to the time stamp from the .zip file. +5. If the local last known upload time stamp is earlier than that of the most recent .zip file in the roaming AppData location, the virtual environment extracts the .zip file to the local temp directory in the user’s profile. +6. After the .zip file is successfully extracted, the local cache of the roaming AppData directory is renamed and the new data moved into place. +7. The renamed directory is deleted and the application opens with the most recently saved roaming AppData data. -2. The local cache of the roaming AppData location is compressed and stored in a ZIP file. +This completes the successful roaming of application settings that are present in AppData\\Roaming locations. The only other condition that must be addressed is a package repair operation. The process does the following things: -3. A timestamp at the end of the ZIP packaging process is used to name the file. +1. During repair, detects if the path to the user’s roaming AppData directory isn't local. +2. Maps the non-local roaming AppData path targets, recreating the expected roaming and local AppData locations. +3. Deletes the time stamp stored in the registry, if present. -4. 
The timestamp is recorded in the registry: HKEY\_CURRENT\_USER\\Software\\Microsoft\\AppV\\Client\\Packages\\<GUID>\\AppDataTime as the last known AppData timestamp. +This process will recreate both the local and network locations for AppData and remove the registry record of the time stamp. -5. The folder redirection process is called to evaluate and initiate the ZIP file uploaded to the roaming AppData directory. +## App-V Client application lifecycle management -The timestamp is used to determine a “last writer wins” scenario if there is a conflict and is used to optimize the download of the data when the App-V application is published or the virtual environment is started. Folder redirection will make the data available from any other clients covered by the supporting policy and will initiate the process of storing the AppData\\Roaming data to the local AppData location on the client. The detailed processes are: - -1. The user starts the virtual environment by starting an application. - -2. The application’s virtual environment checks for the most recent time stamped ZIP file, if present. - -3. The registry is checked for the last known uploaded timestamp, if present. - -4. The most recent ZIP file is downloaded unless the local last known upload timestamp is greater than or equal to the timestamp from the ZIP file. - -5. If the local last known upload timestamp is earlier than that of the most recent ZIP file in the roaming AppData location, the ZIP file is extracted to the local temp directory in the user’s profile. - -6. After the ZIP file is successfully extracted, the local cache of the roaming AppData directory is renamed and the new data is moved into place. - -7. The renamed directory is deleted and the application opens with the most recently saved roaming AppData data. - -This completes the successful roaming of application settings that are present in AppData\\Roaming locations. 
The only other condition that must be addressed is a package repair operation. The details of the process are: - -1. During repair, detect if the path to the user’s roaming AppData directory is not local. - -2. Map the non-local roaming AppData path targets are recreated the expected roaming and local AppData locations. - -3. Delete the timestamp stored in the registry, if present. - -This process will re-create both the local and network locations for AppData and remove the registry record of the timestamp. - -## App-V client application lifecycle management - - -In an App-V Full Infrastructure, after applications are sequenced they are managed and published to users or computers via the App-V Management and Publishing servers. This section details the operations that occur during the common App-V application lifecycle operations (Add, publishing, launch, upgrade, and removal) and the file and registry locations that are changed and modified from the App-V Client perspective. The App-V Client operations are performed as a series of Windows PowerShell commands initiated on the computer running the App-V Client. +In an App-V Full Infrastructure, after applications are sequenced they are managed and published to users or computers through the App-V Management and Publishing servers. This section details the operations that occur during the common App-V application lifecycle operations (Add, publishing, launch, upgrade, and removal) and the file and registry locations that are changed and modified from the App-V Client perspective. The App-V Client operations are input as PowerShell commands on the computer running the App-V Client. This document focuses on App-V Full Infrastructure solutions. For specific information on App-V Integration with Configuration Manager 2012, see [Integrating Virtual Application Management with App-V 5 and Configuration Manager 2012 SP1](https://www.microsoft.com/en-us/download/details.aspx?id=38177). 
-The App-V application lifecycle tasks are triggered at user login (default), machine startup, or as background timed operations. The settings for the App-V Client operations, including Publishing Servers, refresh intervals, package script enablement, and others, are configured (after the client is enabled) with Windows PowerShell commands. See [App-V Client Configuration Settings: Windows PowerShell](appv-client-configuration-settings.md#app-v-client-configuration-settings-windows-powershell). +The App-V application lifecycle tasks are triggered at user sign in (default), machine startup, or as background timed operations. The settings for the App-V Client operations, including Publishing Servers, refresh intervals, package script enablement, and others, are configured (after the client is enabled) with Windows PowerShell commands. See [App-V Client Configuration Settings: Windows PowerShell](appv-client-configuration-settings.md#app-v-client-configuration-settings-windows-powershell). ### Publishing refresh -The publishing refresh process is comprised of several smaller operations that are performed on the App-V Client. Since App-V is an application virtualization technology and not a task scheduling technology, the Windows Task Scheduler is utilized to enable the process at user logon, machine startup, and at scheduled intervals. The configuration of the client during setup listed above is the preferred method when distributing the client to a large group of computers with the correct settings. These client settings can be configured with the following Windows PowerShell cmdlets: +The publishing refresh process comprises several smaller operations that are performed on the App-V Client. Since App-V is an application virtualization technology and not a task scheduling technology, the Windows Task Scheduler is utilized to enable the process when the user signs in, the machine turns on, and at scheduled intervals. 
The client configuration during setup listed in the previous section is the preferred method when distributing the client to a large group of computers with the correct settings. These client settings can be configured with the following Windows PowerShell cmdlets: -- **Add-AppVPublishingServer:** Configures the client with an App-V Publishing Server that provides App-V packages. +- **Add-AppVPublishingServer** configures the client with an App-V Publishing Server that provides App-V packages. +- **Set-AppVPublishingServer** modifies the current settings for the App-V Publishing Server. +- **Set-AppVClientConfiguration** modifies the currents settings for the App-V Client. +- **Sync-AppVPublishingServer** initiates an App-V Publishing Refresh process manually. This is also utilized in the scheduled tasks created during configuration of the publishing server. -- **Set-AppVPublishingServer:** Modifies the current settings for the App-V Publishing Server. +The following sections will elaborate what goes on during the publishing refresh process. -- **Set-AppVClientConfiguration:** Modifies the currents settings for the App-V Client. +#### Adding an App-V package -- **Sync-AppVPublishingServer:** Initiates an App-V Publishing Refresh process manually. This is also utilized in the scheduled tasks created during configuration of the publishing server. +Adding an App-V package to the client is the first step of the publishing refresh process. The end result is the same as the **Add-AppVClientPackage** cmdlet in Windows PowerShell, except the publishing refresh add process contacts the configured publishing server and passes a high-level list of applications back to the client to pull more detailed information, rather than just doing a single package add operation. -The focus of the following sections is to detail the operations that occur during different phases of an App-V Publishing Refresh. 
The topics include: +The process then configures the client for package or connection group additions or updates, then accesses the appv file. Next, the contents of the appv file are expanded and placed on the local operating system in the appropriate locations. The following is a detailed workflow of the process, assuming the package is configured for Fault Streaming. -- Adding an App-V Package +#### How to add an App-V package -- Publishing an App-V Package +1. Initiate installation manually through Windows PowerShell or Task Sequence initiation of the Publishing Refresh process. -### Adding an App-V package + 1. The App-V Client makes an HTTP connection and requests a list of applications based on the target. The Publishing refresh process supports targeting machines or users. -Adding an App-V package to the client is the first step of the publishing refresh process. The end result is the same as the `Add-AppVClientPackage` cmdlet in Windows PowerShell, except during the publishing refresh add process, the configured publishing server is contacted and passes a high-level list of applications back to the client to pull more detailed information and not a single package add operation. The process continues by configuring the client for package or connection group additions or updates, then accesses the appv file. Next, the contents of the appv file are expanded and placed on the local operating system in the appropriate locations. The following is a detailed workflow of the process, assuming the package is configured for Fault Streaming. + 2. The App-V Publishing Server uses the identity of the initiating target, user or machine, and queries the database for a list of entitled applications. The list of applications is provided as an XML response, which the client uses to send additional requests to the server for more information on a per-package basis. -**How to add an App-V package** +2. 
The Publishing Agent on the App-V Client will evaluate any connection groups that are unpublished or disabled, since package version updates that are part of the connection group cannot be processed. -1. Manual initiation via Windows PowerShell or Task Sequence initiation of the Publishing Refresh process. +3. Configure the packages by identifying the **Add** or **Update** operations. - 1. The App-V Client makes an HTTP connection and requests a list of applications based on the target. The Publishing refresh process supports targeting machines or users. + 1. The App-V Client utilizes the AppX API from Windows and accesses the appv file from the publishing server. - 2. The App-V Publishing Server uses the identity of the initiating target, user or machine, and queries the database for a list of entitled applications. The list of applications is provided as an XML response, which the client uses to send additional requests to the server for more information on a per package basis. + 2. The package file is opened and the **AppXManifest.xml** and **StreamMap.xml** files are downloaded to the Package Store. -2. The Publishing Agent on the App-V Client performs all actions below serialized. + 3. Completely stream publishing block data defined in the **StreamMap.xml** file. Publishing block data is stored in Package Store\\PkgGUID\\VerGUID\\Root. - Evaluate any connection groups that are unpublished or disabled, since package version updates that are part of the connection group cannot be processed. + - Icons: Targets of extension points. + - Portable Executable Headers (PE Headers): Targets of extension points that contain the base information about the image need on disk, accessed directly or through file types. + - Scripts: Download scripts directory for use throughout the publishing process. -3. Configure the packages by identifying an Add or Update operations. + 4. Populate the Package store by doing the following: - 1. 
The App-V Client utilizes the AppX API from Windows and accesses the appv file from the publishing server. + 1. Create sparse files on disk that represent the extracted package for any directories listed. - 2. The package file is opened and the AppXManifest.xml and StreamMap.xml are downloaded to the Package Store. + 2. Stage top-level files and directories under root. - 3. Completely stream publishing block data defined in the StreamMap.xml. Stores the publishing block data in the Package Store\\PkgGUID\\VerGUID\\Root. + All other files are created when the directory is listed as sparse on disk and streamed on demand. - - Icons: Targets of extension points. + 5. Create the machine catalog entries. Create the **Manifest.xml** and **DeploymentConfiguration.xml** files from the package files (if no **DeploymentConfiguration.xml** file in the package a placeholder is created). - - Portable Executable Headers (PE Headers): Targets of extension points that contain the base information about the image need on disk, directly accessed or via file types. + 6. Create location of the package store in the registry **HKLM\\Software\\Microsoft\\AppV\\Client\\Packages\\PkgGUID\\Versions\\VerGUID\\Catalog**. - - Scripts: Download scripts directory for use throughout the publishing process. + 7. Create the **Registry.dat** file from the package store to **%ProgramData%\\Microsoft\\AppV\\Client\\VReg\\{VersionGUID}.dat**. - 4. Populate the Package store: + 8. Register the package with the App-V Kernal Mode Driver at **HKLM\\Microsoft\\Software\\AppV\\MAV**. - 1. Create sparse files on disk that represent the extracted package for any directories listed. + 9. Invoke scripting from the **AppxManifest.xml** or **DeploymentConfig.xml** file for Package Add timing. - 2. Stage top level files and directories under root. +4. Configure Connection Groups by adding and enabling or disabling. - 3. 
All other files are created when the directory is listed as sparse on disk and streamed on demand. +5. Remove objects that are not published to the target (user or machine). - 5. Create the machine catalog entries. Create the Manifest.xml and DeploymentConfiguration.xml from the package files (if no DeploymentConfiguration.xml file in the package a placeholder is created). + >[!NOTE] + >This will not perform a package deletion but rather remove integration points for the specific target (user or machine) and remove user catalog files (machine catalog files for globally published). - 6. Create location of the package store in the registry HKLM\\Software\\Microsoft\\AppV\\Client\\Packages\\PkgGUID\\Versions\\VerGUID\\Catalog +6. Invoke background load mounting based on client configuration. - 7. Create the Registry.dat file from the package store to %ProgramData%\\Microsoft\\AppV\\Client\\VReg\\{VersionGUID}.dat +7. Packages that already have publishing information for the machine or user are immediately restored. - 8. Register the package with the App-V Kernal Mode Driver HKLM\\Microsoft\\Software\\AppV\\MAV + >[!NOTE] + >This condition occurs as a product of removal without unpublishing with background addition of the package. - 9. Invoke scripting from the AppxManifest.xml or DeploymentConfig.xml file for Package Add timing. +This completes an App-V package add for the publishing refresh process. The next step is publishing the package to a specific target (machine or user). -4. Configure Connection Groups by adding and enabling or disabling. +![Package add file and registry data](images/packageaddfileandregistrydata.png) -5. Remove objects that are not published to the target (user or machine). +**Package add file and registry data** - > [!NOTE] - > This will not perform a package deletion but rather remove integration points for the specific target (user or machine) and remove user catalog files (machine catalog files for globally published). 
+#### Publishing an App-V package -   +During the Publishing Refresh operation, the specific publishing operation, **Publish-AppVClientPackage**, adds entries to the user catalog, maps entitlement to the user, identifies the local store, and finishes by completing any integration steps. -6. Invoke background load mounting based on client configuration. +#### How to publish an App-V package -7. Packages that already have publishing information for the machine or user are immediately restored. +1. Package entries are added to the user catalog - > [!NOTE]    - > This condition occurs as a product of removal without unpublishing with background addition of the package. + 1. User targeted packages: the **UserDeploymentConfiguration.xml** and **UserManifest.xml** files are placed on the machine in the User Catalog. -   + 2. Machine targeted (global) packages: the **UserDeploymentConfiguration.xml** is placed in the Machine Catalog. -This completes an App-V package add of the publishing refresh process. The next step is publishing the package to the specific target (machine or user). +2. Register the package with the kernel mode driver for the user at **HKLM\\Software\\Microsoft\\AppV\\MAV**. -![package add file and registry data](images/packageaddfileandregistrydata.png) +3. Perform integration tasks. -### Publishing an App-V package + 1. Create extension points. -During the Publishing Refresh operation, the specific publishing operation (Publish-AppVClientPackage) adds entries to the user catalog, maps entitlement to the user, identifies the local store, and finishes by completing any integration steps. The following are the detailed steps. + 2. Store backup information in the user’s registry and roaming profile (Shortcut Backups). -**How to publish and App-V package** + >[!NOTE] + >This enables restore extension points if the package is unpublished. -1. Package entries are added to the user catalog + 3. Run scripts targeted for publishing timing. - 1. 
User targeted packages: the UserDeploymentConfiguration.xml and UserManifest.xml are placed on the machine in the User Catalog - - 2. Machine targeted (global) packages: the UserDeploymentConfiguration.xml is placed in the Machine Catalog - -2. Register the package with the kernel mode driver for the user at HKLM\\Software\\Microsoft\\AppV\\MAV - -3. Perform integration tasks. - - 1. Create extension points. - - 2. Store backup information in the user’s registry and roaming profile (Shortcut Backups). - - **Note**   - This enables restore extension points if the package is unpublished. - -   - - 3. Run scripts targeted for publishing timing. - -Publishing an App-V Package that is part of a Connection Group is very similar to the above process. For connection groups, the path that stores the specific catalog information includes PackageGroups as a child of the Catalog Directory. Review the machine and users catalog information above for details. +Publishing an App-V Package that is part of a Connection Group is very similar to the above process. For connection groups, the path that stores the specific catalog information includes PackageGroups as a child of the Catalog Directory. Review the Machine and User Catalog information in the preceding sections for details. ![package add file and registry data - global](images/packageaddfileandregistrydata-global.png) +**Package add file and registry data—global** + ### Application launch -After the Publishing Refresh process, the user launches and subsequently re-launches an App-V application. The process is very simple and optimized to launch quickly with a minimum of network traffic. The App-V Client checks the path to the user catalog for files created during publishing. After rights to launch the package are established, the App-V Client creates a virtual environment, begins streaming any necessary data, and applies the appropriate manifest and deployment configuration files during virtual environment creation. 
With the virtual environment created and configured for the specific package and application, the application starts. +After the Publishing Refresh process, the user launches and then relaunches an App-V application. The App-V Client checks the path to the user catalog for files created during publishing. After establishing rights to launch the package, the App-V Client creates a virtual environment, begins streaming any necessary data, and applies the appropriate manifest and deployment configuration files during virtual environment creation. Once the virtual environment created and configured for the specific package and application, the application starts. This might seem like a lot, but the process in action is actually quite fast, and is optimized to minimize network traffic. -**How to launch App-V applications** +#### How to launch App-V applications -1. User launches the application by clicking on a shortcut or file type invocation. +1. User launches the application by selecting a shortcut or file type invocation. -2. The App-V Client verifies existence in the User Catalog for the following files +2. The App-V Client verifies existence in the User Catalog for the following files - - UserDeploymentConfiguration.xml + - **UserDeploymentConfiguration.xml** + - **UserManifest.xml** - - UserManifest.xml +3. If the files are present, the application is entitled for that specific user and the application will start the process for launch. There is no network traffic at this point. -3. If the files are present, the application is entitled for that specific user and the application will start the process for launch. There is no network traffic at this point. +4. Next, the App-V Client checks that the path for the package registered for the App-V Client service is found in the registry. -4. Next, the App-V Client checks that the path for the package registered for the App-V Client service is found in the registry. +5. 
Upon finding the path to the package store, the virtual environment is created. If this is the first launch, the Primary Feature Block downloads if present. -5. Upon finding the path to the package store, the virtual environment is created. If this is the first launch, the Primary Feature Block downloads if present. +6. After downloading, the App-V Client service consumes the manifest and deployment configuration files to configure the virtual environment and all App-V subsystems are loaded. -6. After downloading, the App-V Client service consumes the manifest and deployment configuration files to configure the virtual environment and all App-V subsystems are loaded. - -7. The Application launches. For any missing files in the package store (sparse files), App-V will stream fault the files on an as needed basis. +7. The Application launches. For any missing files in the package store (sparse files), App-V will stream fault the files on an as-needed basis. ![package add file and registry data - stream](images/packageaddfileandregistrydata-stream.png) + **Package add file and registry data—stream** + ### Upgrading an App-V package -The App-V package upgrade process differs from the older versions of App-V. App-V supports multiple versions of the same package on a machine entitled to different users. Package versions can be added at any time as the package store and catalogs are updated with the new resources. The only process specific to the addition of new version resources is storage optimization. During an upgrade, only the new files are added to the new version store location and hard links are created for unchanged files. This reduces the overall storage by only presenting the file on one disk location and then projecting it into all folders with a file location entry on the disk. The specific details of upgrading an App-V Package are as follows: +The current version of App-V's package upgrade process differs from the older versions in its storage optimization. 
App-V supports multiple versions of the same package on a machine entitled to different users. Package versions can be added at any time, as the package store and catalogs are updated with the new resources. During an upgrade in the new version, only new files are added to the new version store location, and hard links are created for unchanged files. This reduces overall storage by only presenting the file on one disk location, then projecting it into all folders with a file location entry on the disk. -**How to upgrade an App-V package** +#### How to upgrade an App-V package -1. The App-V Client performs a Publishing Refresh and discovers a newer version of an App-V Package. +1. The App-V Client performs a Publishing Refresh and discovers a newer version of an App-V Package. -2. Package entries are added to the appropriate catalog for the new version +2. Package entries are added to the appropriate catalog for the new version. - 1. User targeted packages: the UserDeploymentConfiguration.xml and UserManifest.xml are placed on the machine in the user catalog at appdata\\roaming\\Microsoft\\AppV\\Client\\Catalog\\Packages\\PkgGUID\\VerGUID + 1. User targeted packages: the **UserDeploymentConfiguration.xml** and **UserManifest.xml** files are placed on the machine in the user catalog at **appdata\\roaming\\Microsoft\\AppV\\Client\\Catalog\\Packages\\PkgGUID\\VerGUID**. - 2. Machine targeted (global) packages: the UserDeploymentConfiguration.xml is placed in the machine catalog at %programdata%\\Microsoft\\AppV\\Client\\Catalog\\Packages\\PkgGUID\\VerGUID + 2. Machine targeted (global) packages: the **UserDeploymentConfiguration.xml** is placed in the machine catalog at **%programdata%\\Microsoft\\AppV\\Client\\Catalog\\Packages\\PkgGUID\\VerGUID**. -3. Register the package with the kernel mode driver for the user at HKLM\\Software\\Microsoft\\AppV\\MAV +3. Register the package with the kernel mode driver for the user at **HKLM\\Software\\Microsoft\\AppV\\MAV**. -4. 
Perform integration tasks. +4. Perform integration tasks. 1. Integrate extensions points (EP) from the Manifest and Dynamic Configuration files. - 2. File based EP data is stored in the AppData folder utilizing Junction Points from the package store. + 2. File based EP data is stored in the AppData folder utilizing Junction Points from the package store. - 3. Version 1 EPs already exist when a new version becomes available. + 3. Version 1 EPs already exist when a new version becomes available. - 4. The extension points are switched to the Version 2 location in machine or user catalogs for any newer or updated extension points. + 4. The extension points are switched to the Version 2 location in machine or user catalogs for any newer or updated extension points. -5. Run scripts targeted for publishing timing. +5. Run scripts targeted for publishing timing. -6. Install Side by Side assemblies as required. +6. Install Side-by-Side assemblies as required. ### Upgrading an in-use App-V package -If you try to upgrade a package that is in use by an end user, the upgrade task is placed in a pending state. The upgrade will run later, according to the following rules: +If you try to upgrade a package that is currently in use, the upgrade task is placed in a pending state. The upgrade will run later, according to the following rules: | Task type | Applicable rule | -| - | - | -| User-based task, e.g., publishing a package to a user | The pending task will be performed after the user logs off and then logs back on. | -| Globally based task, e.g., enabling a connection group globally | The pending task will be performed when the computer is shut down and then restarted. | +|---|---| +| User-based tasks, such as publishing a package to a user | The pending task will be performed after the user logs off and then logs back on. 
| +| Globally based tasks, such as enabling a connection group globally | The pending task will be performed when the computer is shut down and then restarted. | -When a task is placed in a pending state, the App-V client also generates a registry key for the pending task, as follows: +When a task is placed in a pending state, the App-V Client also generates a registry key for the pending task, as follows: | User-based or globally based task | Where the registry key is generated | -| - | - | +|---|---| | User-based tasks | HKEY\_CURRENT\_USER\Software\Microsoft\AppV\Client\PendingTasks | | Globally based tasks | HKEY\_LOCAL\_MACHINE\Software\Microsoft\AppV\Client\PendingTasks | The following operations must be completed before users can use the newer version of the package: | Task | Details | -| - | - | -| Add the package to the computer | This task is computer specific and you can perform it at any time by completing the steps in the Package Add section above. | -| Publish the package | See the Package Publishing section above for steps. This process requires that you update extension points on the system. End users cannot be using the application when you complete this task. | +|---|---| +| Add the package to the computer | This task is computer-specific and you can perform it at any time by completing the steps in [How to add an App-V package](#how-to-add-an-app-v-package). | +| Publish the package | See the Package Publishing section above for steps. This process requires that you update extension points on the system. You can't complete this task while the application is in use. | Use the following example scenarios as a guide for updating packages. | Scenario | Requirements | -| - | - | +|---|---| | App-V package is not in use when you try to upgrade | None of the following components of the package can be in use: virtual application, COM server, or shell extensions.

    The administrator publishes a newer version of the package and the upgrade works the next time a component or application inside the package is launched. The new version of the package is streamed and ran. | -| App-V package is in use when the administrator publishes a newer version of the package | The upgrade operation is set to pending by the App-V Client, which means that it is queued and carried out later when the package is not in use.

    If the package application is in use, the user shuts down the virtual application, after which the upgrade can occur.

    If the package has shell extensions, which are permanently loaded by Windows Explorer, the user cannot be logged in. Users must log off and the log back in to initiate the App-V package upgrade.| +| App-V package is in use when the administrator publishes a newer version of the package | The App-V Client sets the operation to "pending," which means that it is queued and will be carried out later when the package is not in use.

    If the package application is in use, the user shuts down the virtual application, after which the upgrade can occur.

    If the package has shell extensions, which are permanently loaded by Windows Explorer, the user won't be able to sign in. Users must sign off and then sign back in to initiate the App-V package upgrade.| -  -### Global vs user publishing +### Global vs. user publishing -App-V Packages can be published in one of two ways; User which entitles an App-V package to a specific user or group of users and Global which entitles the App-V package to the entire machine for all users of the machine. Once a package upgrade has been pended and the App-V package is not in use, consider the two types of publishing: +App-V Packages can be published in one of two ways; as user, which entitles an App-V package to a specific user or group of users, or as global, which entitles the App-V package to the entire machine for all users of the machine. Once a package upgrade has been pended and the App-V package is not in use, consider the two types of publishing: -- **Globally published**: the application is published to a machine; all users on that machine can use it. The upgrade will happen when the App-V Client Service starts, which effectively means a machine restart. - -- **User published**: the application is published to a user. If there are multiple users on the machine, the application can be published to a subset of the users. The upgrade will happen when the user logs in or when it is published again (periodically, ConfigMgr Policy refresh and evaluation, or an App-V periodic publishing/refresh, or explicitly via Windows PowerShell commands). +- Global publishing is when the application is published to a machine; all users on that machine can use it. The upgrade will happen when the App-V Client Service starts, which effectively means a machine restart. +- User publishing is when the application is published to a user. If there are multiple users on the machine, the application can be published to a subset of the users. 
The upgrade will happen when the user signs in or when it is published again (periodically, ConfigMgr Policy refresh and evaluation, or an App-V periodic publishing/refresh, or explicitly through Windows PowerShell commands). ### Removing an App-V package -Removing App-V applications in a Full Infrastructure is an unpublish operation, and does not perform a package removal. The process is the same as the publish process above, but instead of adding the removal process reverses the changes that have been made for App-V Packages. +Removing App-V applications in a Full Infrastructure is an unpublish operation and does not perform a package removal. The process is the same as the publish process above, but instead of adding the removal process reverses the changes that have been made for App-V Packages. ### Repairing an App-V package -The repair operation is very simple but may affect many locations on the machine. The previously mentioned Copy on Write (COW) locations are removed, and extension points are de-integrated and then re-integrated. Please review the COW data placement locations by reviewing where they are registered in the registry. This operation is done automatically and there is no administrative control other than initiating a Repair operation from the App-V Client Console or via Windows PowerShell (Repair-AppVClientPackage). +The repair operation is easy to do but may affect many locations on the machine. The previously mentioned Copy on Write (COW) locations are removed, and extension points are deintegrated and then reintegrated. Before repairing, please review where the COW data placement locations are registered in the registry. To perform a Repair operation, all you need to do is initiate it from the App-V Client Console or through the **Repair-AppVClientPackage** PowerShell cmdlet. After that, the operation is completed automatically. 
## Integration of App-V packages - The App-V Client and package architecture provides specific integration with the local operating system during the addition and publishing of packages. Three files define the integration or extension points for an App-V Package: -- AppXManifest.xml: Stored inside of the package with fallback copies stored in the package store and the user profile. Contains the options created during the sequencing process. - -- DeploymentConfig.xml: Provides configuration information of computer and user based integration extension points. - -- UserConfig.xml: A subset of the Deploymentconfig.xml that only provides user- based configurations and only targets user-based extension points. +- AppXManifest.xml is stored inside of the package with fallback copies stored in the package store and the user profile. Contains the options created during the sequencing process. +- DeploymentConfig.xml provides configuration information of computer- and user-based integration extension points. +- UserConfig.xml is a subset of the Deploymentconfig.xml file that only provides user-based configurations and only targets user-based extension points. ### Rules of integration -When App-V applications are published to a computer with the App-V Client, some specific actions take place as described in the list below: +When App-V applications are published to a computer with the App-V Client, some specific actions take place as described in the following list: -- Global Publishing: Shortcuts are stored in the All Users profile location and other extension points are stored in the registry in the HKLM hive. +- Global Publishing: Shortcuts are stored in the All Users profile location and other extension points are stored in the registry in the HKLM hive. +- User Publishing: Shortcuts are stored in the current user account profile and other extension points are stored in the registry in the HKCU hive. 
+- Backup and Restore: Existing native application data and registry (such as FTA registrations) are backed up during publishing. -- User Publishing: Shortcuts are stored in the current user account profile and other extension points are stored in the registry in the HKCU hive. - -- Backup and Restore: Existing native application data and registry (such as FTA registrations) are backed up during publishing. - - 1. App-V packages are given ownership based on the last integrated package where the ownership is passed to the newest published App-V application. - - 2. Ownership transfers from one App-V package to another when the owning App-V package is unpublished. This will not initiate a restore of the data or registry. - - 3. Restore the backed up data when the last package is unpublished or removed on a per extension point basis. + 1. App-V packages are given ownership based on the last integrated package where the ownership is passed to the newest published App-V application. + 2. Ownership transfers from one App-V package to another when the owning App-V package is unpublished. This will not initiate a restore of the data or registry. + 3. Restore the backed-up data when the last package is unpublished or removed on a per-extension point basis. ### Extension points -The App-V publishing files (manifest and dynamic configuration) provide several extension points that enable the application to integrate with the local operating system. These extension points perform typical application installation tasks, such as placing shortcuts, creating file type associations, and registering components. As these are virtualized applications that are not installed in the same manner a traditional application, there are some differences. The following is a list of extension points covered in this section: +The App-V publishing files (manifest and dynamic configuration) provide several extension points to integrate the application with the local operating system. 
These extension points perform typical application installation tasks, such as placing shortcuts, creating file type associations, and registering components. As these are virtualized applications that are not installed in the same manner a traditional application, there are some differences. The following is a list of extension points covered in this section: -- Shortcuts - -- File Type Associations - -- Shell Extensions - -- COM - -- Software Clients - -- Application capabilities - -- URL Protocol Handler - -- AppPath - -- Virtual Application +- Shortcuts +- File type associations +- Shell extensions +- COM +- Software clients +- Application capabilities +- URL Protocol handler +- AppPath +- Virtual application ### Shortcuts -The short cut is one of the basic elements of integration with the OS and is the interface for direct user launch of an App-V application. During the publishing and unpublishing of App-V applications. +The shortcut is one of the basic elements of integration with the OS and is the interface for direct user launch of an App-V application. During the publishing and unpublishing of App-V applications. -From the package manifest and dynamic configuration XML files, the path to a specific application executable can be found in a section similar to the following: +From the package manifest and dynamic configuration XML files, the path to a specific application executable can be found in a section like the following: -``` syntax +```XML [{Common Desktop}]\Adobe Reader.lnk 
@@ -900,9 +614,9 @@ As mentioned previously, the App-V shortcuts are placed by default in the user
 ### File type associations
-The App-V Client manages the local operating system File Type Associations during publishing, which enables users to use file type invocations or to open a file with a specifically registered extension (.docx) to start an App-V application. File type associations are present in the manifest and dynamic configuration files as represented in the example below:
+Users can use file type invocations or open a file with a specifically registered extension (.docx) to start an App-V application because the App-V Client manages the local operating system File Type Associations during publishing. File type associations are present in the manifest and dynamic configuration files, as shown in the following example:
-``` syntax
+```XML
@@ -939,63 +653,52 @@ The App-V Client manages the local operating system File Type Associations durin ``` -**Note**   -In this example: - -- `.xdp` is the extension - -- `AcroExch.XDPDoc` is the ProgId value (which points to the adjoining ProgId) - -- `"[{AppVPackageRoot}]\Reader\AcroRd32.exe" "%1"` is the command line, which points to the application executable - -  +>[!NOTE] +>In this example: +>- `.xdp` is the extension +>- `AcroExch.XDPDoc` is the ProgId value (which points to the adjoining ProgId) +>- `"[{AppVPackageRoot}]\Reader\AcroRd32.exe" "%1"` is the command line, which points to the application executable ### Shell extensions Shell extensions are embedded in the package automatically during the sequencing process. When the package is published globally, the shell extension gives users the same functionality as if the application were locally installed. The application requires no additional setup or configuration on the client to enable the shell extension functionality. -**Requirements for using shell extensions:** +#### Requirements for using shell extensions -- Packages that contain embedded shell extensions must be published globally. - -- The “bitness” of the application, Sequencer, and App-V client must match, or the shell extensions won’t work. For example: - - - The version of the application is 64-bit. - - - The Sequencer is running on a 64-bit computer. - - - The package is being delivered to a 64-bit App-V client computer. +- Packages that contain embedded shell extensions must be published globally. +- The “bitness” of the application, Sequencer, and App-V Client must match, or the shell extensions won’t work. The following example configuration fulfills the matching requirement: + - The version of the application is 64-bit. + - The Sequencer is running on a 64-bit computer. + - The package is being delivered to a 64-bit App-V Client computer. The following table displays the supported shell extensions. 
| Handler | Description | -| - | - | +|---|---| | Context menu handler | Adds menu items to the context menu. It is called before the context menu is displayed. | | Drag-and-drop handler | Controls the action upon right-click drag-and-drop and modifies the context menu that appears. | -| Drop target handler | Controls the action after a data object is dragged-and-dropped over a drop target such as a file.| +| Drop target handler | Controls the action after a data object is dragged-and-dropped over a drop target, such as a file.| | Data object handler| Controls the action after a file is copied to the clipboard or dragged-and-dropped over a drop target. It can provide additional clipboard formats to the drop target.| | Property sheet handler| Replaces or adds pages to the property sheet dialog box of an object.| -| Infotip handler| Allows retrieving flags and infotip information for an item and displaying it inside a popup tooltip upon mouse- hover.| +| Infotip handler| Allows retrieving flags and infotip information for an item and displaying it inside a popup tooltip upon mouse-hover.| | Column handler| Allows creating and displaying custom columns in Windows Explorer *Details view*. It can be used to extend sorting and grouping.| | Preview handler| Enables a preview of a file to be displayed in the Windows Explorer Preview Pane.| -  - ### COM The App-V Client supports publishing applications with support for COM integration and virtualization. COM integration allows the App-V Client to register COM objects on the local operating system and virtualization of the objects. For the purposes of this document, the integration of COM objects requires additional detail. -App-V supports registering COM objects from the package to the local operating system with two process types: Out-of-process and in-process. 
Registering COM objects is accomplished with one or a combination of multiple modes of operation for a specific App-V package that includes off, Isolated, and Integrated. The integrated mode is configured for either the out-of-process or in-process type. Configuration of COM modes and types is accomplished with dynamic configuration files (deploymentconfig.xml or userconfig.xml). +App-V supports registering COM objects from the package to the local operating system with two process types: Out-of-process and In-process. Registering COM objects is accomplished with one or a combination of multiple modes of operation for a specific App-V package that includes Off, Isolated, and Integrated. Integrated mode is configured for either the Out-of-process or In-process type. Configuration of COM modes and types is accomplished with dynamic configuration files (deploymentconfig.xml or userconfig.xml). For details on App-V integration, see [Microsoft Application Virtualization 5.0 Integration](https://blogs.technet.microsoft.com/appv/2013/01/03/microsoft-application-virtualization-5-0-integration). ### Software clients and application capabilities -App-V supports specific software clients and application capabilities extension points that enable virtualized applications to be registered with the software client of the operating system. This enables users to select default programs for operations like email, instant messaging, and media player. This operation is performed in the control panel with the Set Program Access and Computer Defaults, and configured during sequencing in the manifest or dynamic configuration files. Application capabilities are only supported when the App-V applications are published globally. +App-V supports specific software clients and application capabilities extension points to register virtualized applications with the operating system's software client. 
This means users can select default programs for operations like email, instant messaging, and using the media player. This operation is performed in the control panel with **Set Program Access** and **Computer Defaults**, and is configured during sequencing in the manifest or dynamic configuration files. Application capabilities are only supported when the App-V applications are published globally. -Example of software client registration of an App-V based mail client. +The following is an example of software client registration of an App-V-based mail client. -``` syntax +```XML 
@@ -1035,154 +738,68 @@ Example of software client registration of an App-V based mail client. ``` -**Note**   -In this example: - -- `` is the overall Software Clients setting to integrate Email clients - -- `` is the flag to set a particular Email client as the default Email client - -- `[{ProgramFilesX86}]\Mozilla Thunderbird\mozMapi32_InUse.dll` is the MAPI dll registration - -  +>[!NOTE] +>In this example: +>- `` is the overall Software Clients setting to integrate Email clients. +>- `` is the flag to set a particular Email client as the default Email client. +>- `[{ProgramFilesX86}]\Mozilla Thunderbird\mozMapi32_InUse.dll` is the MAPI dll registration. ### URL Protocol handler -Applications do not always specifically called virtualized applications utilizing file type invocation. For, example, in an application that supports embedding a mailto: link inside a document or web page, the user clicks on a mailto: link and expects to get their registered mail client. App-V supports URL Protocol handlers that can be registered on a per-package basis with the local operating system. During sequencing, the URL protocol handlers are automatically added to the package. +Virtual applications don't always specifically utilize file type invocation. For, example, in an application that supports embedding a mailto: link inside a document or web page, the user selects the link expecting to access their registered mail client. App-V supports URL Protocol handlers that can be registered on a per-package basis with the local operating system. During sequencing, the URL Protocol handlers are automatically added to the package. For situations where there is more than one application that could register the specific URL Protocol handler, the dynamic configuration files can be utilized to modify the behavior and suppress or disable this feature for an application that should not be the primary application launched. 
### AppPath -The AppPath extension point supports calling App-V applications directly from the operating system. This is typically accomplished from the Run or Start Screen, depending on the operating system, which enables administrators to provide access to App-V applications from operating system commands or scripts without calling the specific path to the executable. It therefore avoids modifying the system path environment variable on all systems, as it is accomplished during publishing. +The AppPath extension point supports calling App-V applications directly from the operating system. Administrators can provide access to App-V applications from operating system commands or scripts without calling the specific path to the executable from either the Run or Start Screen, depending on the operating system. It therefore avoids modifying the system path environment variable on all systems, as it is accomplished during publishing. The AppPath extension point is configured either in the manifest or in the dynamic configuration files and is stored in the registry on the local machine during publishing for the user. For additional information on AppPath review: [App Paths - A Virtual Application Extension in App-V 5.0](https://blogs.technet.microsoft.com/virtualworld/2012/12/12/app-paths-a-virtual-application-extension-in-app-v-5-0/). ### Virtual application -This subsystem provides a list of applications captured during sequencing which is usually consumed by other App-V components. Integration of extension points belonging to a particular application can be disabled using dynamic configuration files. For example, if a package contains two applications, it is possible to disable all extension points belonging to one application, in order to allow only integration of extension points of other application. +This subsystem provides a list of applications captured during sequencing which is usually consumed by other App-V components. 
Integration of extension points belonging to a specific application can be disabled using dynamic configuration files. For example, if a package contains two applications, you can disable all extension points belonging to one application to only allow integration of extension points for the other application. ### Extension point rules -The extension points described above are integrated into the operating system based on how the packages has been published. Global publishing places extension points in public machine locations, where user publishing places extension points in user locations. For example a shortcut that is created on the desktop and published globally will result in the file data for the shortcut (%Public%\\Desktop) and the registry data (HKLM\\Software\\Classes). The same shortcut would have file data (%UserProfile%\\Desktop) and registry data (HKCU\\Software\\Classes). +The previously described extension points are integrated into the operating system based on how the packages has been published. Global publishing places extension points in public machine locations, where user publishing places extension points in user locations. For example, a shortcut created on the desktop and published globally will result in the file data for the shortcut (%Public%\\Desktop) and the registry data (HKLM\\Software\\Classes). The same shortcut would have file data (%UserProfile%\\Desktop) and registry data (HKCU\\Software\\Classes). Extension points are not all published the same way, where some extension points will require global publishing and others require sequencing on the specific operating system and architecture where they are delivered. Below is a table that describes these two key rules. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Virtual ExtensionRequires target OS SequencingRequires Global Publishing

    Shortcut

    File Type Association

    URL Protocols

    X

    AppPaths

    X

    COM Mode

    Software Client

    X

    Application Capabilities

    X

    X

    Context Menu Handler

    X

    X

    Drag-and-drop Handler

    X

    Data Object Handler

    X

    Property Sheet Handler

    X

    Infotip Handler

    X

    Column Handler

    X

    Shell Extensions

    X

    Browser Helper Object

    X

    X

    Active X Object

    X

    X

    +|Virtual Extension|Requires target OS sequencing|Requires global publishing| +|---|:---:|:---:| +|Shortcut||| +|File Type Association||| +|URL Protocols|X|| +|AppPaths|X|| +|COM Mode||| +|Software Client|X|| +|Application Capabilities|X|X| +|Context Menu Handler|X|X| +|Drag-and-drop Handler|X|| +|Data Object Handler|X|| +|Property Sheet Handler|X|| +|Infotip Handler|X|| +|Column Handler|X|| +|Shell Extensions|X|| +|Browser Helper Object|X|X| +|Active X Object|X|X| -  +## Dynamic configuration processing -## Dynamic configuration processing +Deploying App-V packages to a single machine or user is very simple. However, as organizations deploy App-V applications across business lines and geographic and political boundaries, it becomes impossible to sequence all applications with the same settings. App-V was designed to overcome this problem by capturing specific settings and configurations during sequencing in the Manifest file while also supporting modification with Dynamic Configuration files. +App-V dynamic configuration lets you specify a package policy at either the machine or user levels. Sequencing engineers can use Dynamic Configuration files to modify the configuration of a package post-sequencing to address the needs of individual groups of users or machines. In some instances, it may be necessary to modify the application to provide proper functionality within the App-V environment. For example, you may need to modify the \_\*config.xml files to allow certain actions to be performed at a specified time while executing the application, like disabling a mailto extension to prevent a virtualized application from overwriting that extension from another application. -Deploying App-V packages to one machine or user is very simple. However, as organizations deploy AppV applications across business lines and geographic and political boundaries, the ability to sequence an application one time with one set of settings becomes impossible. 
App-V was designed for this scenario, as it captures specific settings and configurations during sequencing in the Manifest file, but also supports modification with Dynamic Configuration files. +App-V packages contain the Manifest file inside of the App-V Package file, which is representative of sequencing operations and is the policy of choice unless Dynamic Configuration files are assigned to a specific package. Post-sequencing, the Dynamic Configuration files can be modified to allow an application to be published to different desktops or users with different extension points. The two Dynamic Configuration files are the Dynamic Deployment Configuration (DDC) and Dynamic User Configuration (DUC) files. This section focuses on the combination of the manifest and dynamic configuration files. -App-V dynamic configuration allows for specifying a policy for a package either at the machine level or at the user level. The Dynamic Configuration files enable sequencing engineers to modify the configuration of a package, post-sequencing, to address the needs of individual groups of users or machines. In some instances it may be necessary to make modifications to the application to provide proper functionality within the App-V environment. For example, it may be necessary to make modifications to the \_\*config.xml files to allow certain actions to be performed at a specified time during the execution of the application, like disabling a mailto extension to prevent a virtualized application from overwriting that extension from another application. +### Examples of dynamic configuration files -App-V Packages contain the Manifest file inside of the appv package file, which is representative of sequencing operations and is the policy of choice unless Dynamic Configuration files are assigned to a specific package. 
Post-sequencing, the Dynamic Configuration files can be modified to allow the publishing of an application to different desktops or users with different extension points. The two Dynamic Configuration Files are the Dynamic Deployment Configuration (DDC) and Dynamic User Configuration (DUC) files. This section focuses on the combination of the manifest and dynamic configuration files. +The following example shows the combination of the Manifest, Deployment Configuration, and User Configuration files after publishing and during normal operation. These examples are abbreviated examples of each of the files. The purpose is show the combination of the files only, not to be a complete description of the specific categories available in each file. For more information, download the [App-V Sequencing Guide](https://www.microsoft.com/en-us/download/details.aspx?id=27760). -### Example for dynamic configuration files +#### Manifest -The example below shows the combination of the Manifest, Deployment Configuration and User Configuration files after publishing and during normal operation. These examples are abbreviated examples of each of the files. The purpose is show the combination of the files only and not to be a complete description of the specific categories available in each of the files. For more information, download the [App-V Sequencing Guide](https://www.microsoft.com/en-us/download/details.aspx?id=27760). - -**Manifest** - -``` syntax +```XML [{Common Programs}]\7-Zip\7-Zip File Manager.lnk @@ -1192,9 +809,9 @@ The example below shows the combination of the Manifest, Deployment Configuratio ``` -**Deployment Configuration** +#### Deployment Configuration -``` syntax +```XML @@ -1207,9 +824,9 @@ The example below shows the combination of the Manifest, Deployment Configuratio ``` -**User Configuration** +#### User Configuration -``` syntax +```XML 
@@ -1248,41 +865,34 @@ The example below shows the combination of the Manifest, Deployment Configuratio ## Side-by-side assemblies +App-V supports automatic packaging of side-by-side assemblies during sequencing and deployment on the client during virtual application publishing. App-V also supports capturing side-by-side assemblies during sequencing for assemblies not present on the sequencing machine. For assemblies consisting of Visual C++ (Version 8 and newer) or MSXML run-time, the Sequencer will automatically detect and capture these dependencies even if they weren't installed during monitoring. -App-V supports the automatic packaging of side-by-side (SxS) assemblies during sequencing and deployment on the client during virtual application publishing. App-V supports capturing SxS assemblies during sequencing for assemblies not present on the sequencing machine. And for assemblies consisting of Visual C++ (Version 8 and newer) and/or MSXML run-time, the Sequencer will automatically detect and capture these dependencies even if they were not installed during monitoring. The Side by Side assemblies feature removes the limitations of previous versions of App-V, where the App-V Sequencer did not capture assemblies already present on the sequencing workstation, and privatizing the assemblies which limited to one bit version per package. This behavior resulted in deployed App-V applications to clients missing the required SxS assemblies, causing application launch failures. This forced the packaging process to document and then ensure that all assemblies required for packages were locally installed on the user’s client operating system to ensure support for the virtual applications. Based on the number of assemblies and the lack of application documentation for the required dependencies, this task was both a management and implementation challenge. 
+The side-by-side assemblies feature removes the limitations of previous versions of App-V, where the App-V Sequencer did not capture assemblies already present on the sequencing workstation, and privatized the assemblies, which limited it to one bit version per package. This behavior resulted in App-V applications being deployed to clients missing the required side-by-side assemblies, which led to application launch failures. This forced the packaging process to document and ensure that all assemblies required for packages were locally installed on the user’s client operating system. This task was both a management and implementation challenge due to the number of assemblies and the lack of application documentation for the required dependencies. -Side by Side Assembly support in App-V has the following features. +Side-by-side assembly support in App-V has the following features: -- Automatic captures of SxS assembly during Sequencing, regardless of whether the assembly was already installed on the sequencing workstation. +- Automatic captures of side-by-side assembly during sequencing, regardless of whether the assembly was already installed on the sequencing workstation. +- The App-V Client automatically installs required side-by-side assemblies to the client computer at publishing time if they aren't already installed. +- The Sequencer reports the VC run-time dependency in Sequencer reporting mechanism. +- The Sequencer allows opting to not package assemblies already installed on the Sequencer, supporting scenarios where the assemblies have previously been installed on the target computers. -- The App-V Client automatically installs required SxS assemblies to the client computer at publishing time when they are not present. +### Automatic publishing of side-by-side assemblies -- The Sequencer reports the VC run-time dependency in Sequencer reporting mechanism. 
+During publishing of an App-V package with side-by-side assemblies, the App-V Client will check for the presence of the assembly on the machine. If it doesn't detect an assembly, the client will deploy the assembly to the machine. Packages that are part of connection groups will rely on the side-by-side assembly installations in the base packages, as the connection groups don't contain any information about assembly installation. -- The Sequencer allows opting to not package the assemblies that are already installed on the Sequencer, supporting scenarios where the assemblies have previously been installed on the target computers. - -### Automatic publishing of SxS assemblies - -During publishing of an App-V package with SxS assemblies the App-V Client will check for the presence of the assembly on the machine. If the assembly does not exist, the client will deploy the assembly to the machine. Packages that are part of connection groups will rely on the Side by Side assembly installations that are part of the base packages, as the connection group does not contain any information about assembly installation. - -> [!NOTE] -> Unpublishing or removing a package with an assembly does not remove the assemblies for that package. - -  +>[!NOTE] +>Unpublishing or removing a package with an assembly does not remove the assemblies for that package. ## Client logging +The App-V Client logs information to the Windows Event log in standard ETW format. The specific App-V events can be found in the event viewer under **Applications and Services Logs\\Microsoft\\AppV\\Client**. -The App-V client logs information to the Windows Event log in standard ETW format. The specific App-V events can be found in the event viewer, under Applications and Services Logs\\Microsoft\\AppV\\Client. +There are three specific categories of events recorded: -There are three specific categories of events recorded described below. 
- -**Admin**: Logs events for configurations being applied to the App-V Client, and contains the primary warnings and errors. - -**Operational**: Logs the general App-V execution and usage of individual components creating an audit log of the App-V operations that have been completed on the App-V Client. - -**Virtual Application**: Logs virtual application launches and use of virtualization subsystems. +- **Admin** logs events for configurations applied to the App-V Client and also contains the primary warnings and errors. +- **Operational** logs the general App-V execution and usage of individual components, creating an audit log of the App-V Client's completed App-V operations. +- **Virtual Application** logs virtual application launches and use of virtualization subsystems. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
index ce1b3601b9..be2acfa151 100644
--- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
@@ -1,42 +1,46 @@ --- -title: How to Apply the Deployment Configuration File by Using Windows PowerShell (Windows 10) -description: How to Apply the Deployment Configuration File by Using Windows PowerShell +title: How to apply the deployment configuration file by using Windows PowerShell (Windows 10) +description: How to apply the deployment configuration file by using Windows PowerShell for Windows 10. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 06/15/2018 --- +# How to apply the deployment configuration file by using Windows PowerShell +>Applies to: Windows 10, version 1607 -# How to Apply the Deployment Configuration File by Using Windows PowerShell +When you add or set a package to a computer running the App-V client before it's been published, a dynamic deployment configuration file is applied to it. The dynamic deployment configuration file configures the default settings for the package that all users share on the computer running the App-V client. This section will tell you how to use a deployment configuration file. -**Applies to** -- Windows 10, version 1607 +## Apply the deployment configuration file with Windows PowerShell -The dynamic deployment configuration file is applied when a package is added or set to a computer running the App-V client before the package has been published. The file configures the default settings for package for all users on the computer running the App-V client. This section describes the steps used to use a deployment configuration file. 
The procedure is based on the following example and assumes the following package and configuration files exist on a computer: +>[!NOTE] +>The following example cmdlet uses the following two file paths for the package and configuration files: + > + >* C:\\Packages\\Contoso\\MyApp.appv + >* C:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml + > +>If your package and configuration files use different file paths than the example, feel free to replace them as needed. -**c:\\Packages\\Contoso\\MyApp.appv** +To specify a new default set of configurations for all users who will run the package on a specific computer, in a Windows PowerShell console, enter the following cmdlet: -**c:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml** +```PowerShell +Add-AppVClientPackage -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration C:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml +``` -**To Apply the Deployment Configuration File Using Windows PowerShell** +>[!NOTE] +>This command captures the resulting object into $pkg. If the package is already present on the computer, you can use the **Set-AppVclientPackage** cmdlet to apply the deployment configuration document: +> +> ```PowerShell +> Set-AppVClientPackage -Name Myapp -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration C:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml +> ``` -- To specify a new default set of configurations for all users who will run the package on a specific computer, in a Windows PowerShell console, type the following: - - `Add-AppVClientPackage -Path c:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration c:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml` - - **Note**
    - This command captures the resulting object into $pkg. If the package is already present on the computer, the **Set-AppVclientPackage** cmdlet can be used to apply the deployment configuration document: - - `Set-AppVClientPackage -Name Myapp -Path c:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration c:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml` - -   ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) +* [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md index a59c999681..7f5e05afcd 100644 --- a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md +++ b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md 
@@ -1,41 +1,45 @@ --- -title: How to Apply the User Configuration File by Using Windows PowerShell (Windows 10) -description: How to Apply the User Configuration File by Using Windows PowerShell +title: How to apply the user configuration file by using Windows PowerShell (Windows 10) +description: How to apply the user configuration file by using Windows PowerShell (Windows 10). author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 06/15/2018 --- +# How to apply the user configuration file by using Windows PowerShell +>Applies to: Windows 10, version 1607 -# How to Apply the User Configuration File by Using Windows PowerShell +When you publish a package to a specific user, you'll also need to specify a dynamic user configuration file to tell that package how to run. -**Applies to** -- Windows 10, version 1607 +## Apply a user configuration file -The dynamic user configuration file is applied when a package is published to a specific user and determines how the package will run. +Here's how to specify a user-specific configuration file: -Use the following procedure to specify a user-specific configuration file. The following procedure is based on the example: +>[!NOTE] +>The following example cmdlets use this example file path for its package: + > + >* C:\\Packages\\Contoso\\MyApp.appv. + > +>If your package file uses a different file path than the example, feel free to replace it as needed. -**c:\\Packages\\Contoso\\MyApp.appv** +1. Enter the following cmdlet in Windows PowerShell to add the package to the computer: -**To apply a user Configuration file** - -1. To add the package to the computer using the Windows PowerShell console, type the following command: - - `Add-AppVClientPackage c:\Packages\Contoso\MyApp.appv` - -2. 
Use the following command to publish the package to the user and specify the updated the dynamic user configuration file: - - `Publish-AppVClientPackage $pkg -DynamicUserConfigurationPath c:\Packages\Contoso\config.xml` + ```PowerShell + Add-AppVClientPackage C:\Packages\Contoso\MyApp.appv + ``` +2. Enter the following cmdlet to publish the package to the user and specify the updated the dynamic user configuration file: + ```PowerShell + Publish-AppVClientPackage $pkg -DynamicUserConfigurationPath C:\Packages\Contoso\config.xml + ``` ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) +* [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md index 508ae9f351..9cca4f5fb8 100644 --- a/windows/application-management/app-v/appv-auto-batch-sequencing.md +++ b/windows/application-management/app-v/appv-auto-batch-sequencing.md 
@@ -81,60 +81,6 @@ Where `````` is the name of the virtual machine (VM) with the App-V The cmdlet creates a "clean" checkpoint on the VM. Next, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM, and finally a new session of the VM opens (through VMConnect) and sequencing of the app begins from the command-line. After completing sequencing and package creation for the first app on the VM, the package is copied from the VM to the Host computer, specified in the *OutputPath* parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off. -### Sequence multiple apps by using the App-V Sequencer interface - -Sequencing multipe apps at the same time requires that you create a **ConfigFIle** to collect all of the info related to each round of sequencing. This file is then used by the App-V Sequencer interface after creating a "clean" checkpoint on your VM. - -#### Create your ConfigFile for use by the App-V Sequencer interface - -1. Determine the apps that need to be included in your App-V sequencing package, and then open a text editor, such as Notepad. - -2. Add the following required XML info for each app: - - - ``````. The name of the app you're adding to the package. - - ``````. The file path to the folder with the app installer. - - ``````. The file name for the app executable. This will typically be an .exe or .msi file. - - ``````. The maximum amount of time, in minutes, that the cmdlet should wait for sequencing to complete. You can enter a different value for each app, based on the size and complexity of the app itself. - - ``````. Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. 
**True** tells the sequencer to usea cmdlet-based sequencing, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps. - - ``````. Indicates whether the app should be sequenced. **True** includes the app, while **False** ignores it. You can include as many apps as you want in the batch file, but optionally enable only a few of them. - - **Example:** - - ```XML - - - - Skype for Windows - D:\Install\New\SkypeforWindows - SkypeSetup.exe - 20 - False - True - - - Power BI - D:\Install\New\MicrosoftPowerBI - PBIDesktop.msi - 20 - False - True - - - - ``` - -#### How to start the App-V Sequencer interface and app installation process - -Open PowerShell as an admin on the Host computer and run the following commands to start the batch sequencing: - -```PowerShell -New-BatchAppVSequencerPackages –ConfigFile –VMName -OutputPath -``` - -Where `````` is the name of the virtual machine (VM) with the App-V Sequencer installed, where you'll run the batch sequencing, and `````` is the full path to where the sequenced packages should be copied. - -The cmdlet creates a "clean" checkpoint on the VM. Next, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM, and finally a new session of the VM opens (through VMConnect) and sequencing of the app begins from the command-line. After completing sequencing and package creation for the first app on the VM, the package is copied from the VM to the Host computer, specified in the OutputPath parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off. 
- ### Review the log files There are 3 types of log files that occur when you sequence multiple apps at the same time: @@ -155,4 +101,4 @@ There are 3 types of log files that occur when you sequence multiple apps at the ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md index 1d96b18fb8..ff99b0273a 100644 --- a/windows/application-management/app-v/appv-auto-batch-updating.md +++ b/windows/application-management/app-v/appv-auto-batch-updating.md @@ -41,29 +41,28 @@ Updating multiple apps at the same time requires that you create a **ConfigFile* **Example:** ```XML - - - Skype for Windows Update - D:\Install\Update\SkypeforWindows - SkypeSetup.exe - /S - C:\App-V_Package\Microsoft_Apps\skypeupdate.appv - 20 - True - True - - - Microsoft Power BI Update - D:\Install\Update\PowerBI - PBIDesktop.msi - /S - C:\App-V_Package\MS_Apps\powerbiupdate.appv - 20 - True - True - - - + + + Skype for Windows Update + D:\Install\Update\SkypeforWindows + SkypeSetup.exe + /S + C:\App-V_Package\Microsoft_Apps\skypeupdate.appv + 20 + true + true + + + Microsoft Power BI Update + D:\Install\Update\PowerBI + PBIDesktop.msi + /S + C:\App-V_Package\MS_Apps\powerbiupdate.appv + 20 + true + true + + ``` 3. Save your completed file under the name **ConfigFile**. 
@@ -101,29 +100,28 @@ Updating multipe apps at the same time requires that you create a **ConfigFile** ```XML - - - Skype for Windows Update - D:\Install\Update\SkypeforWindows - SkypeSetup.exe - /S - C:\App-V_Package\Microsoft_Apps\skypeupdate.appv - 20 - False - True - - - Microsoft Power BI Update - D:\Install\Update\PowerBI - PBIDesktop.msi - /S - C:\App-V_Package\MS_Apps\powerbiupdate.appv - 20 - False - True - - - + + + Skype for Windows Update + D:\Install\Update\SkypeforWindows + SkypeSetup.exe + /S + C:\App-V_Package\Microsoft_Apps\skypeupdate.appv + 20 + false + true + + + Microsoft Power BI Update + D:\Install\Update\PowerBI + PBIDesktop.msi + /S + C:\App-V_Package\MS_Apps\powerbiupdate.appv + 20 + false + true + + ``` ### Start the App-V Sequencer interface and app installation process @@ -157,4 +155,4 @@ There are three types of log files that occur when you sequence multiple apps at ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md index 23a9fe37c6..2495e28dd7 100644 --- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md +++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md 
@@ -1,77 +1,62 @@ --- -title: Automatically cleanup unpublished packages on the App-V client (Windows 10) -description: How to automatically clean-up any unpublished packages on your App-V client devices. +title: Automatically clean up unpublished packages on the App-V client (Windows 10) +description: How to automatically clean up any unpublished packages on your App-V client devices. author: eross-msft ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 06/15/2018 --- +# Automatically clean up unpublished packages on the App-V client +>Applies to: Windows 10, version 1703 -# Automatically cleanup unpublished packages on the App-V client +If you wanted to free up additional storage space in previous versions of App-V, you would have had to manually remove your unpublished packages from your client devices. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically clean up your unpublished packages after restarting your device. -**Applies to** -- Windows 10, version 1703 +## Clean up with PowerShell cmdlets -Previous versions of App-V have required you to manually remove your unpublished packages from your client devices, to free up additional storage space. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. +You can enter PowerShell cmdlets to turn on the **AutoCleanupEnabled** setting, which will automatically clean up your unpublished App-V packages from your App-V client devices. -## Cleanup by using PowerShell commands -Using PowerShell, you can turn on the **AutoCleanupEnabled** setting to automatically cleanup your unpublished App-V packages from your App-V client devices. +### Turn on the AutoCleanupEnabled option -**To turn on the AutoCleanupEnabled option** +1. 
Open PowerShell as an admin and enter the following cmdlet to turn on the automatic package cleanup functionality: -1. Open PowerShell as an admin and run the following command to turn on the automatic package cleanup functionality: - - ```ps1 + ```PowerShell Set-AppvClientConfiguration -AutoCleanupEnabled 1 ``` - The command runs and you should see the following info on the PowerShell screen: - - - - - - - - - - - - - - - - -
    NameValueSetbyGroupPolicy
    AutoCleanupEnabled1False
    + After running the cmdlet, you should see the following info on the PowerShell screen: -2. Run the following command to make sure the configuration is ready to automatically cleanup your packages. + |Name|Value|SetbyGroupPolicy| + |---|---|---| + |AutoCleanupEnabled|1|False| - ```ps1 +1. Run the following cmdlet to check if the configuration has the cleanup setting turned on. + + ```PowerShell Get-AppvClientConfiguration ``` - You should see the **AutoCleanupEnabled** option turned on (shows a value of "1") in the configuration list. + If the **AutoCleanupEnabled** option shows a value of **1** in the configuration list, that means the setting is turned on. -## Cleanup by using Group Policy settings -Using Group Policy, you can turn on the **Enable automatic cleanup of unused appv packages** setting to automatically cleanup your unpublished App-V packages from your App-V client devices. +## Clean up with Group Policy settings -**To turn on the Enable automatic cleanup of unused appv packages setting** +Using Group Policy, you can turn on the **Enable automatic cleanup of unused App-V packages** setting to automatically clean up your unpublished App-V packages from your App-V client devices. -1. Open your Group Policy editor and double-click the Administrative Templates\System\App-V\PackageManagement\Enable automatic cleanup of unused appv packages setting. +### Turn on the Enable automatic cleanup of unused App-V packages setting -2. Click **Enabled**, and then click **OK**. +1. Open your Group Policy editor and select the **Administrative Templates\System\App-V\PackageManagement\Enable automatic cleanup of unused App-V packages** setting. - After your Group Policy updates, the setting is turned on and will cleanup any unpublished App-V packages on the App-V Client after restarting. +2. Select **Enabled**, then select **OK**. 
+ + After your Group Policy updates and you reset the client, the setting will clean up any unpublished App-V packages on the App-V client. + +## Have a suggestion for App-V? + +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). + +## Related topics -### Related topics - [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - - [Download the Microsoft Application Virtualization 5.0 Client UI Application](https://www.microsoft.com/en-us/download/details.aspx?id=41186) - -- [Using the App-V Client Management Console](appv-using-the-client-management-console.md) - - -**Have a suggestion for App-V?**

    -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). \ No newline at end of file +- [Using the App-V Client Management Console](appv-using-the-client-management-console.md) \ No newline at end of file diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md index 7d050134a8..d890609518 100644 --- a/windows/application-management/app-v/appv-available-mdm-settings.md +++ b/windows/application-management/app-v/appv-available-mdm-settings.md @@ -6,207 +6,26 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 06/15/2018 --- - # Available Mobile Device Management (MDM) settings for App-V -With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps by using these Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) page. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Policy nameSupported versionsDetails
    NameWindows 10, version 1703 -
      -
    • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Name
    • -
    • Data type. String
    • -
    • Value. Read-only data, provided by your App-V packages.
    • -
    -
    VersionWindows 10, version 1703 -
      -
    • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Version
    • -
    • Data type. String
    • -
    • Value. Read-only data, provided by your App-V packages.
    • -
    -
    PublisherWindows 10, version 1703 -
      -
    • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Publisher
    • -
    • Data type. String
    • -
    • Value. Read-only data, provided by your App-V packages.
    • -
    -
    InstallLocationWindows 10, version 1703 -
      -
    • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/InstallLocation
    • -
    • Data type. String
    • -
    • Value. Read-only data, provided by your App-V packages.
    • -
    -
    InstallDateWindows 10, version 1703 -
      -
    • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/InstallDate
    • -
    • Data type. String
    • -
    • Value. Read-only data, provided by your App-V packages.
    • -
    -
    UsersWindows 10, version 1703 -
      -
    • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Users
    • -
    • Data type. String
    • -
    • Value. Read-only data, provided by your App-V packages.
    • -
    -
    AppVPackageIDWindows 10, version 1703 -
      -
    • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/AppVPackageID
    • -
    • Data type. String
    • -
    • Value. Read-only data, provided by your App-V packages.
    • -
    -
    AppVVersionIDWindows 10, version 1703 -
      -
    • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/AppVVersionID
    • -
    • Data type. String
    • -
    • Value. Read-only data, provided by your App-V packages.
    • -
    -
    AppVPackageUriWindows 10, version 1703 -
      -
    • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/AppVPackageUri
    • -
    • Data type. String
    • -
    • Value. Read-only data, provided by your App-V packages.
    • -
    -
    LastErrorWindows 10, version 1703 -
      -
    • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/LastError
    • -
    • Data type. String
    • -
    • Value. Read-only data, provided by your App-V client.
    • -
    -
    LastErrorDescriptionWindows 10, version 1703 -
      -
    • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/LastErrorDescription
    • -
    • Data type. String
    • -
    • Values. -
        -
      • 0. No errors returned during publish.
      • -
      • 1. Unpublish groups failed during publish.
      • -
      • 2. Publish no-group packages failed during publish.
      • -
      • 3. Publish group packages failed during publish.
      • -
      • 4. Unpublish packages failed during publish.
      • -
      • 5. New policy write failed during publish.
      • -
      • 6. Multiple non-fatal errors occurred during publish.
      • -
      -
    • -
    -
    SyncStatusDescriptionWindows 10, version 1703 -
      -
    • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/SyncStatusDescription
    • -
    • Data type. String
    • -
    • Values. -
        -
      • 0. App-V publishing is idle.
      • -
      • 1. App-V connection groups publish in progress.
      • -
      • 2. App-V packages (non-connection group) publish in progress.
      • -
      • 3. App-V packages (connection group) publish in progress.
      • -
      • 4. App-V packages unpublish in progress.
      • -
      -
    • -
    -
    SyncProgressWindows 10, version 1703 -
      -
    • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/SyncProgress
    • -
    • Data type. String
    • -
    • Values. -
        -
      • 0. App-V Sync is idle.
      • -
      • 1. App-V Sync is initializing.
      • -
      • 2. App-V Sync is in progress.
      • -
      • 3. App-V Sync is complete.
      • -
      • 4. App-V Sync requires device reboot.
      • -
      -
    • -
    -
    PublishXMLWindows 10, version 1703 -
      -
    • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML
    • -
    • Data type. String
    • -
    • Value. Custom value, entered by admin.
    • -
    -
    PolicyWindows 10, version 1703 -
      -
    • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/configurationid/Policy
    • -
    • Data type. String
    • -
    • Value. Custom value, entered by admin.
    • -
    -
    \ No newline at end of file
+With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps with the following Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) page.
+
+|Policy name|Supported versions|URI full path|Data type|Values|
+|---|---|---|---|---|
+|Name|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Name|String|Read-only data, provided by your App-V packages.|
+|Version|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Version|String|Read-only data, provided by your App-V packages.|
+|Publisher|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Publisher|String|Read-only data, provided by your App-V packages.|
+|InstallLocation|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //InstallLocation|String|Read-only data, provided by your App-V packages.|
+|InstallDate|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //InstallDate|String|Read-only data, provided by your App-V packages.|
+|Users|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //Users|String|Read-only data, provided by your App-V packages.|
+|AppVPackageID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVPackageID|String|Read-only data, provided by your App-V packages.|
+|AppVVersionID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVVersionID|String|Read-only data, provided by your App-V packages.|
+|AppVPackageUri|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement// //AppVPackageUri|String|Read-only data, provided by your 
App-V packages.|
+|LastError|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/
    AppVPublishing/LastSync/LastError|String|Read-only data, provided by your App-V packages.|
+|LastErrorDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/LastErrorDescription|String|- **0**: No errors returned during publish.
    - **1**: Unpublish groups failed during publish.
    - **2**: Publish no-group packages failed during publish.
    - **3**: Publish group packages failed during publish.
    - **4**: Unpublish packages failed during publish.
    - **5**: New policy write failed during publish.
    - **6**: Multiple non-fatal errors occurred during publish.|
+|SyncStatusDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncStatusDescription|String|- **0**: App-V publishing is idle.
    - **1**: App-V connection groups publish in progress.
    - **2**: App-V packages (non-connection group) publish in progress.
    - **3**: App-V packages (connection group) publish in progress.
    - **4**: App-V packages unpublish in progress.|
+|SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncProgress|String|- **0**: App-V Sync is idle.
    - **1**: App-V Sync is initializing.
    - **2**: App-V Sync is in progress.
    - **3**: App-V Sync is complete.
    - **4**: App-V Sync requires device reboot.|
+|PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/
    AppVPublishing/Sync/PublishXML|String|Custom value, entered by admin.|
+|Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/
    AppVDynamicPolicy/configurationid/Policy|String|Custom value, entered by admin.|
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
index 58b23dd73f..3423d1c211 100644
--- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
@@ -1,67 +1,60 @@ --- -title: How to Configure Access to Packages by Using the Management Console (Windows 10) -description: How to Configure Access to Packages by Using the Management Console +title: How to configure access to packages by using the Management Console (Windows 10) +description: How to configure access to packages by using the App-V Management Console. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 06/18/2018 --- +# How to configure access to packages by using the Management Console - -# How to Configure Access to Packages by Using the Management Console - -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 Before you deploy an App-V virtualized package, you must configure the Active Directory Domain Services (AD DS) security groups that will be allowed to access and run the applications. The security groups may contain computers or users. Entitling a package to a computer group publishes the package globally to all computers in the group. Use the following procedure to configure access to virtualized packages. -**To grant access to an App-V package** +## Grant access to an App-V package -1. Find the package you want to configure: +1. Find the package you want to configure: - 1. Open the App-V Management console. + 1. Open the App-V Management console. - 2. To display the **AD ACCESS** page, right-click the package to be configured, and select **Edit active directory access**. Alternatively, select the package and click **EDIT** in the **AD ACCESS** pane. + 1. Right-click the package to be configured, then select **Edit active directory access** to display the **AD Access** page. Alternatively, select the package and select **Edit** in the **AD Access** pane. -2. Provision a security group for the package: +2. Provision a security group for the package: - 1. 
Go to the **FIND VALID ACTIVE DIRECTORY NAMES AND GRANT ACCESS** page. + 1. Go to the **Find valid Active Directory names and grant access** page. - 2. Using the format **mydomain** \\ **groupname**, type the name or part of the name of an Active Directory group object, and click **Check**. + 1. Using the format **mydomain** \\ **groupname**, enter the name or part of the name of an Active Directory group object, then select **Check**. - **Note**   - Ensure that you provide an associated domain name for the group that you are searching for. + >[!NOTE]   + >Ensure that you provide an associated domain name for the group that you are searching for. -   +3. Grant access to the package by first selecting the desired group, then selecting **Grant Access**. The newly added group is displayed in the **AD entities with access** pane. -3. To grant access to the package, select the desired group and click **Grant Access**. The newly added group is displayed in the **AD ENTITIES WITH ACCESS** pane. +4. Select **Close** to accept the default configuration settings and close the AD Access page. -4. + To customize configurations for a specific group, select the **Assigned configurations** drop-down menu, then select **Custom**. To make changes to your custom configurations, select **Edit**. After you grant access, select **Close**. - To accept the default configuration settings and close the **AD ACCESS** page, click **Close**. +## Remove access to an App-V package - To customize configurations for a specific group, click the **ASSIGNED CONFIGURATIONS** drop-down and select **Custom**. To configure the custom configurations, click **EDIT**. After you grant access, click **Close**. +1. Find the package you want to configure: -**To remove access to an App-V package** + 1. Open the App-V Management console. -1. Find the package you want to configure: + 1. To display the **AD Access** page, right-click the package to be configured, then select **Edit active directory access**. 
Alternatively, select the package, then select **Edit** in the **AD Access** pane. - 1. Open the App-V Management console. +2. Select the group you want to remove, then select **Delete**. - 2. To display the **AD ACCESS** page, right-click the package to be configured, and select **Edit active directory access**. Alternatively, select the package and click **EDIT** in the **AD ACCESS** pane. - -2. Select the group you want to remove, and click **DELETE**. - -3. To close the **AD ACCESS** page, click **Close**. +3. Select **Close**. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) +* [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md index 06b310e729..8c896d56e2 100644 --- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md +++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md 
@@ -1,64 +1,65 @@ --- -title: How to Make a Connection Group Ignore the Package Version (Windows 10) -description: How to Make a Connection Group Ignore the Package Version +title: How to make a connection group ignore the package version (Windows 10) +description: How to make a connection group ignore the package version. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 06/18/2018 --- +# How to make a connection group ignore the package version +> Applies to: Windows 10, version 1607 -# How to Make a Connection Group Ignore the Package Version +You can use Application Virtualization (App-V) to configure a connection group to use any version of a package, simplifying package upgrades and reducing the number of connection groups you need to create. -**Applies to** -- Windows 10, version 1607 +You can also configure a connection group to accept any version of a package, so that you can upgrade the package without having to disable the connection group. -Application Virtualization (App-V) lets you configure a connection group to use any version of a package, which simplifies package upgrades and reduces the number of connection groups you need to create. +- If the connection group has access to multiple versions of a package, App-V will use the latest version. -You can configure a connection group to accept any version of a package, which enables you to upgrade the package without having to disable the connection group: +- If the connection group contains an optional package with an incorrect version, App-V ignores the package and won’t block the connection group’s virtual environment from being created. -- If the connection group has access to multiple versions of a package, the latest version is used. 
+- If the connection group contains a non-optional package that has an incorrect version, App-V won't be able to create the connection group’s virtual environment. -- If the connection group contains an optional package that has an incorrect version, the package is ignored and won’t block the connection group’s virtual environment from being created. +## Make a connection group ignore the package version with the App-V Server Management Console -- If the connection group contains a non-optional package that has an incorrect version, the connection group’s virtual environment cannot be created. - -## To make a connection group ignore the package version by using the App-V Server Management Console - -1. In the Management Console, select **CONNECTION GROUPS**. +1. In the Management Console, select **Connection Groups**. 2. Select the correct connection group from the Connection Groups library. -3. Click **EDIT** in the CONNECTED PACKAGES pane. +3. Select **Edit** in the Connected Packages pane. -4. Select **Use Any Version** check box next to the package name, and click **Apply**. +4. Select the **Use Any Version** check box next to the package name, then select **Apply**. -For more about adding or upgrading packages, see [How to Add or Upgrade Packages by Using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md). +For more about adding or upgrading packages, see [How to add or upgrade packages by using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md). -## To make a connection group ignore the package version from the App-V client on a stand-alone computer +## Make a connection group ignore the package version from the App-V client on a stand-alone computer 1. Create the connection group XML document. -2. For the package to be upgraded, set the **Package** tag attribute **VersionID** to an asterisk (*). +2. Set the **Package** tag attribute **VersionID** to an asterisk (*) to upgrade the package. 
-3. Use the following cmdlet to add the connection group, and include the path to the connection group XML document: +3. Enter the following cmdlet (including the path to the connection group XML document) to add the connection group: + + ```PowerShell + Add-AppvClientConnectionGroup + ``` + + For more information about how to use the **Add-AppvClientConnectionGroup** cmdlet, see [**Add-AppvClientConnectionGroup**](https://docs.microsoft.com/en-us/powershell/module/appvclient/add-appvclientconnectiongroup?view=win10-ps). - `Add-AppvClientConnectionGroup` - 4. When you upgrade a package, use the following cmdlets to remove the old package, add the upgraded package, and publish the upgraded package: - - RemoveAppvClientPackage - - Add-AppvClientPackage - - Publish-AppvClientPackage + - [**Remove-AppvClientPackage**](https://docs.microsoft.com/en-us/powershell/module/appvclient/remove-appvclientpackage?view=win10-ps) + - [**Add-AppvClientPackage**](https://docs.microsoft.com/en-us/powershell/module/appvclient/add-appvclientpackage?view=win10-ps) + - [**Publish-AppvClientPackage**](https://docs.microsoft.com/en-us/powershell/module/appvclient/publish-appvclientpackage?view=win10-ps) -For more information, see [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md). +For more information, see [How to manage App-V packages running on a stand-alone computer by using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md). ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Managing Connection Groups](appv-managing-connection-groups.md) +- [Managing connection groups](appv-managing-connection-groups.md) \ No newline at end of file diff --git a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md index dca7131dbf..4c9e8afc25 100644 --- a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md +++ b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md 
@@ -1,46 +1,41 @@ --- -title: How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server (Windows 10) -description: How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server +title: How to configure the client to receive package and connection groups updates from the publishing server (Windows 10) +description: How to configure the client to receive package and connection groups updates from the publishing server. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 06/25/2018 --- +# How to configure the client to receive package and connection groups updates from the publishing server +>Applies to: Windows 10, version 1607 -# How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server +The App-V publishing server's single-point management and high scalability lets you deploy packages and connection groups and keep them up to date. -**Applies to** -- Windows 10, version 1607 +This article will tell you how to configure the App-V client to receive updates from the publishing server. -Deploying packages and connection groups using the App-V publishing server is helpful because it offers single-point management and high scalability. +>[!NOTE] +>The following example has the management server installed on a computer named **MyMgmtSrv**, and the publishing server installed on a computer named **MyPubSrv**. If the computers you'll be configuring the App-V client on have different names, you should replace the example's names with your computer's names. -Use the following steps to configure the App-V client to receive updates from the publishing server. +## Configure the App-V client to receive updates from the publishing server -**Note**
    -For the following procedures the management server was installed on a computer named **MyMgmtSrv**, and the publishing server was installed on a computer named **MyPubSrv**. +1. Deploy the App-V management and publishing servers, and add the required packages and connection groups. For more information about adding packages and connection groups, see [How to add or upgrade packages by using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md) and [How to create a connection group](appv-create-a-connection-group.md). +2. To open the management console, open a web browser and enter the following URL: . Import, publish, and entitle all packages and connection groups that your users will need. +3. On the computer running the App-V client, open an elevated Windows PowerShell command prompt, and run the following command: -  - -**To configure the App-V client to receive updates from the publishing server** - -1. Deploy the App-V management and publishing servers, and add the required packages and connection groups. For more information about adding packages and connection groups, see [How to Add or Upgrade Packages by Using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md) and [How to Create a Connection Group](appv-create-a-connection-group.md). - -2. To open the management console click the following link, open a browser and type the following: http://MyMgmtSrv/AppvManagement/Console.html in a web browser, and import, publish, and entitle all the packages and connection groups which will be necessary for a particular set of users. - -3. On the computer running the App-V client, open an elevated Windows PowerShell command prompt, and run the following command: - - `Add-AppvPublishingServer -Name ABC -URL http://MyPubSrv/AppvPublishing` + ```PowerShell + Add-AppvPublishingServer -Name ABC -URL https://MyPubSrv/AppvPublishing + ``` This command will configure the specified publishing server. 
You should see output similar to the following: - ``` + ```PowerShell Id                        : 1 SetByGroupPolicy          : False Name                      : ABC - URL                       : http:// MyPubSrv/AppvPublishing + URL                       : https://MyPubSrv/AppvPublishing GlobalRefreshEnabled      : False GlobalRefreshOnLogon      : False GlobalRefreshInterval     : 0 @@ -51,16 +46,18 @@ For the following procedures the management server was installed on a computer n UserRefreshIntervalUnit   : Day ``` -4. On the computer running the App-V client, open a Windows PowerShell command prompt, and type the following command: +4. On the computer running the App-V client, open a Windows PowerShell command prompt and enter the following cmdlet: - `Sync-AppvPublishingServer -ServerId 1` + ```PowerShell + Sync-AppvPublishingServer -ServerId 1 + ``` - The command will query the publishing server for the packages and connection groups that need to be added or removed for this particular client based on the entitlements for the packages and connection groups as configured on the management server. + This cmdlet will query the publishing server for which packages and connection groups need to be added or removed for this particular client based on your configured entitlements for the packages and connection groups on the management server. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) +* [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md index 4da1633e90..dc2e364c79 100644 --- a/windows/application-management/app-v/appv-connect-to-the-management-console.md +++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md 
@@ -1,30 +1,28 @@ --- -title: How to Connect to the Management Console (Windows 10) -description: How to Connect to the Management Console +title: How to connect to the Management Console (Windows 10) +description: How to Connect to the App-V Management Console. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 06/25/2018 --- +# How to connect to the Management Console -# How to Connect to the Management Console - -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 Use the following procedure to connect to the App-V Management Console. -**To connect to the App-V Management Console** +## Connect to the App-V Management Console -1. Open Internet Explorer browser and type the address for the App-V Management server. For example, **https://\<_management server name_\>:\<_management service port number_\>/console.html**. +1. Open your web browser and enter the address for the App-V Management server. For example, **https://\<_management server name_\>:\<_management service port number_\>/console.html**. -2. To view different sections of the console, click the desired section in the navigation pane. +2. To view different sections of the console, select your desired section in the navigation pane. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics diff --git a/windows/application-management/app-v/appv-connection-group-file.md b/windows/application-management/app-v/appv-connection-group-file.md index 2c0d1e7208..06c74f260d 100644 --- a/windows/application-management/app-v/appv-connection-group-file.md +++ b/windows/application-management/app-v/appv-connection-group-file.md 
@@ -1,159 +1,62 @@ --- -title: About the Connection Group File (Windows 10) -description: About the Connection Group File +title: About the connection group file (Windows 10) +description: A summary of what the connection group file is and how to configure it. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 06/25/2018 --- +# About the connection group file +>Applies to: Windows 10, version 1607 -# About the Connection Group File +## Connection group file overview -**Applies to** -- Windows 10, version 1607 +### What is a connection group? -**In this topic:** +A connection group is an App-V feature that can group packages together to create a virtual environment where applications within that package group can interact with each other. -- [Connection group file purpose and location](#bkmk-cg-purpose-loc) +For example, let's say you want to use plug-ins with Microsoft Office. You can create one package that contains the plug-ins and another package that contains Office, and then add both packages to the same connection group to enable Office to use those plug-ins. -- [Structure of the connection group XML file](#bkmk-define-cg-5-0sp3) +### How a connection group file works -- [Configuring the priority of packages in a connection group](#bkmk-config-pkg-priority-incg) +When you apply an App-V connection group file, all packages specified in the file will be combined at runtime into a single virtual environment. Use the Microsoft Application Virtualization (App-V) connection group file to configure existing App-V connection groups. -- [Supported virtual application connection configurations](#bkmk-va-conn-configs) +An example file path for a package file would be %APPDATA%\Microsoft\AppV\Client\Catalog\PackageGroups\{6CCC7575-162E-4152-9407-ED411DA138F4}\{4D1E16E1-8EF8-41ED-92D5-8910A8527F96}. 
-## Connection group file purpose and location +## Structure of the connection group XML file +This section will tell you more about the components of the connection group XML file. - ---- - - - - - - - - - - - - - - -

    Connection group purpose

    A connection group is an App-V feature that enables you to group packages together to create a virtual environment in which the applications in those packages can interact with each other.

    -

    Example: You want to use plug-ins with Microsoft Office. You can create a package that contains the plug-ins, and create another package that contains Office, and then add both packages to a connection group to enable Office to use those plug-ins.

    How the connection group file works

    When you apply an App-V connection group file, the packages that are enumerated in the file will be combined at runtime into a single virtual environment. Use the Microsoft Application Virtualization (App-V) connection group file to configure existing App-V connection groups.

    Example file path

    %APPDATA%\Microsoft\AppV\Client\Catalog\PackageGroups\{6CCC7575-162E-4152-9407-ED411DA138F4}\{4D1E16E1-8EF8-41ED-92D5-8910A8527F96}.

    - -  - -## Structure of the connection group XML file - - -**In this section:** - -- [Parameters that define the connection group](#bkmk-params-define-cg) - -- [Parameters that define the packages in the connection group](#bkmk-params-define-pkgs-incg) - -- [App-V example connection group XML file](#bkmk-50sp3-exp-cg-xml) - -### Parameters that define the connection group +### Parameters that define the connection group The following table describes the parameters in the XML file that define the connection group itself, not the packages. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldDescription

    Schema name

    Name of the schema.

    -

    If you want to use the “optional packages” and “use any version” features that are described in this table, you must specify the following schema in the XML file:

    -

    xmlns="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"

    AppConnectionGroupId

    Unique GUID identifier for this connection group. The connection group state is associated with this identifier. Specify this identifier only when you create the connection group.

    -

    You can create a new GUID by typing: [Guid]::NewGuid().

    VersionId

    Version GUID identifier for this version of the connection group.

    -

    When you update a connection group (for example, by adding or updating a new package), you must update the version GUID to reflect the new version.

    DisplayName

    Display name of the connection group.

    Priority

    Optional priority field for the connection group.

    -

    “0” - indicates the highest priority.

    -

    If a priority is required, but has not been configured, the package will fail because the correct connection group to use cannot be determined.

    +|Field|Description| +|-----|-----------| +|Schema name|Name of the schema.
    If you want to use the “optional packages” and “use any version” features described in this table, you must specify the following schema in the XML file:
    `xmlns="https://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"`| +|AppConnectionGroupId|Unique GUID identifier for this connection group. The connection group state is associated with this identifier. Specify this identifier only when you create the connection group.
    You can create a new GUID by entering **[Guid]::NewGuid()**.| +|VersionId|Version GUID identifier for this version of the connection group.
    When you update a connection group (for example, by adding or updating a new package), you must update the version GUID to reflect the new version.| +|DisplayName|Display name of the connection group.| +|Priority|Optional priority field for the connection group.
    A value of **0** indicates the highest priority.
    If a priority is required but has not been configured, the package will fail because it can't determine the correct connection group to use.| -  +### Parameters that define the packages in the connection group -### Parameters that define the packages in the connection group +In the **<Packages>** section of the connection group XML file, you list the member packages in the connection group by specifying each package’s unique package identifier and version identifier, as described in the following table. The first package in the list has the highest precedence. -In the <Packages> section of the connection group XML file, you list the member packages in the connection group by specifying each package’s unique package identifier and version identifier, as described in the following table. The first package in the list has the highest precedence. +|Field|Description| +|---|---| +|PackageId|Unique GUID identifier for this package. This GUID doesn’t change when newer versions of the package are published.| +|VersionId|Unique GUID identifier for the version of the package.
    If you specify “*” for the package version, the GUID of the latest available package version is dynamically inserted.| +|IsOptional|Parameter that enables you to make a package optional within the connection group. Valid entries are:
    - “**true**”—package is optional in the connection group
    - “**false**”—package is required in the connection group| - ---- - - - - - - - - - - - - - - - - - - - - -
    FieldDescription

    PackageId

    Unique GUID identifier for this package. This GUID doesn’t change when newer versions of the package are published.

    VersionId

    Unique GUID identifier for the version of the package.

    -

    If you specify “*” for the package version, the GUID of the latest available package version is dynamically inserted.

    IsOptional

    Parameter that enables you to make a package optional within the connection group. Valid entries are:

    -
      -
    • “true” – package is optional in the connection group

    • -
    • “false” – package is required in the connection group

    • -
    -
    +### App-V example connection group XML file -  +The following example connection group XML file shows examples of the fields listed in the previous tables. -### App-V example connection group XML file - -The following example connection group XML file shows examples of the fields in the previous tables. - -``` +```XML + /> Configuring the priority of packages in a connection group - +## Configuring the priority of packages in a connection group Package precedence is configured using the package list order. The first package in the document has the highest precedence. Subsequent packages in the list have descending priority. 
@@ -185,84 +87,56 @@ Package precedence is the resolution for otherwise inevitable resource collision You can use the connection group file to configure each connection group by using the following methods: -- Specify runtime priorities for connection groups. To edit priority by using the App-V Management Console, click the connection group and then click **Edit**. +- Specify runtime priorities for connection groups. To edit priority by using the App-V Management Console, select the connection group and then select **Edit**. - **Note**   - Priority is required only if the package is associated with more than one connection group. + >[!NOTE] + >A package only requires priority if it's associated with more than one connection group. +- Specify package precedence within the connection group. -   +The priority field is required when a running virtual application initiates from a native application request, such as Microsoft Windows Explorer. The App-V client uses the priority to determine which connection group virtual environment the application should run in. This situation occurs if a virtual application is part of multiple connection groups. -- Specify package precedence within the connection group. +If a virtual application is opened using another virtual application, the client will use the orignal virtual application's virtual environment. The priority field is not used in this case. -The priority field is required when a running virtual application initiates from a native application request, for example, Microsoft Windows Explorer. The App-V client uses the priority to determine which connection group virtual environment the application should run in. This situation occurs if a virtual application is part of multiple connection groups. - -If a virtual application is opened using another virtual application the virtual environment of the original virtual application will be used. The priority field is not used in this case. 
- -**Example:** +The following is an example of priority configuration: The virtual application Microsoft Outlook is running in virtual environment **XYZ**. When you open an attached Microsoft Word document, a virtualized version Microsoft Word opens in the virtual environment **XYZ**, regardless of the virtualized Microsoft Word’s associated connection groups or runtime priorities. -## Supported virtual application connection configurations +## Supported virtual application connection configurations -The following application connection configurations are supported. +App-V supports the following application connection configurations. -- **An. exe file and plug-in (.dll)**. For example, you might want to distribute Microsoft Office to all users, but distribute a Microsoft Excel plug-in to only a subset of users. +- **An .exe file and plug-in (.dll)**. For example, you might want to distribute Microsoft Office to all users, but only distribute a Microsoft Excel plug-in to a small subset of those users. Enable the connection group for the appropriate users. Update each package individually as required. -- **An. exe file and a middleware application**. You might have an application that requires a middleware application, or several applications that all depend on the same middleware runtime version. +- **An .exe file and a middleware application**. This is for cases where you have an application that requires a middleware application, or several applications that all depend on the same middleware runtime version. All computers that require one or more of the applications receive the connection groups with the application and middleware application runtime. You can optionally combine multiple middleware applications into a single connection group. - - - - - - - - - - - - - - - - - - - - - -
    ExampleExample description

    Virtual application connection group for the financial division

      -
    • Middleware application 1

    • -
    • Middleware application 2

    • -
    • Middleware application 3

    • -
    • Middleware application runtime

    • -

    Virtual application connection group for HR division

      -
    • Middleware application 5

    • -
    • Middleware application 6

    • -
    • Middleware application runtime

    • -
    + |Example|Example description| + |---|---| + |Virtual application connection group for the financial division|- Middleware application 1
    - Middleware application 2
    - Middleware application 3
    - Middleware application runtime| + |Virtual application connection group for HR division|- Middleware application 5
    - Middleware application 6
    - Middleware application runtime| -- **An. exe file and an .exe file**. You might have an application that relies on another application, and you want to keep the packages separate for operational efficiencies, licensing restrictions, or rollout timelines. +- **An. exe file and an .exe file**. This is for cases where you have an application that relies on another application, but you want to keep the packages separate for operational efficiencies, licensing restrictions, or rollout timelines. For example, if you are deploying Microsoft Lync 2010, you can use three packages: - - Microsoft Office 2010 + + - Microsoft Office 2010 - Microsoft Communicator 2007 - - Microsoft Lync 2010

    - - You can manage the deployment using the following connection groups: + - Microsoft Lync 2010 + + You can manage the deployment with the following connection groups: + - Microsoft Office 2010 and Microsoft Communicator 2007 - - Microsoft Office 2010 and Microsoft Lync 2010

    - - When the deployment has completed, you can either create a single new Microsoft Office 2010 + Microsoft Lync 2010 package, or keep and maintain them as separate packages and deploy them by using a connection group. + - Microsoft Office 2010 and Microsoft Lync 2010 + + After deployment, you can either create a single new Microsoft Office 2010 + Microsoft Lync 2010 package or keep and maintain them as separate packages and deploy them with a connection group. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Managing Connection Groups](appv-managing-connection-groups.md) +- [Managing connection groups](appv-managing-connection-groups.md) diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md index 6ba91b41f8..26a2f399c9 100644 --- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md +++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md 
@@ -1,112 +1,69 @@ --- -title: About the Connection Group Virtual Environment (Windows 10) -description: About the Connection Group Virtual Environment +title: About the connection group virtual environment (Windows 10) +description: Overview of how the connection group virtual environment works. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 06/25/2018 --- +# About the connection group virtual environment +>Applies to: Windows 10, version 1607 -# About the Connection Group Virtual Environment +## How package priority is determined -**Applies to** -- Windows 10, version 1607 - -**In this topic:** - -- [How package priority is determined](#bkmk-pkg-priority-deter) - -- [Merging identical package paths into one virtual directory in connection groups](#bkmk-merged-root-ve-exp) - -## How package priority is determined - - -The virtual environment and its current state are associated with the connection group, not with the individual packages. If an App-V package is removed from the connection group, the state that existed as part of the connection group will not migrate with the package. +The virtual environment and its current state are associated with the connection group, not with the individual packages. If you remove an App-V package from the connection group, the state that existed as part of the connection group will not migrate with the package. If the same package is a part of two different connection groups, you have to indicate which connection group App-V should use. For example, you might have two packages in a connection group that each define the same registry DWORD value. The connection group that is used is based on the order in which a package appears inside the **AppConnectionGroup** XML document: -- The first package has the highest precedence. - -- The second package has the second highest precedence. 
+- The first package has the highest precedence. +- The second package has the second highest precedence. Consider the following example section: -``` syntax +```XML ``` -Assume that same DWORD value ABC (HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region) is defined in the first and third package, such as: +Assume that same DWORD value ABC (HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region) is defined in the first and third package. -- Package 1 (A8731008-4523-4713-83A4-CD1363907160): HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=5 +For this example, the DWORD value definition would be the following: -- Package 3 (04220DCA-EE77-42BE-A9F5-96FD8E8593F2): HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=10 +- Package 1 (A8731008-4523-4713-83A4-CD1363907160): HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=5 +- Package 3 (04220DCA-EE77-42BE-A9F5-96FD8E8593F2): HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=10 Since Package 1 appears first, the AppConnectionGroup's virtual environment will have the single DWORD value of 5 (HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=5). This means that the virtual applications in Package 1, Package 2, and Package 3 will all see the value 5 when they query for HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region. -Other virtual environment resources are resolved similarly, but the usual case is that the collisions occur in the registry. +Other virtual environment resources are resolved in a similar way, but usually collisions occur in the registry. -## Merging identical package paths into one virtual directory in connection groups +## Merging identical package paths into one virtual directory in connection groups +If two or more packages in a connection group contain identical directory paths, the paths are merged into a single virtual directory inside the connection group's virtual environment. 
Merging these paths allows an application in one package to access files that are in a different package. -If two or more packages in a connection group contain identical directory paths, the paths are merged into a single virtual directory inside the connection group virtual environment. This merging of paths allows an application in one package to access files that are in a different package. +When you remove a package from a connection group, the removed package's applications can no longer access files from packages in the connection group it was removed from. -When you remove a package from a connection group, the applications in that removed package are no longer able to access files in the remaining packages in the connection group. - -The order in which App-V looks up a file’s name in the connection group is specified by the order in which the App-V packages are listed in the connection group manifest file. +App-V looks up a file’s name in the connection group in the order App-V packages are listed in the connection group manifest file. The following example shows the order and relationship of a file name lookup in a connection group for **Package A** and **Package B**. - ---- - - - - - - - - - - - - - - - - -
    Package APackage B

    C:\Windows\System32

    C:\Windows\System32

    C:\AppTest

    C:\AppTest

    +|Package A|Package B| +|---|---| +|C:\Windows\System32|C:\Windows\System32| +|C:\AppTest|C:\AppTest| -  +When a virtualized application tries to find a specific file, App-V will first for a matching file path in Package A. If it doesn't find a matching path in Package A, it will then search Package B using the following mapping rules: -In the example above, when a virtualized application tries to find a specific file, Package A is searched first for a matching file path. If a matching path is not found, Package B is searched, using the following mapping rules: - -- If a file named **test.txt** exists in the same virtual folder hierarchy in both application packages, the first matching file is used. - -- If a file named **bar.txt** exists in the virtual folder hierarchy of one application package, but not in the other, the first matching file is used. +- If a file named **test.txt** exists in the same virtual folder hierarchy in both application packages, App-V will use the first matching file. +- If a file named **bar.txt** exists in the virtual folder hierarchy of one application package, but not in the other, App-V will use the first matching file. ## Have a suggestion for App-V? - -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics - -[Managing Connection Groups](appv-managing-connection-groups.md) - -  - -  - - - - - +- [Managing Connection Groups](appv-managing-connection-groups.md) \ No newline at end of file diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md index 83cff76b90..9ee866698b 100644 --- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md +++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md 
@@ -1,64 +1,92 @@ --- -title: How to Convert a Package Created in a Previous Version of App-V (Windows 10) -description: How to Convert a Package Created in a Previous Version of App-V +title: How to convert a package created in a previous version of App-V (Windows 10) +description: How to convert a package created in a previous version of App-V. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 07/10/2018 --- +# How to convert a package created in a previous version of App-V +>Applies to: Windows 10, version 1607 -# How to Convert a Package Created in a Previous Version of App-V +You can use the package converter utility to upgrade virtual application packages created by previous versions of App-V. This section will tell you how to convert existing virtual application packages for upgrade. -**Applies to** -- Windows 10, version 1607 +>[!NOTE] +>If you are running a computer with a 64-bit architecture, you must use the x86 version of Windows PowerShell. -You can use the package converter utility to upgrade virtual application packages that have been created with previous versions of App-V. +The package converter can only directly convert packages created by an App-V sequencer version 4.5 or later. Packages created with an App-V version earlier than 4.5 must be upgraded to at least App-V 4.5 before conversion. -> [!NOTE] -> If you are running a computer with a 64-bit architecture, you must use the x86 version of Windows PowerShell. - -The package converter can only directly convert packages that were created by using the App-V 4.5 sequencer or later. Packages that were created using a version prior to App-V 4.5 must be upgraded to at least App-V 4.5 before conversion. - -The following information provides direction for converting existing virtual application packages. 
- -> [!IMPORTANT] -> You must configure the package converter to always save the package ingredients file to a secure location and directory. A secure location is accessible only by an administrator. Additionally, when you deploy the package, you should save the package to a location that is secure, or make sure that no other user is allowed to be logged in during the conversion process. +>[!IMPORTANT] +>In order to keep your files secure, you must configure the package converter to always save the package ingredients file to a secure location and directory that can only be accessed by an administrator. When you deploy the package, you should either save the package to a secure location or make sure that no other users can sign in during the conversion process. ## App-V 4.6 installation folder is redirected to virtual file system root -When you convert packages from App-V 4.6 to App-V for Windows 10, the App-V for Windows 10 package can access the hardcoded drive that you were required to use when you created 4.6 packages. The drive letter will be the drive you selected as the installation drive on the 4.6 sequencing machine. (The default drive letter is Q:\\.) +When you convert packages from App-V 4.6 to App-V for Windows 10, the App-V for Windows 10 package can access the hardcoded drive that you were required to use when you created 4.6 packages. The drive letter will be the drive you selected as the installation drive on the 4.6 sequencing machine. (The default drive is drive Q.) -**Technical Details:** The App-V package converter will save the App-V 4.6 installation root folder and short folder names in the FilesystemMetadata.xml file in the Filesystem element. When the App-V for Windows 10 client creates the virtual process, it will map requests from the App-V 4.6 installation root to the virtual file system root. 
+The App-V package converter will save the App-V 4.6 installation root folder and short folder names in the FilesystemMetadata.xml file in the **Filesystem** element. When the App-V for Windows 10 client creates the virtual process, it will map requests from the App-V 4.6 installation root to the virtual file system root. ## Getting started -1. Install the App-V Sequencer on a computer in your environment. For information about how to install the Sequencer, see [How to Install the Sequencer](appv-install-the-sequencer.md). +1. Install the App-V Sequencer on a computer in your environment. For information about how to install the Sequencer, see [How to install the Sequencer](appv-install-the-sequencer.md). -2. The following cmdlets are available: +2. You can enter the following cmdlets to check or convert packages: - - **Test-AppvLegacyPackage** – This cmdlet is designed to check packages. It will return information about any failures with the package such as missing **.sft** files, an invalid source, **.osd** file errors, or invalid package version. This cmdlet will not parse the **.sft** file or do any in depth validation. For information about options and basic functionality for this cmdlet, using Windows PowerShell, type `Test-AppvLegacyPackage -?`. + - **Test-AppvLegacyPackage**—This cmdlet checks packages. It will return information about any failures with the package such as missing **.sft** files, an invalid source, **.osd** file errors, or invalid package version. This cmdlet will not parse the **.sft** file or do any in-depth validation. For information about options and basic functionality for this cmdlet, using Windows PowerShell, enter the following cmdlet: - - **ConvertFrom-AppvLegacyPackage** – To convert an existing package, type `ConvertFrom-AppvLegacyPackage c:\contentStore c:\convertedPackages`. 
In this command, `c:\contentStore` represents the location of the existing package and `c:\convertedPackages` is the output directory to which the resulting App-V for Windows 10 virtual application package file will be saved. By default, if you do not specify a new name, the old package name will be used. + ```PowerShell + Test-AppvLegacyPackage -? + ``` - Additionally, the package converter optimizes performance of packages in App-V for Windows 10 by setting the package to stream fault the App-V package.  This is more performant than the primary feature block and fully downloading the package. The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default. + - **ConvertFrom-AppvLegacyPackage**—This cmdlet converts packages from legacy versions to updated versions. To convert an existing package, enter the following cmdlet: - > [!NOTE] - > Before you specify the output directory, you must create the output directory. + ```PowerShell + ConvertFrom-AppvLegacyPackage C:\contentStore C:\convertedPackages + ``` + + In this cmdlet, `C:\contentStore` represents the location of the existing package and `C:\convertedPackages` is the output directory to which the resulting App-V for Windows 10 virtual application package file will be saved. By default, if you do not specify a new name, the old package name will be used. + + Additionally, the package converter optimizes performance of packages in App-V for Windows 10 by setting the package to stream fault the App-V package.  This is more performant than the primary feature block and fully downloading the package. The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default. + + >[!NOTE] + >Before you specify the output directory, you must create the output directory. ### Advanced Conversion Tips -- Piping - Windows PowerShell supports piping. 
Piping allows you to call `dir c:\contentStore\myPackage | Test-AppvLegacyPackage`. In this example, the directory object that represents `myPackage` will be given as input to the `Test-AppvLegacyPackage` command and bound to the `-Source` parameter. Piping like this is especially useful when you want to batch commands together; for example, `dir .\ | Test-AppvLegacyPackage | ConvertFrom-AppvLegacyAppvPackage -Target .\ConvertedPackages`. This piped command would test the packages and then pass those objects on to actually be converted. You can also apply a filter on packages without errors or only specify a directory which contains an **.sprj** file or pipe them to another cmdlet that adds the filtered package to the server or publishes them to the App-V client. +- Piping—Windows PowerShell supports piping. Piping allows you to enter cmdlets like this example: -- Batching - The Windows PowerShell command enables batching. More specifically, the cmdlets support taking a string\[\] object for the `-Source` parameter which represents a list of directory paths. This allows you to enter `$packages = dir c:\contentStore` and then call `ConvertFrom-AppvLegacyAppvPackage-Source $packages -Target c:\ConvertedPackages` or to use piping and call `dir c:\ContentStore | ConvertFrom-AppvLegacyAppvPackage -Target C:\ConvertedPackages`. + ```PowerShell + dir C:\contentStore\myPackage | Test-AppvLegacyPackage + ``` -- Other functionality - Windows PowerShell has other built-in functionality for features such as aliases, piping, lazy-binding, .NET object, and many others. All of these are usable in Windows PowerShell and can help you create advanced scenarios for the Package Converter. + In this example, the directory object that represents `myPackage` will be given as input to the **Test-AppvLegacyPackage** cmdlet and bound to the *-Source* parameter. 
Piping like this is especially useful when you want to batch commands together, such as in the following example cmdlet: + + ```PowerShell + dir .\ | Test-AppvLegacyPackage | ConvertFrom-AppvLegacyAppvPackage -Target .\ConvertedPackages + ``` + + This piped example command tests packages, then passes the objects on for conversion. You can also apply a filter on packages without errors or only specify a directory which contains an **.sprj** file or pipe them to another cmdlet that adds the filtered package to the server or publishes them to the App-V client. + +- Batching—The Windows PowerShell command enables batching. More specifically, the cmdlets support taking a string\[\] object for the *-Source* parameter that represents a list of directory paths. This allows you to enter the following cmdlets together: + + ```PowerShell + $packages = dir C:\contentStore + ConvertFrom-AppvLegacyAppvPackage-Source $packages -Target C:\ConvertedPackages + ``` + + Alternatively, you can use piping like this: + + ```PowerShell + dir C:\ContentStore | ConvertFrom-AppvLegacyAppvPackage -Target C:\ConvertedPackages + ``` + +- Other functionality—Windows PowerShell has other built-in functionality for features such as aliases, lazy-binding, .NET Object, and many others. These features can help you create advanced scenarios for the Package Converter. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics diff --git a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md index 5a13170e82..19b27e45f8 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md +++ b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md 
@@ -1,87 +1,63 @@ --- -title: How to Create a Connection Group with User-Published and Globally Published Packages (Windows 10) -description: How to Create a Connection Group with User-Published and Globally Published Packages +title: How to create a connection croup with user-published and globally published packages (Windows 10) +description: How to create a connection croup with user-published and globally published packages. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 07/10/2018 --- +# How to create a connection croup with user-published and globally published packages - -# How to Create a Connection Group with User-Published and Globally Published Packages - -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 You can create user-entitled connection groups that contain both user-published and globally published packages, using either of the following methods: -- [How to use Windows PowerShell cmdlets to create user-entitled connection groups](#how-to-use-windows-powershell-cmdlets-to-create-user-entitled-connection-groups) +- [How to use Windows PowerShell cmdlets to create user-entitled connection groups](#how-to-use-windows-powershell-cmdlets-to-create-user-entitled-connection-groups) +- [How to use the App-V Server to create user-entitled connection groups](#how-to-use-the-app-v-server-to-create-user-entitled-connection-groups) -- [How to use the App-V Server to create user-entitled connection groups](#how-to-use-the-app-v-server-to-create-user-entitled-connection-groups) +## Unsupported scenarios and potential issues -## What to know before you start: +Here are some important things to know before you get started: - ---- - - - - - - - - - - - - - - - - -
    Unsupported scenarios and potential issuesResult

    You cannot include user-published packages in globally entitled connection groups.

    The connection group will fail.

    If you publish a package globally and then create a user-published connection group in which you’ve made that package non-optional, you can still run Unpublish-AppvClientPackage <package> -global to unpublish the package, even when that package is being used in another connection group.

    If any other connection groups are using that package, the package will fail in those connection groups.

    -

    To avoid inadvertently unpublishing a non-optional package that is being used in another connection group, we recommend that you track the connection groups in which you’ve used a non-optional package.

    - -  +- If you add user-published packages in globally entitled connection groups, the connection group will fail. +- Track the connection groups where you've used a non-optional package before removing it with the **Unpublish-AppvClientPackage <package> -global** cmdlet. + + In situations where you have a gobally published package that's listed as non-optional in a user-published connection group that also appears in other packages, running **Unpublish-AppvClientPackage <package> -global** cmdlet can unpublish the package from every connection group containing that package. Tracking connection groups can help you avoid unintentionally unpublishing non-optional packages. ## How to use Windows PowerShell cmdlets to create user-entitled connection groups -1. Add and publish packages by using the following commands: +1. Add and publish packages by using the following commands: - ``` + ```PowerShell Add-AppvClientPackage Add-AppvClientPackage Publish-AppvClientPackage -PackageId  -VersionId -Global Publish-AppvClientPackage -PackageId -VersionId  ``` -2. Create the connection group XML file. For more information, see [About the Connection Group File](appv-connection-group-file.md). +2. Create the connection group XML file. For more information, see [About the connection group file](appv-connection-group-file.md). -3. Add and publish the connection group by using the following commands: +3. Add and publish the connection group by using the following commands: - ``` + ```PowerShell Add-AppvClientConnectionGroup Enable-AppvClientConnectionGroup -GroupId  -VersionId ``` ## How to use the App-V Server to create user-entitled connection groups -1. Open the App-V Management Console. +1. Open the App-V Management Console. -2. Follow the instructions in [How to Publish a Package by Using the Management Console](appv-publish-a-packages-with-the-management-console.md) to publish packages globally and to the user. +2. 
Follow the instructions in [How to publish a package by using the Management Console](appv-publish-a-packages-with-the-management-console.md) to publish packages globally and to the user. -3. Follow the instructions in [How to Create a Connection Group](appv-create-a-connection-group.md) to create the connection group, and add the user-published and globally published packages. +3. Follow the instructions in [How to create a connection group](appv-create-a-connection-group.md) to create the connection group and add the user-published and globally published packages. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics - -[Managing Connection Groups](appv-managing-connection-groups.md) +- [Managing Connection Groups](appv-managing-connection-groups.md) diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md index 144900c14b..661b95326d 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group.md +++ b/windows/application-management/app-v/appv-create-a-connection-group.md 
@@ -1,51 +1,47 @@ --- -title: How to Create a Connection Group (Windows 10) -description: How to Create a Connection Group +title: How to create a connection group (Windows 10) +description: How to create a connection group with the App-V Management Console. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 07/10/2018 --- +# How to create a connection group +>Applies to: Windows 10, version 1607 -# How to Create a Connection Group +Use these steps to create a connection group by using the App-V Management Console. To use Windows PowerShell to create connection groups, see [How to manage connection groups on a stand-alone computer by using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md). -**Applies to** -- Windows 10, version 1607 +When you place packages in a connection group, their package root paths merge. If you remove packages, only the remaining packages maintain the merged root. -Use these steps to create a connection group by using the App-V Management Console. To use Windows PowerShell to create connection groups, see [How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md). +## Create a connection group -When you place packages in a connection group, their package root paths are merged. If you remove packages, only the remaining packages maintain the merged root. +1. In the App-V Management Console, select **CONNECTION GROUPS** to display the Connection Groups library. -**To create a connection group** +2. Select **ADD CONNECTION GROUP** to create a new connection group. -1. In the App-V Management Console, select **CONNECTION GROUPS** to display the Connection Groups library. +3. In the **New Connection Group** pane, enter a description for the group. -2. 
Select **ADD CONNECTION GROUP** to create a new connection group. +4. Select **EDIT** in the **CONNECTED PACKAGES** pane to add a new application to the connection group. -3. In the **New Connection Group** pane, type a description for the group. +5. In the **PACKAGES Entire Library** pane, select the application to be added, then select the arrow to add the application. -4. Click **EDIT** in the **CONNECTED PACKAGES** pane to add a new application to the connection group. - -5. In the **PACKAGES Entire Library** pane, select the application to be added, and click the arrow to add the application. - - To remove an application, select the application to be removed in the **PACKAGES IN** pane and click the arrow. + To remove an application, select the application to be removed in the **PACKAGES IN** pane and select the arrow. To reprioritize the applications in your connection group, use the arrows in the **PACKAGES IN** pane. - **Important**
    - By default, the Active Directory Domain Services access configurations that are associated with a specific application are not added to the connection group. To transfer the Active Directory access configuration, select **ADD PACKAGE ACCESS TO GROUP ACCESS**, which is located in the **PACKAGES IN** pane. + >[!IMPORTANT] + >By default, the Active Directory Domain Services access configurations that are associated with a specific application are not added to the connection group. To transfer the Active Directory access configuration, select **ADD PACKAGE ACCESS TO GROUP ACCESS**, which is located in the **PACKAGES IN** pane. -6. After adding all the applications and configuring Active Directory access, click **Apply**. +6. After adding all the applications and configuring Active Directory access, select **Apply**. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) - -[Managing Connection Groups](appv-managing-connection-groups.md) +- [Operations for App-V](appv-operations.md) +- [Managing connection groups](appv-managing-connection-groups.md) diff --git a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md index 3aea6099e5..a2d704e613 100644 --- a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md +++ b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md 
@@ -1,41 +1,38 @@ --- -title: How to Create a Custom Configuration File by Using the App-V Management Console (Windows 10) -description: How to Create a Custom Configuration File by Using the App-V Management Console +title: How to create a custom configuration file by using the App-V Management Console (Windows 10) +description: How to create a custom configuration file by using the App-V Management Console. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 07/10/2018 --- +# How to create a custom configuration file by using the App-V Management Console +>Applies to: Windows 10, version 1607 -# How to Create a Custom Configuration File by Using the App-V Management Console +You can use a dynamic configuration to customize an App-V package for a specific user. However, you must first create the dynamic user configuration (.xml) file or the dynamic deployment configuration file before you can use the files. Creation of the file is an advanced manual operation. For general information about dynamic user configuration files, see [About App-V dynamic configuration](appv-dynamic-configuration.md). -**Applies to** -- Windows 10, version 1607 +You can create a dynamic user configuration file with the App-V Management Console by following the steps in this article. -You can use a dynamic configuration to customize an App-V package for a specific user. However, you must first create the dynamic user configuration (.xml) file or the dynamic deployment configuration file before you can use the files. Creation of the file is an advanced manual operation. For general information about dynamic user configuration files, see, [About App-V Dynamic Configuration](appv-dynamic-configuration.md). +## Create a dynamic user configuration file -Use the following procedure to create a Dynamic User Configuration file by using the App-V Management console. +1. 
Right-click the name of the package that you want to view and select **Edit active directory access** to view the configuration that is assigned to a given user group. Alternatively, select the package, and click **Edit**. -**To create a Dynamic User Configuration file** +2. Using the list of **AD Entities with Access**, select the AD group that you want to customize. Select **Custom** from the drop-down list. A link named **Edit** will appear. -1. Right-click the name of the package that you want to view and select **Edit active directory access** to view the configuration that is assigned to a given user group. Alternatively, select the package, and click **Edit**. +3. Select **Edit**. The Dynamic User Configuration assigned to the AD Group will appear. -2. Using the list of **AD Entities with Access**, select the AD group that you want to customize. Select **Custom** from the drop-down list, if it is not already selected. A link named **Edit** will be displayed. +4. Select **Advanced**, and then select **Export Configuration**. Enter a file name and select **Save**. Now you can edit the file to configure a package for a user. -3. Click **Edit**. The Dynamic User Configuration that is assigned to the AD Group will be displayed. - -4. Click **Advanced**, and then click **Export Configuration**. Type in a filename and click **Save**. Now you can edit the file to configure a package for a user. - - **Note**   - To export a configuration while running on Windows Server, you must disable "IE Enhanced Security Configuration". If this is enabled and set to block downloads, you cannot download anything from the App-V Server. + >[!NOTE]   + >If you want to export a configuration while running on Windows Server, make sure to disable the IE Enhanced Security Configuration setting. If this setting is enabled and set to block downloads, you won't be able to download anything from the App-V Server. ## Have a suggestion for App-V? 
-Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) +- [Operations for App-V](appv-operations.md) \ No newline at end of file diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index 5d001bf498..7c228e7c4d 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md 
@@ -1,50 +1,47 @@ --- -title: How to Create a Package Accelerator by Using Windows PowerShell (Windows 10) -description: How to Create a Package Accelerator by Using Windows PowerShell +title: How to create a package accelerator by using Windows PowerShell (Windows 10) +description: How to create a package accelerator with Windows PowerShell. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 07/10/2018 --- +# How to create a package accelerator by using Windows PowerShell +>Applies to: Windows 10, version 1607 -# How to Create a Package Accelerator by Using Windows PowerShell +App-V Package Accelerators automatically sequence large, complex applications. Also, when you apply an App-V Package Accelerator, you don't have to manually install an application to create the virtualized package. -**Applies to** -- Windows 10, version 1607 +## Create a package accelerator -App-V package accelerators automatically sequence large, complex applications. Additionally, when you apply an App-V package accelerator, you are not always required to manually install an application to create the virtualized package. +1. Install the App-V sequencer. For more information about installing the sequencer, see [How to install the sequencer](appv-install-the-sequencer.md). +2. To open a Windows PowerShell console, select **Start** and enter **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. +3. Make sure that you have the .appv package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. +4. Enter the **New-AppvPackageAccelerator** cmdlet. -**To create a package accelerator** + The following parameters are required to use the package accelerator cmdlet: -1. Install the App-V sequencer. 
For more information about installing the sequencer see [How to Install the Sequencer](appv-install-the-sequencer.md). + - *InstalledFilesPath* specifies the application installation path. + - *Installer* specifies the path to the application installer media. + - *InputPackagePath* specifies the path to the .appv package. + - *Path* specifies the output directory for the package. -2. To open a Windows PowerShell console, click **Start** and type **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. Use the **New-AppvPackageAccelerator** cmdlet. + The following example cmdlet shows how you can create a package accelerator with an .appv package and the installation media: -3. To create a package accelerator, make sure that you have the .appv package to create an accelerator from, the installation media or installation files, and optionally a read me file for consumers of the accelerator to use. The following parameters are required to use the package accelerator cmdlet: + ```PowerShell + New-AppvPackageAccelerator -InputPackagePath -Installer -Path + ``` - - **InstalledFilesPath** - specifies the application installation path. + You can also use the following optional parameter with the **New-AppvPackageAccelerator** cmdlet: - - **Installer** – specifies the path to the application installer media - - - **InputPackagePath** – specifies the path to the .appv package - - - **Path** – specifies the output directory for the package. - - The following example displays how you can create a package accelerator with an .appv package and the installation media: - - **New-AppvPackageAccelerator -InputPackagePath <path to the .appv file> -Installer <path to the installer executable> -Path <directory of the output path>** - - An additional optional parameter that can be used with the **New-AppvPackageAccelerator** cmdlet is as follows: - - - **AcceleratorDescriptionFile** - specifies the path to user created package accelerator instructions. 
The package accelerator instructions are **.txt** or **.rtf** description files that will be packaged with the package created using the package accelerator. + - *AcceleratorDescriptionFile* specifies the path to user-created package accelerator instructions. The package accelerator instructions are **.txt** or **.rtf** description files that will be included in the package created by the package accelerator. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md) +- [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md index b62f27281a..49be3c2a97 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md 
@@ -1,79 +1,77 @@ --- -title: How to Create a Package Accelerator (Windows 10) -description: How to Create a Package Accelerator +title: How to create a package accelerator (Windows 10) +description: How to create a package accelerator. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 07/10/2018 --- +# How to create a package accelerator +>Applies to: Windows 10, version 1607 -# How to Create a Package Accelerator +App-V Package Accelerators automatically generate new virtual application packages. -**Applies to** -- Windows 10, version 1607 - -App-V package accelerators automatically generate new virtual application packages. - ->**Note**  You can use Windows PowerShell to create a package accelerator. For more information see [How to Create a Package Accelerator by Using Windows PowerShell](appv-create-a-package-accelerator-with-powershell.md). +>[!NOTE] +>You can use Windows PowerShell to create a package accelerator. For more information, see [How to create a package accelerator by using Windows PowerShell](appv-create-a-package-accelerator-with-powershell.md). Use the following procedure to create a package accelerator. ->**Important** -> - Package Accelerators can contain password and user-specific information. Therefore you must save Package Accelerators and the associated installation media in a secure location, and you should digitally sign the Package Accelerator after you create it so that the publisher can be verified when the App-V Package Accelerator is applied. -> - Before you begin the following procedure, perform the following: - - Copy the virtual application package that you will use to create the package accelerator locally to the computer running the sequencer. - - Copy all required installation files associated with the virtual application package to the computer running the sequencer. 
-> - The App-V Sequencer does not grant any license rights to the software application you are using to create the Package Accelerator. You must abide by all end user license terms for the application you are using. It is your responsibility to make sure the software application’s license terms allow you to create a Package Accelerator using App-V Sequencer. +>[!IMPORTANT] +> +>- Because package accelerators can contain password and user-specific information, you should save package accelerators and the associated installation media in a secure location, and you should also digitally sign the package accelerator after creating it so that you can verify the publisher when applying the App-V Package Accelerator. +>- Before you begin creating a package accelerator, do the following: +> - Copy the virtual application package that you will use to create the package accelerator locally to the computer running the sequencer. +> - Copy all required installation files associated with the virtual application package to the computer running the sequencer. +>- The App-V Sequencer does not grant any license rights to the software application you are using to create the package accelerator. You must abide by all end user license terms for the application you are using. It is your responsibility to make sure the software application’s license terms allow you to create a package accelerator with the App-V sequencer. -## To create a package accelerator +## Create a package accelerator -1. To start the App-V sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. +1. To start the App-V sequencer on the computer running the sequencer, select **Start** > **All Programs** > **Microsoft Application Virtualization** > **Microsoft Application Virtualization Sequencer**. -2. 
To start the App-V **Create Package Accelerator** wizard, in the App-V sequencer console, click **Tools** / **Create Accelerator**. +2. To start the App-V **Create Package Accelerator** wizard, in the App-V sequencer console, select **Tools** > **Create Accelerator**. -3. On the **Select Package** page, to specify an existing virtual application package to use to create the Package Accelerator, click **Browse**, and locate the existing virtual application package (.appv file). +3. On the **Select Package** page, select **Browse** to specify an existing virtual application package to use to create the package accelerator, then locate the existing virtual application package (it will appear as an .appv file). - **Tip**
    - Copy the files associated with the virtual application package you plan to use locally to the computer running the Sequencer. - - Click **Next**. + >[!TIP] + >Copy the files associated with the virtual application package you plan to use locally to the computer running the Sequencer. -4. On the **Installation Files** page, to specify the folder that contains the installation files that you used to create the original virtual application package, click **Browse**, and then select the directory that contains the installation files. + Select **Next**. - **Tip**
    - Copy the folder that contains the required installation files to the computer running the Sequencer. +4. Go to the **Installation Files** page and select **Browse**, then select the directory that contains the installation files to specify the folder containing the original virtual package's installation files. -5. If the application is already installed on the computer running the sequencer, to specify the installation file, select **Files installed on local system**. To use this option, the application must already be installed in the default installation location. + >[!TIP] + >Copy the folder that contains the required installation files to the computer running the Sequencer. -6. On the **Gathering Information** page, review the files that were not found in the location specified on the **Installation Files** page of this wizard. If the files displayed are not required, select **Remove these files**, and then click **Next**. If the files are required, click **Previous** and copy the required files to the directory specified on the **Installation Files** page. +5. If the application is already installed on the computer running the sequencer, then select **Files installed on local system** to specify the installation file. To use this option, the application must already be installed in the default installation location. - **Note**
    - You must either remove the unrequired files, or click **Previous** and locate the required files to advance to the next page of this wizard. +6. On the **Gathering Information** page, review the files that you couldn't find in the location specified by the **Installation Files** page. If the files displayed are not required, select **Remove these files**, then select **Next**. If the files are required, select **Previous** and copy the required files to the directory specified on the **Installation Files** page. -7. On the **Select Files** page, carefully review the files that were detected, and clear any file that should be removed from the package accelerator. Select only files that are required for the application to run successfully, and then click **Next**. + >[!NOTE] + >You must either remove the unrequired files or select **Previous** and locate the required files to advance to the next page of this wizard. -8. On the **Verify Applications** page, confirm that all installation files that are required to build the package are displayed. When the Package Accelerator is used to create a new package, all installation files displayed in the **Applications** pane are required to create the package. +7. On the **Select Files** page, carefully review the detected files. Clear any file the package accelerator doesn't need to run successfully and select only the files that the application requires. When you're done, select **Next**. - If necessary, to add additional Installer files, click **Add**. To remove unnecessary installation files, select the Installer file, and then click **Delete**. To edit the properties associated with an installer, click **Edit**. The installation files specified in this step will be required when the Package Accelerator is used to create a new virtual application package. After you have confirmed the information displayed, click **Next**. +8. 
Confirm that the **Verify Applications** page displays all installation files required to build the package. The package accelerator requires all installation files displayed in the **Applications** pane in order to create the package. -9. On the **Select Guidance** page, to specify a file that contains information about how the Package Accelerator, click **Browse**. For example, this file can contain information about how the computer running the Sequencer should be configured, application prerequisite information for target computers, and general notes. You should provide all required information for the Package Accelerator to be successfully applied. The file you select must be in rich text (.rtf) or text file (.txt) format. Click **Next**. + If you need to add additional Installer files, select **Add**. To remove unnecessary installation files, select the **Installer file**, then select **Delete**. To edit the properties associated with an installer, select **Edit**. The package accelerator requires the installation files specified in this step to create a new virtual application package. After you have confirmed the information displayed, select **Next**. -10. On the **Create Package Accelerator** page, to specify where to save the Package Accelerator, click **Browse** and select the directory. +9. On the **Select Guidance** page, select **Browse** to specify the file that will provide the package accelerator with application instructions. For example, this file can contain information about how the computer running the Sequencer should be configured, application prerequisite information for target computers, and general notes. You should provide all required information for successful package accelerator application. The file you select must be in rich text (.rtf) or text file (.txt) format. After specifying the file, select **Next**. -11. On the **Completion** page, to close the **Create Package Accelerator** wizard, click **Close**. +10. 
On the **Create Package Accelerator** page, select **Browse** and select the directory where you want to save the package accelerator. - **Important**
    - To help ensure that the package accelerator is as secure as possible, and so that the publisher can be verified when the package accelerator is applied, you should always digitally sign the package accelerator. +11. On the **Completion** page, select **Close**. + + >[!IMPORTANT] + >You should always digitally sign the package accelerator to ensure that it is secure and can be verified by a publisher during application. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) - -[How to Create a Virtual Application Package Using an App-V Package Accelerator](appv-create-a-virtual-application-package-package-accelerator.md) +- [Operations for App-V](appv-operations.md) +- [How to create a virtual application package using an App-V Package Accelerator](appv-create-a-virtual-application-package-package-accelerator.md) diff --git a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md index d816a91315..2742b4002f 100644 --- a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md 
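Review bot: The reworded `[!IMPORTANT]` note after step 11 reverses who verifies whom: the removed text said to sign the package accelerator "so that the publisher can be verified when the package accelerator is applied", while the new text says it "can be verified by a publisher during application". It also says signing ensures the accelerator "is secure", but a signature only lets the person applying it check origin and integrity; it does not protect the password and user-specific information that the first note in this hunk says an accelerator can contain. I would write `>You should always digitally sign the package accelerator so that whoever applies it can verify the publisher and detect tampering.` The first `[!IMPORTANT]` block in this hunk also softens "you must save Package Accelerators ... in a secure location" to "you should save"; keeping "must" there would preserve the original storage requirement.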
@@ -1,79 +1,76 @@ --- -title: How to Create a Virtual Application Package Using an App-V Package Accelerator (Windows 10) -description: How to Create a Virtual Application Package Using an App-V Package Accelerator +title: How to create a virtual application package using an App-V Package Accelerator (Windows 10) +description: How to create a virtual application package using an App-V Package Accelerator. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 07/10/2018 --- +# How to create a virtual application package using an App-V Package Accelerator - -# How to Create a Virtual Application Package Using an App-V Package Accelerator - -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 Use the following procedure to create a virtual application package with the App-V Package Accelerator. -> **Important**  The App-V Sequencer does not grant any license rights to the software application that you use to create the Package Accelerator. You must abide by all end user license terms for the application that you use. It is your responsibility to make sure that the software application’s license terms allow you to create a Package Accelerator with the App-V Sequencer. +>[!IMPORTANT] +>The App-V Sequencer does not grant any license rights to the software application that you use to create the package accelerator. You must abide by all end user license terms for the application that you use. It is your responsibility to make sure that the software application’s license terms allow you to create a package accelerator with the App-V Sequencer. -**To create a virtual application package with an App-V Package Accelerator** +## Create a virtual application package with an App-V Package Accelerator -1. Be sure that the required Package Accelerator has been copied locally to the computer that runs the App-V Sequencer. 
Also copy all required installation files for the package to a local folder on the computer that runs the Sequencer. This is the folder that you have to specify in step 6 of this procedure. +1. Make sure you've copied the required package accelerator locally to the computer running the App-V Sequencer. Also make sure to copy all required installation files for the package to a local folder on the computer running the Sequencer. This is the folder that you have to specify in step 6 of this procedure. -2. To start the App-V Sequencer, on the computer that runs the App-V Sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. +2. To start the App-V Sequencer on the computer that runs the Sequencer, go to **Start** > **All Programs** > **Microsoft Application Virtualization** > **Microsoft Application Virtualization Sequencer**. -3. To start the **Create New Package Wizard**, click **Create a New Virtual Application Package**. To create the package, select the **Create Package using a Package Accelerator** check box, and then click **Next**. +3. Select **Create a New Virtual Application Package**. To create the package, select the **Create Package using a Package Accelerator** check box, then select **Next**. -4. To specify the package accelerator that will be used to create the new virtual application package, click **Browse** on the **Select Package Accelerator** page. Click **Next**. +4. To specify the package accelerator that will be used to create the new virtual application package, select **Browse** on the **Select Package Accelerator** page. Select **Next**. - > **Important**  If the publisher of the package accelerator cannot be verified and does not contain a valid digital signature, then before you click **Run**, you must confirm that you trust the source of the package accelerator. Confirm your choice in the **Security Warning** dialog box. 
+ >[!IMPORTANT] + >If the publisher of the package accelerator cannot be verified and does not contain a valid digital signature, then before you select **Run**, you must confirm that you trust the source of the package accelerator. Confirm your choice in the **Security Warning** dialog box. -5. On the **Guidance** page, review the publishing guidance information that is displayed in the information pane. This information was added when the Package Accelerator was created and it contains guidance about how to create and publish the package. To export the guidance information to a text (.txt) file, click **Export** and specify the location where the file should be saved, and then click **Next**. +5. On the **Guidance** page, review the publishing guidance information that is displayed in the information pane. This information was added when the package accelerator was created and it contains guidance about how to create and publish the package. To export the guidance information to a text (.txt) file, select **Export** and specify the location where the file should be saved, and then select **Next**. -6. On the **Select Installation Files** page, click **Make New Folder** to create a local folder that contains all required installation files for the package, and specify where the folder should be saved. You must also specify a name to be assigned to the folder. You must then copy all required installation files to the location that you specified. If the folder that contains the installation files already exists on the computer that runs the Sequencer, click **Browse** to select the folder. +6. On the **Select Installation Files** page, select **Make New Folder** to create a local folder that contains all required installation files for the package, and specify where the folder should be saved. You must also specify a name to be assigned to the folder. You must then copy all required installation files to the location that you specified. 
If the folder that contains the installation files already exists on the computer that runs the Sequencer, select **Browse** to select the folder. - Alternatively, if you have already copied the installation files to a directory on this computer, click **Make New Folder**, browse to the folder that contains the installation files, and then click **Next**. + Alternatively, if you have already copied the installation files to a directory on this computer, select **Make New Folder**, browse to the folder that contains the installation files, then select **Next**. - > **Note**  You can specify the following types of supported installation files: - > - Windows Installer files (**.msi**) - > - Cabinet files (.cab) - > - Compressed files with a .zip file name extension - > - The actual application files + >[!NOTE] + >You can specify the following types of supported installation files: + > - Windows Installer files (**.msi**) + > - Cabinet files (.cab) + > - Compressed files with a .zip file name extension + > - The actual application files > The following file types are not supported: **.msp** and **.exe** files. If you specify an **.exe** file, you must extract the installation files manually. -7. If the package accelerator requires an application to be installed before you apply the Package Accelerator, and if you have already installed the required application, select **I have installed all applications**, and then click **Next** on the **Local Installation** page. +7. If the package accelerator requires you to install an application before you apply the package accelerator and you have already installed the required application, select **I have installed all applications**, then select **Next** on the **Local Installation** page. -8. On the **Package Name** page, specify a name that will be associated with the package. The name that you specify identifies the package in the App-V Management Console. Click **Next**. +8. 
On the **Package Name** page, specify a name that will be associated with the package. The name you choose will identify the package in the App-V Management Console. Select **Next**. -9. On the **Create Package** page, provide comments that will be associated with the package. The comments should contain identifying information about the package that you are creating. To confirm the location where the package is created, review the information that is displayed in **Save Location**. To compress the package, select **Compress Package**. Select the **Compress Package** check box if the package will be streamed across the network, or when the package size exceeds 4 GB. +9. On the **Create Package** page, provide comments that will be associated with the package. The comments should contain identifying information about the package that you are creating. To confirm the location where the package is created, review the information displayed in **Save Location**. To compress the package, select **Compress Package**. Select the **Compress Package** check box if the package will be streamed across the network or the package size exceeds 4 GB. -10. To create the package, click **Create**. After the package is created, click **Next**. +10. To create the package, select **Create**. After the package is created, select **Next**. -11. On the **Configure Software** page, to enable the Sequencer to configure the applications that are contained in the package, select **Configure Software**. In this step you can configure any associated tasks that must be completed in order to run the application on the target computers. For example, you can configure any associated license agreements. +11. On the **Configure Software** page, to enable the Sequencer to configure the applications contained within the package, select **Configure Software**. **Configure Software** will let you configure any associated tasks required to run the application on the target computers. 
For example, you can configure any associated license agreements. - If you select **Configure Software**, the following items can be configured using the Sequencer as part of this step: + The following items can be configured using the Sequencer as part of this step: - - **Load Package**. The Sequencer loads the files that are associated with the package. It can take several seconds to an hour to decode the package. + - **Load Package** loads files associated with the package. It can take several seconds to an hour to decode the package. + - **Run Each Program** optionally runs programs contained within the package. This step can help you complete associated license or configuration tasks that must be completed before deploying and running the package on target computers. To run all the programs at once, select at least one program, and then select **Run All**. To run specific programs, select the program or programs that you want to run, and then select **Run Selected**. Complete the required configuration tasks, then close the applications. It can take several minutes for all programs to run. Select **Next**. + - **Save Package** saves the package. + - **Primary Feature Block** optimizes the package for streaming by rebuilding the primary feature block. - - **Run Each Program**. Optionally run the programs that are contained in the package. This step is helpful to complete any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at once, select at least one program, and then click **Run All**. To run specific programs, select the program or programs that you want to run, and then click **Run Selected**. Complete the required configuration tasks, and then close the applications. It can take several minutes for all programs to run. Click **Next**. + If you don't want to configure the applications, select **Skip this step**, then select **Next**. 
- - **Save Package**. The Sequencer saves the package. +12. On the **Completion** page, after you review the information that is displayed in the **Virtual Application Package Report** pane, select **Close**. - - **Primary Feature Block**. The Sequencer optimizes the package for streaming by rebuilding the primary feature block. - - If you do not want to configure the applications, click **Skip this step**, and then click **Next**. - -12. On the **Completion** page, after you review the information that is displayed in the **Virtual Application Package Report** pane, click **Close**. - - The package is now available in the Sequencer. To edit the package properties, click **Edit \[Package Name\]**. For more information about how to modify a package, see [How to Modify an Existing Virtual Application Package](appv-modify-an-existing-virtual-application-package.md). + The package is now available in the Sequencer. To edit the package properties, select **Edit \[Package Name\]**. For more information about how to modify a package, see [How to modify an existing virtual application package](appv-modify-an-existing-virtual-application-package.md). ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) +- [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md index 383572f210..ee730d4a21 100644 --- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md +++ b/windows/application-management/app-v/appv-create-and-use-a-project-template.md 
@@ -6,60 +6,54 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 07/10/2018 --- - # Create and apply an App-V project template to a sequenced App-V package -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 -You can use an App-V project template (.appvt) file to save commonly applied settings associated with an existing virtual application package. These settings can then be applied when you create new virtual application packages in your environment. Using a project template can streamline the process of creating virtual application packages. App-V project templates differ from App-V Package Accelerators because App-V Package Accelerators are application-specific, while App-V project templates can be applied to multiple applications. For more info about Package Accelerators, see the [How to create a Package Accelerator](appv-create-a-package-accelerator.md) topic. +You can use an App-V Project Template (.appvt) file to save commonly applied settings associated with an existing virtual application package. You can then apply these settings whenever you create new virtual application packages in your environment, streamlining the package creation process. App-V Project Templates differ from App-V Package Accelerators because App-V Package Accelerators are application-specific, while App-V Project Templates can be applied to multiple applications. To learn more about package accelerators, see [How to create a package accelerator](appv-create-a-package-accelerator.md). >[!IMPORTANT] ->In Windows 10, version 1703, running the new-appvsequencerpackage or the update-appvsequencepackage cmdlets automatically captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. 
If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template. - +>In Windows 10, version 1703, running the **New-AppvSequencerPackage** or the **Update-AppvSequencerPackage** cmdlets will automatically capture and store your customizations as an App-V Project Template. If you want to make changes to this package later, you can automatically load your customizations from this template file. If you have an auto-saved template and you attempt to load another template through the *TemplateFilePath* parameter, the customization value from the parameter will override the auto-saved template. ## Create a project template + You must first create and save a project template, including a virtual app package with settings to be used by the template. -**To create a project template** - -1. On the device running the App-V Sequencer, click **Start**, click **All Programs**, click **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. +1. On the device running the App-V Sequencer, select **Start**, select **All Programs**, select **Microsoft Application Virtualization**, and then select **Microsoft Application Virtualization Sequencer**. >[!NOTE] >If the virtual app package is currently open in the App-V Sequencer console, skip to Step 3 of this procedure. -2. On the **File** menu, click **Open**, click **Edit Package**, browse for the virtual app package that includes the settings you want to save with the App-V project template, and then click **Edit** to change any of the settings or info included in the file. +2. On the **File** menu, select **Open**, select **Edit Package**, browse for the virtual app package that includes the settings you want to save with the App-V Project Template, and then select **Edit** to change any of the settings or info included in the file. -3. 
On the **File** menu, click **Save As Template**, review the settings associated with the new template, click **OK**, name your new template, and then click **Save**. +3. On the **File** menu, select **Save As Template**, review the settings associated with the new template, select **OK**, name your new template, and then select **Save**. - The new App-V project template is saved in the folder you specified. + The new App-V Project Template is saved in the folder you specified. ## Apply a project template + After creating the template, you can apply it to all of your new virtual app packages, automatically including all of the settings. >[!IMPORTANT] ->Virtual app packages don't support using both a project template and a Package Accelerator together. +>Virtual app packages don't support using both a project template and a package accelerator at the same time. -1. On the device running the App-V Sequencer, click **Start**, click **All Programs**, click **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. +1. On the device running the App-V Sequencer, select **Start** > **All Programs** > **Microsoft Application Virtualization** > **Microsoft Application Virtualization Sequencer**. -2. On the **File** menu, click **New From Template**, browse to your newly created project template, and then click **Open**. +2. On the **File** menu, select **New From Template**, browse to your newly created project template and select **Open**. 3. Create your new virtual app package. The settings saved with your template are automatically applied. 
### Related topics + - [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - - [How to install the App-V Sequencer](appv-install-the-sequencer.md) - - [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server) - - [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) - - [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) - - [Manually sequence a new app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md) -**Have a suggestion for App-V?**

    -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +## Have a suggestion for App-V? + +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md index 92958f3b25..e6c441feb7 100644 --- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md +++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md @@ -1,6 +1,6 @@ --- -title: Creating and Managing App-V Virtualized Applications (Windows 10) -description: Creating and Managing App-V Virtualized Applications +title: Creating and managing App-V virtualized applications (Windows 10) +description: Creating and managing App-V virtualized applications author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -8,7 +8,7 @@ ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 --- -# Creating and Managing App-V Virtualized Applications +# Creating and managing App-V virtualized applications >Applies to: Windows 10, version 1607 diff --git a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md index 9a7fd827bf..a364b60032 100644 --- a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md +++ b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md 
@@ -1,40 +1,37 @@ --- -title: How to Customize Virtual Applications Extensions for a Specific AD Group by Using the Management Console (Windows 10) -description: How to Customize Virtual Applications Extensions for a Specific AD Group by Using the Management Console +title: How to customize virtual application extensions for a specific AD group by using the Management Console (Windows 10) +description: How to customize virtual application extensions for a specific AD group by using the Management Console. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 07/10/2018 --- +# How to customize virtual applications extensions for a specific AD group by using the Management Console - -# How to Customize Virtual Applications Extensions for a Specific AD Group by Using the Management Console - -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 Use the following procedure to customize the virtual application extensions for an Active Directory (AD) group. -**To customize virtual applications extensions for an AD group** +## Customize virtual applications extensions for an AD group -1. To view the package that you want to configure, open the App-V Management Console. To view the configuration that is assigned to a given user group, select the package, and right-click the package name and select **Edit active directory access**. Alternatively, select the package and click **EDIT** in the **AD ACCESS** pane. +1. To view the package that you want to configure, open the App-V Management Console. To view the configuration assigned to a given user group, select the package, then right-click the package name and select **Edit active directory access**. Alternatively, select the package and select **EDIT** in the **AD ACCESS** pane. -2. To customize an AD group, you can find the group from the list of **AD Entities with Access**. 
Then, using the drop-down box in the **Assigned Configuration** pane, select **Custom**, and then click **EDIT**. +2. To customize an AD group, you can find the group from the list of **AD Entities with Access**. Then, using the drop-down box in the **Assigned Configuration** pane, select **Custom**, and then select **EDIT**. -3. To disable all extensions for a given application, clear **ENABLE**. +3. To disable all extensions for a given application, clear **ENABLE**. - To add a new shortcut for the selected application, right-click the application in the **SHORTCUTS** pane, and select **Add new shortcut**. To remove a shortcut, right-click the application in the **SHORTCUTS** pane, and select **Remove Shortcut**. To edit an existing shortcut, right-click the application, and select **Edit Shortcut**. + To add a new shortcut for the selected application, right-click the application in the **SHORTCUTS** pane, and select **Add new shortcut**. To remove a shortcut, right-click the application in the **SHORTCUTS** pane and select **Remove Shortcut**. To edit an existing shortcut, right-click the application and select **Edit Shortcut**. -4. To view any other application extensions, click **Advanced**, and click **Export Configuration**. Type in a filename and click **Save**. You can view all application extensions that are associated with the package using the configuration file. +4. To view any other application extensions, select **Advanced**, and select **Export Configuration**. Enter a filename and select **Save**. You can view all application extensions that are associated with the package using the configuration file. -5. To edit additional application extensions, modify the configuration file and click **Import and Overwrite this Configuration**. Select the modified file and click **Open**. In the dialog, click **Overwrite** to complete the process. +5. 
To edit additional application extensions, modify the configuration file and select **Import and Overwrite this Configuration**. Select the modified file and select **Open**. In the dialog, select **Overwrite** to complete the process. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) +- [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md index 28f695046f..7665805a14 100644 --- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md +++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md @@ -33,7 +33,7 @@ To use %AppData% folder redirection, you must: * Files under %appdata%\Microsoft\AppV\Client\Catalog * Registry settings under HKEY_CURRENT_USER\Software\Microsoft\AppV\Client\Packages -For more information, see [Application publishing and client interaction](appv-application-publishing-and-client-interaction.md#bkmk-clt-inter-roam-reqs). +For more information, see [Application publishing and client interaction](appv-application-publishing-and-client-interaction.md#roaming-requirements-and-user-catalog-data-storage). ## Unsupported scenarios for App-V folder redirection diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md index afe9597029..32ae6b094c 100644 --- a/windows/application-management/app-v/appv-reporting.md +++ b/windows/application-management/app-v/appv-reporting.md 
@@ -200,7 +200,7 @@ To retrieve report information and create reports using App-V you must use one o To run the Microsoft SQL Server Scheduled Stored procedure, the Microsoft SQL Server Agent must be running. Make sure the Microsoft SQL Server Agent is set to **AutoStart**. For more information, see [Autostart SQL Server Agent (SQL Server Management Studio)](https://docs.microsoft.com/en-us/sql/ssms/agent/autostart-sql-server-agent-sql-server-management-studio). - The stored procedure is also created when when you use the App-V database scripts. + The stored procedure is also created when you use the App-V database scripts. You should also ensure that the reporting server web service’s **Maximum Concurrent Connections** is set to a value that the server can manage without affecting availability. The recommended number of **Maximum Concurrent Connections** for the **Reporting Web Service** is **10,000**. diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md index 54b1306b2e..e2244bcd6a 100644 --- a/windows/application-management/app-v/appv-using-the-client-management-console.md +++ b/windows/application-management/app-v/appv-using-the-client-management-console.md @@ -15,7 +15,7 @@ ms.date: 04/19/2017 **Applies to** - Windows 10, version 1607 -This topic provides information about about using the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client. +This topic provides information about using the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client. ## Obtain the client management console diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index 08850b0417..f29b02af29 100644 --- a/windows/application-management/apps-in-windows-10.md 
+++ b/windows/application-management/apps-in-windows-10.md @@ -7,8 +7,8 @@ ms.sitesec: library ms.pagetype: mobile ms.author: elizapo author: lizap -ms.localizationpriority: low -ms.date: 01/24/2018 +ms.localizationpriority: medium +ms.date: 07/10/2018 --- # Understand the different apps included in Windows 10 @@ -23,7 +23,7 @@ Digging into the Windows apps, there are two categories: - Provisioned: Installed the first time you sign into Windows. You'll see a tile or Start menu item for these apps, but they aren't installed until the first sign-in. - Installed: Installed as part of the OS. -The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1607, 1703, and 1709, and indicate whether an app can be uninstalled through the UI. +The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1607, 1703, and 1709, and indicate whether an app can be uninstalled through the UI. Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running. 
@@ -32,115 +32,146 @@ Some of the apps show up in multiple tables - that's because their status change > ```powershell > Get-AppxPackage |Select Name,PackageFamilyName > Get-AppxProvisionedPackage -Online | select DisplayName,PackageName -> ``` - +> ``` ## System apps -System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1607, 1703, and 1709. -| Name | Full name | 1607 | 1703 | 1709 |Uninstall through UI? | -|------------------|-------------------------------------------|------|------|------|-------------------------------------------------------| -| Cortana UI | CortanaListenUIApp | | x | | No | -| | Desktop Learning | | x | | No | -| | DesktopView | | x | | No | -| | EnvironmentsApp | | x | | No | -| Mixed Reality + | HoloCamera | | x | | No | -| Mixed Reality + | HoloItemPlayerApp | | x | | No | -| Mixed Reality + | HoloShell | | x | | No | -| | InputApp | | | x | No | -| | Microsoft.AAD.Broker.Plugin | x | x | x | No | -| | Microsoft.AccountsControl | x | x | x | No | -| Hello setup UI | Microsoft.BioEnrollment | x | x | x | No | -| | Microsoft.CredDialogHost | | x | x | No | -| | Microsoft.ECApp | | | x | No | -| | Microsoft.LockApp | x | x | x | No | -| Microsoft Edge | Microsoft.Microsoft.Edge | x | x | x | No | -| | Microsoft.PPIProjection | x | x | x | No | -| | Microsoft.Windows. Apprep.ChxApp | x | x | x | No | -| | Microsoft.Windows. AssignedAccessLockApp | x | x | x | No | -| | Microsoft.Windows. CloudExperienceHost | x | x | x | No | -| | Microsoft.Windows. ContentDeliveryManager | x | x | x | No | -| Cortana | Microsoft.Windows.Cortana | x | x | x | No | -| | Microsoft.Windows. Holographic.FirstRun | | x | x | No | -| | Microsoft.Windows. ModalSharePickerHost | | x | | No | -| | Microsoft.Windows. OOBENetworkCaptivePort | | x | x | No | -| | Microsoft.Windows. OOBENetworkConnectionFlow | | x | x | No | -| | Microsoft.Windows. ParentalControls | x | x | x | No | -| People Hub | Microsoft.Windows. 
PeopleExperienceHost | | | x | No | -| | Microsoft.Windows. PinningConfirmationDialog | | | x | No | -| | Microsoft.Windows. SecHealthUI | | x | x | No | -| | Microsoft.Windows. SecondaryTileExperience | x | x | x | No | -| | Microsoft.Windows. SecureAssessmentBrowser | | x | x | No | -| Start | Microsoft.Windows. ShellExperienceHost | x | x | x | No | -| Windows Feedback | Microsoft.WindowsFeedback | * | * | * | No | -| | Microsoft.XboxGameCallableUI | x | x | x | No | -| Contact Support* | Windows.ContactSupport | x | x | * | Through the Optional Features app | -| Settings | Windows.ImmersiveControlPanel | x | x | x | No | -| Connect | Windows.MiracastView | x | x | | No | -| Print 3D | Windows.Print3D | | | x | Yes | -| Print UI | Windows.PrintDialog | x | x | x | No | +System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1703, 1709, and 1803. -> [!NOTE] -> - The Windows Feedback app changed to the Feedback Hub in version 1607. It's listed in the provisioned apps table below. +| Name | Full name |1703 | 1709 | 1803 |Uninstall through UI? 
| +|------------------|-------------------------------------------|:------:|:------:|:------:|-------------------------------------------------------| +| Cortana UI | CortanaListenUIApp | x | | |No | +| | Desktop Learning | x | | |No | +| | DesktopView | x | | |No | +| | EnvironmentsApp | x | | |No | +| Mixed Reality + | HoloCamera | x | | |No | +| Mixed Reality + | HoloItemPlayerApp | x | | |No | +| Mixed Reality + | HoloShell | x | | |No | +| | InputApp | | x | x |No | +| | Microsoft.AAD.Broker.Plugin | x | x | x |No | +| | Microsoft.AccountsControl | x | x | x |No | +| Hello setup UI | Microsoft.BioEnrollment | x | x | x |No | +| | Microsoft.CredDialogHost | x | x | x |No | +| | Microsoft.ECApp | | x | x |No | +| | Microsoft.LockApp | x | x | x |No | +| Microsoft Edge | Microsoft.Microsoft.Edge | x | x | x |No | +| | Microsoft.PPIProjection | x | x | x |No | +| | Microsoft.Windows. Apprep.ChxApp | x | x | x |No | +| | Microsoft.Windows. AssignedAccessLockApp | x | x | x |No | +| | Microsoft.Windows. CloudExperienceHost | x | x | x |No | +| | Microsoft.Windows. ContentDeliveryManager | x | x | x |No | +| Cortana | Microsoft.Windows.Cortana | x | x | x |No | +| | Microsoft.Windows. Holographic.FirstRun | x | x | x |No | +| | Microsoft.Windows. ModalSharePickerHost | x | | |No | +| | Microsoft.Windows. OOBENetworkCaptivePort | x | x | x |No | +| | Microsoft.Windows. OOBENetworkConnectionFlow | x | x | x |No | +| | Microsoft.Windows. ParentalControls | x | x | x |No | +| People Hub | Microsoft.Windows. PeopleExperienceHost | | x | x |No | +| | Microsoft.Windows. PinningConfirmationDialog | | x | x |No | +| | Microsoft.Windows. SecHealthUI | x | x | x |No | +| | Microsoft.Windows. SecondaryTileExperience | x | x | |No | +| | Microsoft.Windows. SecureAssessmentBrowser | x | x | x |No | +| Start | Microsoft.Windows. 
ShellExperienceHost | x | x | x |No | +| Windows Feedback | Microsoft.WindowsFeedback | * | * | |No | +| | Microsoft.XboxGameCallableUI | x | x | x |No | +| Contact Support* | Windows.ContactSupport | x | * | |Through the Optional Features app | +| Settings | Windows.ImmersiveControlPanel | x | x | |No | +| Connect | Windows.MiracastView | x | | |No | +| Print 3D | Windows.Print3D | | x | |Yes | +| Print UI | Windows.PrintDialog | x | x | x |No | +| Purchase UI | Windows.PurchaseDialog | | | x |No | +| | Microsoft.AsyncTextService | | | x |No | +| | Microsoft.MicrosoftEdgeDevToolsClient | | | x |No | +| | Microsoft.Win32WebViewHost | | | x |No | +| | Microsoft.Windows.CapturePicker | | | x |No | +| | Windows.CBSPreview | | | x |No | +|File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | | x |No | +|File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | | x |No | +|App Resolver | E2A4F912-2574-4A75-9BB0-0D023378592B | | | x |No | +|Add Suggested folder Dialog box| F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE|| | x |No | + +> [!NOTE] > - The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support). -> - As of Windows 10 version 1607, you can use the Optional Features app to uninstall the Contact Support app. ## Installed Windows apps -Here are the typical installed Windows apps in Windows 10 versions 1607, 1703, and 1709. - -| Name | Full name | 1607 | 1703 | 1709 |Uninstall through UI? | -|--------------------|-----------------------------------------|------|------|------|----------------------| -| Remote Desktop | Microsoft.RemoteDesktop | x | x | x | Yes | -| PowerBI | Microsoft.Microsoft PowerBIforWindows | x | x | | Yes | -| Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | x | Yes | -| Eclipse Manager | 46928bounde.EclipseManager | x | x | x | Yes | -| Pandora | PandoraMediaInc.29680B314EFC2 | x | x | x | Yes | -| Photoshop Express | AdobeSystemIncorporated. 
AdobePhotoshop | x | x | x | Yes | -| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | | x | x | Yes | -| Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes | -| Paid Wi-FI | | | x | | Yes | +Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, and 1803. +| Name | Full name | 1703 | 1709 | 1803 |Uninstall through UI? | +|--------------------|------------------------------------------|:----:|:----:|:----:|----------------------| +| Remote Desktop | Microsoft.RemoteDesktop | x | x | | Yes | +| PowerBI | Microsoft.Microsoft PowerBIforWindows | x | | | Yes | +| Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | x | Yes | +| Eclipse Manager | 46928bounde.EclipseManager | x | x | x | Yes | +| Pandora | PandoraMediaInc.29680B314EFC2 | x | x | x | Yes | +| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | x | Yes | +| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | x | x | x | Yes | +| Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes | +| News | Microsoft.BingNews | x | x | x | Yes | +| Flipboard | | | | | Yes | +| | Microsoft.Advertising.Xaml | x | x | x | Yes | +| | Microsoft.NET.Native.Framework.1.2 | x | x | x | Yes | +| | Microsoft.NET.Native.Framework.1.3 | x | x | x | Yes | +| | Microsoft.NET.Native.Framework.1.6 | | x | x | Yes | +| | Microsoft.NET.Native.Framework.1.7 | | | x | Yes | +| | Microsoft.NET.Native.Framework.2.0 | | x | x | Yes | +| | Microsoft.NET.Native.Runtime.1.1 | | x | x | Yes | +| | Microsoft.NET.Native.Runtime.1.3 | x | x | | Yes | +| | Microsoft.NET.Native.Runtime.1.4 | x | x | x | Yes | +| | Microsoft.NET.Native.Runtime.1.6 | | x | x | Yes | +| | Microsoft.NET.Native.Runtime.1.7 | | | x | Yes | +| | Microsoft.NET.Native.Runtime.2.0 | | x | x | Yes | +| | Microsoft.Services.Store.Engagement | | x | x | Yes | +| | Microsoft.VCLibs.120.00 | x | x | x | Yes | +| | Microsoft.VCLibs.140.00 | x | x | x | Yes | +| | Microsoft.VCLibs.120.00.Universal | | x | 
| Yes | +| | Microsoft.VCLibs.140.00.UWPDesktop | | | x | Yes | +| | Microsoft.WinJS.2.0 | x | | | Yes | ## Provisioned Windows apps -Here are the typical provisioned Windows apps in Windows 10 versions 1607, 1703, and 1709. -| Name | Full name | 1607 | 1703 | 1709 | Uninstall through UI? | -|---------------------------------|----------------------------------------|------|------|------|---------------------| -| 3D Builder | Microsoft.3DBuilder | | x | | Yes | -| Alarms & Clock | Microsoft.WindowsAlarms | x | x | x | No | -| App Installer | Microsoft.DesktopAppInstaller | x | x | x | No | -| Calculator | Microsoft.WindowsCalculator | x | x | x | No | -| Camera | Microsoft.WindowsCamera | x | x | x | No | -| Feedback Hub | Microsoft.WindowsFeedbackHub | x | x | x | Yes | -| Get Help | Microsoft.GetHelp | | | x | No | -| Get Office/My Office | Microsoft.Microsoft OfficeHub | x | x | x | Yes | -| Get Skype/Skype (preview)/Skype | Microsoft.SkypeApp | x | x | x | Yes | -| Get Started/Tips | Microsoft.Getstarted | x | x | x | Yes | -| Groove | Microsoft.ZuneMusic | x | x | x | No | -| Mail and Calendar | microsoft.windowscommunicationsapps | x | x | x | No | -| Maps | Microsoft.WindowsMaps | x | x | x | No | -| Messaging | Microsoft.Messaging | x | x | x | No | -| Microsoft 3D Viewer | Microsoft.Microsoft3DViewer | | x | x | No | -| Movies & TV | Microsoft.ZuneVideo | x | x | x | No | -| News | Microsoft.BingNews | x | x | x | Yes | -| OneNote | Microsoft.Office.OneNote | x | x | x | Yes | -| Paint 3D | Microsoft.MSPaint | | x | x | No | -| People | Microsoft.People | x | x | x | No | -| Photos | Microsoft.Windows.Photos | x | x | x | No | -| Print 3D | Microsoft.Print3D | | | x | No | -| Solitaire | Microsoft.MicrosoftSolitaireCollection | x | x | x | Yes | -| Sticky Notes | Microsoft.MicrosoftStickyNotes | x | x | x | No | -| Store | Microsoft.WindowsStore | x | x | x | No | -| Sway | Microsoft.Office.Sway | * | * | x | Yes | -| Voice Recorder                 | 
Microsoft.WindowsSoundRecorder        | x   | x   | x   | No                       | -| Wallet | Microsoft.Wallet | | x | x | No | -| Weather | Microsoft.BingWeather | x | x | x | Yes | -| Xbox | Microsoft.XboxApp | x | x | x | No | -| | Microsoft.OneConnect | x | x | x | No | -| | Microsoft.StorePurchaseApp | x | x | x | No | -| | Microsoft.Xbox.TCUI | | | x | No | -| | Microsoft.XboxGameOverlay | | x | x | No | -| | Microsoft.XboxIdentityProvider | x | x | * | No | -| | Microsoft.XboxSpeech ToTextOverlay | | x | x | No | +Here are the typical provisioned Windows apps in Windows 10 versions 1703, 1709, and 1803. -\* moved from "provisioned" to "installed" in this version. +| Name | Full name | 1703 | 1709 | 1803 | Uninstall through UI? | +|---------------------------------|----------------------------------------|:------:|:------:|:------:|---------------------------| +| 3D Builder | Microsoft.3DBuilder | x | | | Yes | +| Alarms & Clock | Microsoft.WindowsAlarms | x | x | x | No | +| App Installer | Microsoft.DesktopAppInstaller | x | x | x | Via Settings App | +| Calculator | Microsoft.WindowsCalculator | x | x | x | No | +| Camera | Microsoft.WindowsCamera | x | x | x | No | +| Feedback Hub | Microsoft.WindowsFeedbackHub | x | x | x | Yes | +| Get Help | Microsoft.GetHelp | | x | x | No | +| Get Office/My Office | Microsoft.Microsoft OfficeHub | x | x | x | Yes | +| Get Skype/Skype (preview)/Skype | Microsoft.SkypeApp | x | x | x | Yes | +| Get Started/Tips | Microsoft.Getstarted | x | x | x | Yes | +| Groove | Microsoft.ZuneMusic | x | x | x | No | +| Mail and Calendar | Microsoft.windows communicationsapps | x | x | x | No | +| Maps | Microsoft.WindowsMaps | x | x | x | No | +| Messaging | Microsoft.Messaging | x | x | x | No | +| Microsoft 3D Viewer | Microsoft.Microsoft3DViewer | x | x | x | No | +| Movies & TV | Microsoft.ZuneVideo | x | x | x | No | +| OneNote | Microsoft.Office.OneNote | x | x | x | Yes | +| Paid Wi-FI | Microsoft.OneConnect | x | x | x | 
Yes | +| Paint 3D | Microsoft.MSPaint | x | x | x | No | +| People | Microsoft.People | x | x | x | No | +| Photos | Microsoft.Windows.Photos | x | x | x | No | +| Print 3D | Microsoft.Print3D | | x | x | No | +| Solitaire | Microsoft.Microsoft SolitaireCollection| x | x | x | Yes | +| Sticky Notes | Microsoft.MicrosoftStickyNotes | x | x | x | No | +| Store | Microsoft.WindowsStore | x | x | x | No | +| Sway | Microsoft.Office.Sway | * | x | x | Yes | +| Voice Recorder | Microsoft.SoundRecorder | x | x | x | No | +| Wallet | Microsoft.Wallet | x | x | x | No | +| Weather | Microsoft.BingWeather | x | x | x | Yes | +| Xbox | Microsoft.XboxApp | x | x | x | No | +| | Microsoft.OneConnect | x | x | x | No | +| | Microsoft.DesktopAppInstaller | | | x | No | +| | Microsoft.StorePurchaseApp | x | x | x | No | +| | Microsoft.WebMediaExtensions | | | x | No | +| | Microsoft.Xbox.TCUI | | x | x | No | +| | Microsoft.XboxGameOverlay | x | x | x | No | +| | Microsoft.XboxGamingOverlay | | | x | No | +| | Microsoft.XboxIdentityProvider | x | x | x | No | +| | Microsoft.XboxSpeech ToTextOverlay | x | x | x | No | + +>[!NOTE] +>The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. \ No newline at end of file diff --git a/windows/application-management/change-history-for-application-management.md b/windows/application-management/change-history-for-application-management.md index ed841489c6..580efc16c4 100644 --- a/windows/application-management/change-history-for-application-management.md +++ b/windows/application-management/change-history-for-application-management.md @@ -8,6 +8,8 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: jdeckerms +ms.author: jdecker +ms.topic: article ms.date: 10/24/2017 --- 
@@ -15,6 +17,10 @@ ms.date: 10/24/2017 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## RELEASE: Windows 10, version 1803 + +The topics in this library have been updated for Windows 10, version 1803. + ## October 2017 New or changed topic | Description diff --git a/windows/application-management/index.md b/windows/application-management/index.md index 23490f9d99..31196fe532 100644 --- a/windows/application-management/index.md +++ b/windows/application-management/index.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -ms.localizationpriority: medium +ms.localizationpriority: high ms.date: 09/26/2017 --- diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 4d6181abe1..f6af0d88a5 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -8,7 +8,8 @@ ms.sitesec: library ms.localizationpriority: medium author: jdeckerms ms.author: jdecker -ms.date: 11/09/2017 +ms.topic: article +ms.date: 05/16/2018 --- # Enable or block Windows Mixed Reality apps in the enterprise 
@@ -17,27 +18,39 @@ ms.date: 11/09/2017 - Windows 10 -Windows 10, version 1709 (also known as the Fall Creators Update), introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use Windows Server Update Services (WSUS) must take action to [enable Windows Mixed Reality](#enable). Any organization that wants to prohibit use of Windows Mixed Reality can [block the installation of the Mixed Reality Portal](#block). + +[Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/) was introduced in Windows 10, version 1709 (also known as the Fall Creators Update), as a [Windows 10 Feature on Demand (FOD)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). Features on Demand are Windows feature packages that can be added at any time. When a Windows 10 PC needs a new feature, it can request the feature package from Windows Update. + +Organizations that use Windows Server Update Services (WSUS) must take action to [enable Windows Mixed Reality](#enable). Any organization that wants to prohibit use of Windows Mixed Reality can [block the installation of the Mixed Reality Portal](#block). ## Enable Windows Mixed Reality in WSUS -To enable users to download the Windows Mixed Reality software for devices running Windows 10, version 1703, enterprises using WSUS can approve Windows Mixed Reality package by unblocking **KB4016509: FeatureOnDemandOasis - Windows 10 version 1703 for x64-based Systems**. - -Enterprises devices running Windows 10, version 1709, will not be able to install Windows Mixed Reality Feature on Demand (FOD) directly from WSUS. Instead, use one of the following options to install Windows Mixed Reality software: +1. 
[Check your version of Windows 10.](https://support.microsoft.com/help/13443/windows-which-operating-system) -- Manually install the Mixed Reality software - - - [Download the Microsoft Windows Holographic Desktop Feature on Demand package.](http://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab) - - - Open a command prompt as administrator and run the following command to install the package: - - `dism /online /add-package /packagepath:"path to the cab file"` - - - Go to **Settings** > **Update & Security** > **Windows Update** and **Check for updates**. - -- IT admin can create [Side by side feature store (shared folder)](https://technet.microsoft.com/library/jj127275.aspx) + >[!NOTE] + >You must be on at least Windows 10, version 1709, to run Windows Mixed Reality. + +2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD. + + a. Download [the FOD .cab file for Windows 10, version 1803](http://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab) or [the FOD .cab file for Windows 10, version 1709] + (http://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). + + >[!NOTE] + >You must download the FOD .cab file that matches your operating system version. + + b. Use `Add-Package` to add Windows Mixed Reality FOD to the image. + + ``` + Add-Package + Dism /Online /add-package /packagepath:(path) + ``` + + c. In **Settings** > **Update & Security** > **Windows Update**, select **Check for updates**. + + +IT admins can also create [Side by side feature store (shared folder)](https://technet.microsoft.com/library/jj127275.aspx) to allow access to the Windows Mixed Reality FOD. 
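Review bot: Both FOD .cab links added in step 2a point at `http://download.microsoft.com/...`, so the package that step 2b installs with `Dism /Online /add-package` is fetched without transport integrity; use the `https://` form of both URLs. The 1709 link is also split across two added lines between `]` and `(`, which will most likely stop it rendering as a link. In step 2b the text and the fence name `Add-Package`, which does not look like a DISM cmdlet (the PowerShell one is `Add-WindowsPackage`). The new steps also drop the removed instruction to open the command prompt as administrator, which the DISM command still needs.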
diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md
new file mode 100644
index 0000000000..cd0dce59af
--- /dev/null
+++ b/windows/application-management/msix-app-packaging-tool.md
@@ -0,0 +1,71 @@ +--- +title: Repackage your existing win32 applications to the MSIX format. +description: Learn how to install and use the MSIX packaging tool. +keywords: ["MSIX", "application", "app", "win32", "packaging tool"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: medium +ms.author: mikeblodge +ms.topic: article +ms.date: 08/01/2018 +--- + +# Repackage existing win32 applications to the MSIX format + +The MSIX Packaging Tool (Preview) is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store (coming soon). + +> Prerequisites: + +- Participation in the Windows Insider Program +- Minimum Windows 10 build 17701 +- Admin privileges on your PC account +- A valid MSA alias (to access the app from the Store) + +## What's new +v1.2018.808.0 +- Ability to add/edit/remove file and registry exclusion items is now supported in Settings menu. +- Fixed an issue where signing in with password protected certificates would fail in the tool. +- Fixed an issue where the tool was crashing when editing an existing MSIX package. +- Fixed an issue where the tool was injecting whitespaces programmatically to install location paths that was causing conversion failures. +- Minor UI tweaks to add clarity. +- Minor updates to the logs for added clarity. + + + +## Installing the MSIX Packaging Tool + +1. Use the MSA login associated with your Windows Insider Program credentials in the [Microsoft Store](https://www.microsoft.com/store/r/9N5LW3JBCXKF). +2. Open the product description page. +3. Click the install icon to begin installation. + +This is an early preview build and not all features are supported. 
Here is what you can expect to be able to do with this preview: + +- Package your favorite application installer interactively (msi, exe, App-V 5.x and ClickOnce) to MSIX format by launching the tool and selecting **Application package** icon. +- Create a modification package for a newly created Application MSIX Package by launching the tool and selecting the **Modification package** icon. +- Open your MSIX package to view and edit its content/properties by navigating to the **Open package editor** tab. Browse to the MSIX package and select **Open package**. + +Features not supported in the tool are currently greyed out. Here are some of the highlighted missing features: + +- Package Support Framework integration. For more detail on how you can use Package Support Framework today, check out the article posted on the [MSIX blog](https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMSIX-Blog%2FMSIX-Package-Support-Framework-is-now-available-on-GitHub%2Fba-p%2F214548&data=02%7C01%7Cpezan%40microsoft.com%7Cbe2761c174cd465136ce08d5f1252d8a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636680064344941094&sdata=uW3oOOEYQxd0iVgsJkZXZTQwlvf%2FimVCaOdFUXcRoeY%3D&reserved=0). +- Packaging on existing virtual machines. You can still install the Tool on a fresh VM, but the tool cannot currently spawn off a conversion from a local machine to an existing VM. +- Command Line Interface support +- Conversion of App-V 4.x packages + +## How to file feedback + +Open Feedback Hub. Alternatively, launch the tool and select the **Settings** gear icon in the top right corner to open the Feedback tab. Here you can file feedback for suggestions, problems, and see other feedback items. + +## Best practices + +- When Packaging ClickOnce installers, it is necessary to send a shortcut to the desktop if the installer is not doing so already. In general, it's a good practice to always send a shortcut to your desktop for the main app executable. 
+- When creating modification packages, you need to declare the **Package Name** (Identity Name) of the parent application in the tool UI so that the tool sets the correct package dependency in the manifest of the modification package. +- Declaring an installation location field on the Package information page is optional but *recommended*. Make sure that this path matches the installation location of application Installer. +- Performing the preparation steps on the **Prepare Computer** page is optional but *highly recommended*. + +## Known issues +1. MSIX Packaging Tool Driver will fail to install if Windows Insider flight ring settings do no match the OS build of the conversion environment. Navigate to Settings, Updates & Security, Windows Insider Program to make sure your Insider preview build settings do not need attention. If you see this message click on the Fix me button to log in again. You might have to go to Windows Update page and check for update before settings change takes effect. Then try to run the tool again to download the MSIX Packaging Tool driver. If you are still hitting issues, try changing your flight ring to Canary or Insider Fast, install the latest Windows updates and try again. +2. You cannot edit the manifest manually from within the tool. (edit manifest button is disabled). Please use the SDK tools to unpack the MSIX package to edit the manifest manually. +3. Restarting the machine during application installation is not supported. Please ignore the restart request if possible or pass an argument to the installer to not require a restart. + + diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md index 7e6bf874fa..1391890a98 100644 --- a/windows/application-management/per-user-services-in-windows.md +++ b/windows/application-management/per-user-services-in-windows.md 
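Review bot: The MSIX blog link in the list of unsupported features is an Outlook Safe Links wrapper (`na01.safelinks.protection.outlook.com/?url=...&data=...`), and its `data=` parameter carries an encoded recipient e-mail address and what looks like a tenant identifier into public documentation. Link to the target directly instead: `https://techcommunity.microsoft.com/t5/MSIX-Blog/MSIX-Package-Support-Framework-is-now-available-on-GitHub/ba-p/214548`, which is the decoded `url=` value. Known issue 1 also reads "do no match" where "do not match" is meant.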
@@ -29,18 +29,25 @@ For more information about disabling system services for Windows Server, see [Gu ## Per-user services -Windows 10 and Windows Server (with the Desktop Experience) have the following per-user services. The template services are located in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. +The following table lists per-user services and when they were added to Windows 10 and Windows Server with the Desktop Experience. The template services are located in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Before you disable any of these services, review the **Description** column in this table to understand the implications, including dependent apps that will no longer work correctly. -| Key name | Display name | Default start type | Dependencies | Description | -|------------------------|-----------------------------------------|--------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| CDPUserSvc | CDPUserSvc | Auto | | Used for Connected Devices Platform scenarios | -| OneSyncSvc | Sync Host | Auto (delayed) | | Synchronizes mail, contacts, calendar, and other user data. Mail and other applications dependent on this service don't work correctly when this service is not running. | -| PimIndexMaintenanceSvc | Contact Data | Manual | UnistoreSvc | Indexes contact data for fast contact searching. If you stop or disable this service, search results might not display all contacts. | -| UnistoreSvc | User Data Storage | Manual | | Handles storage of structured user data, including contact info, calendars, and messages. If you stop or disable this service, apps that use this data might not work correctly. 
| -| UserDataSvc | User Data Access | Manual | UnistoreSvc | Provides apps access to structured user data, including contact info, calendars, and messages. If you stop or disable this service, apps that use this data might not work correctly. | -| WpnUserService | Windows Push Notifications User Service | Manual | | Hosts Windows notification platform, which provides support for local and push notifications. Supported notifications are tile, toast, and raw. | +| Windows version | Key name | Display name | Default start type | Dependencies | Description | +|-----------------|------------------------|-----------------------------------------|--------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 1803 | BcastDVRUserService | GameDVR and Broadcast User Service | Manual | | Used for Game Recordings and Live Broadcasts | +| 1803 | BluetoothUserService | Bluetooth User Support Service | Manual | | Supports proper functionality of Bluetooth features relevant to each user session | +| 1803 | CaptureService | CaptureService | Manual | | OneCore Capture Service | +| 1607 | CDPUserSvc | CDPUserSvc | Auto | - Network Connection Broker
    - Remote Procedure Call (RPC)
    - TCP/IP Protocol Driver | Used for Connected Devices Platform scenarios | +| 1803 | DevicePickerUserSvc | DevicePicker | Manual | | Device Picker | +| 1703 | DevicesFlowUserSvc | DevicesFlow | Manual | | Device Discovery and Connecting | +| 1703 | MessagingService | MessagingService | Manual | | Service supporting text messaging and related functionality | +| 1607 | OneSyncSvc | Sync Host | Auto (delayed) | | Synchronizes mail, contacts, calendar, and other user data. Mail and other applications dependent on this service don't work correctly when this service is not running. | +| 1607 | PimIndexMaintenanceSvc | Contact Data | Manual | UnistoreSvc | Indexes contact data for fast contact searching. If you stop or disable this service, search results might not display all contacts. | +| 1709 | PrintWorkflowUserSvc | PrintWorkflow | Manual | | Print Workflow | +| 1607 | UnistoreSvc | User Data Storage | Manual | | Handles storage of structured user data, including contact info, calendars, and messages. If you stop or disable this service, apps that use this data might not work correctly. | +| 1607 | UserDataSvc | User Data Access | Manual | UnistoreSvc | Provides apps access to structured user data, including contact info, calendars, and messages. If you stop or disable this service, apps that use this data might not work correctly. | +| 1607 | WpnUserService | Windows Push Notifications User Service | Manual | | Hosts Windows notification platform, which provides support for local and push notifications. Supported notifications are tile, toast, and raw. | ## Disable per-user services diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md new file mode 100644 index 0000000000..489c97927a --- /dev/null +++ b/windows/application-management/remove-provisioned-apps-during-update.md 
@@ -0,0 +1,160 @@
+---
+title: How to keep apps removed from Windows 10 from returning during an update
+description: How to keep provisioned apps that were removed from your machine from returning during an update.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.author: helohr
+author: HeidiLohr
+ms.date: 05/25/2018
+---
+# How to keep apps removed from Windows 10 from returning during an update
+
+>Applies to: Windows 10 (Semi-Annual Channel)
+
+When you update a computer running Windows 10, version 1703 or 1709, you might see provisioned apps that you previously removed return post-update. This can happen if the computer was offline when you removed the apps. This issue was fixed in Windows 10, version 1803.
+
+>[!NOTE]
+>* This issue only occurs after a feature update (from one version to the next), not monthly updates or security-related updates.
+>* This only applies to first-party apps that shipped with Windows 10. This doesn't apply to third-party apps, Microsoft Store apps, or LOB apps.
+
+To remove a provisioned app, you need to remove the provisioning package. The apps might reappear if you removed the packages in one of the following ways:
+
+* If you removed the packages while the wim file was mounted when the device was offline.
+* If you removed the packages by running a PowerShell cmdlet on the device while Windows was online. Although the apps won't appear for new users, you'll still see the apps for the user account you signed in as.
+
+When you remove a provisioned app, we create a registry key that tells Windows not to reinstall or update that app the next time Windows is updated. If the computer isn't online when you deprovision the app, then we don't create that registry key. (This behavior is fixed in Windows 10, version 1803. If you're running Windows 10, version 1709, apply the latest security update to fix it.)
+
+>[!NOTE]
+>If you remove a provisioned app while Windows is online, it's only removed for *new users*—the user that you signed in as will still have that provisioned app. That's because the registry key created when you deprovision the app only applies to new users created *after* the key is created. This doesn't happen if you remove the provisioned app while Windows is offline.
+
+To prevent these apps from reappearing at the next update, manually create a registry key for each app, then update the computer.
+
+## Create registry keys for deprovisioned apps
+
+Use the following steps to create a registry key:
+
+1. Identify any provisioned apps you want removed. Record the package name for each app.
+2. Create a .reg file to generate a registry key for each app. Use [this list of Windows 10, version 1709 registry keys](#registry-keys-for-provisioned-apps) as your starting point.
+ 1. Paste the list of registry keys into Notepad (or a text editor).
+ 2. Remove the registry keys belonging to the apps you want to keep. For example, if you want to keep the Bing Weather app, delete this registry key:
+ ```
+ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\A ppxAllUserStore\Deprovisioned\Microsoft.BingWeather_8wekyb3d8bbwe]
+ ```
+ 3. Save the file with a .txt extension, then right-click the file and change the extension to .reg.
+3. Double-click the .reg file to create the registry keys. You can see the new keys in HKLM\\path-to-reg-keys.
+
+You're now ready to update your computer. After the update, check the list of apps in the computer to confirm the removed apps are still gone.
+
+## Package names for apps provisioned in Windows 10, version 1709
+
+|Displayed app name|Package name|
+|---|---|
+|Microsoft.3DBuilder|Microsoft.3DBuilder_15.2.10821.1000_neutral_~_8wekyb3d8bbwe|
+|Microsoft.BingWeather|Microsoft.BingWeather_4.23.10923.0_neutral_~_8wekyb3d8bbwe|
+|Microsoft.DesktopAppInstaller|Microsoft.DesktopAppInstaller_1.10.16004.0_neutral_~_8wekyb3d8bbwe|
+|Microsoft.GetHelp|Microsoft.GetHelp_10.1706.1811.0_neutral_~_8wekyb3d8bbwe|
+|Microsoft.Getstarted|Microsoft.Getstarted_5.12.2691.1000_neutral_~_8wekyb3d8bbwe|
+|Microsoft.HEVCVideoExtension|Microsoft.HEVCVideoExtension_1.0.2512.0_x64__8wekyb3d8bbwe|
+|Microsoft.Messaging|Microsoft.Messaging_2018.124.707.0_neutral_~_8wekyb3d8bbwe|
+|Microsoft.Microsoft3DViewer|Microsoft.Microsoft3DViewer_3.1803.29012.0_neutral_~_8wekyb3d8bbwe|
+|Microsoft.MicrosoftOfficeHub|Microsoft.MicrosoftOfficeHub_2017.715.118.0_neutral_~_8wekyb3d8bbwe|
+|Microsoft.MicrosoftSolitaireCollection|Microsoft.MicrosoftSolitaireCollection_3.18.12091.0_neutral_~_8wekyb3d8bbwe|
+|Microsoft.MicrosoftStickyNotes|Microsoft.MicrosoftStickyNotes_2.1.18.0_neutral_~_8wekyb3d8bbwe|
+|Microsoft.MSPaint|Microsoft.MSPaint_4.1803.21027.0_neutral_~_8wekyb3d8bbwe|
+|Microsoft.Office.OneNote|Microsoft.Office.OneNote_2015.9126.21251.0_neutral_~_8wekyb3d8bbwe|
+|Microsoft.OneConnect|Microsoft.OneConnect_3.1708.2224.0_neutral_~_8wekyb3d8bbwe|
+|Microsoft.People|Microsoft.People_2017.1006.1846.1000_neutral_~_8wekyb3d8bbwe|
+|Microsoft.Print3D|Microsoft.Print3D_1.0.2422.0_neutral_~_8wekyb3d8bbwe|
+|Microsoft.SkypeApp|Microsoft.SkypeApp_12.1811.248.1000_neutral_~_kzf8qxf38zg5c|
+|Microsoft.StorePurchaseApp|Microsoft.StorePurchaseApp_11802.1802.23014.0_neutral_~_8wekyb3d8bbwe|
+|Microsoft.Wallet|Microsoft.Wallet_1.0.16328.0_neutral_~_8wekyb3d8bbwe|
+|Microsoft.Windows.Photos|Microsoft.Windows.Photos_2018.18022.15810.1000_neutral_~_8wekyb3d8bbwe|
+|Microsoft.WindowsAlarms|Microsoft.WindowsAlarms_2017.920.157.1000_neutral_~_8wekyb3d8bbwe|
+|Microsoft.WindowsCalculator|Microsoft.WindowsCalculator_2017.928.0.1000_neutral_~_8wekyb3d8bbwe|
+|Microsoft.WindowsCamera|Microsoft.WindowsCamera_2017.1117.10.1000_neutral_~_8wekyb3d8bbwe|
+|microsoft.windowscommunicationsapps|microsoft.windowscommunicationsapps_2015.9126.21425.0_neutral_~_8wekyb3d8bbwe|
+|Microsoft.WindowsFeedbackHub|Microsoft.WindowsFeedbackHub_2018.323.50.1000_neutral_~_8wekyb3d8bbwe|
+|Microsoft.WindowsMaps|Microsoft.WindowsMaps_2017.1003.1829.1000_neutral_~_8wekyb3d8bbwe|
+|Microsoft.WindowsSoundRecorder|Microsoft.WindowsSoundRecorder_2017.928.5.1000_neutral_~_8wekyb3d8bbwe|
+|Microsoft.WindowsStore|Microsoft.WindowsStore_11803.1001.613.0_neutral_~_8wekyb3d8bbwe|
+|Microsoft.Xbox.TCUI|Microsoft.Xbox.TCUI_1.8.24001.0_neutral_~_8wekyb3d8bbwe|
+|Microsoft.XboxApp|Microsoft.XboxApp_39.39.21002.0_neutral_~_8wekyb3d8bbwe|
+|Microsoft.XboxGameOverlay|Microsoft.XboxGameOverlay_1.24.5001.0_neutral_~_8wekyb3d8bbwe|
+|Microsoft.XboxIdentityProvider|Microsoft.XboxIdentityProvider_2017.605.1240.0_neutral_~_8wekyb3d8bbwe|
+|Microsoft.XboxSpeechToTextOverlay|Microsoft.XboxSpeechToTextOverlay_1.21.13002.0_neutral_~_8wekyb3d8bbwe|
+|Microsoft.ZuneMusic|Microsoft.ZuneMusic_2019.18011.13411.1000_neutral_~_8wekyb3d8bbwe|
+|Microsoft.ZuneVideo|Microsoft.ZuneVideo_2019.17122.16211.1000_neutral_~_8wekyb3d8bbwe|
+
+## Registry keys for provisioned apps
+
+```syntax
+Windows Registry Editor Version 5.00
+;1709 Registry Keys
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.BingWeather_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.GetHelp_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.Getstarted_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.MSPaint_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.Office.OneNote_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.OneConnect_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.People_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.Print3D_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.SkypeApp_kzf8qxf38zg5c]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.StorePurchaseApp_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.Wallet_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.Windows.Photos_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.WindowsAlarms_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.WindowsCalculator_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.WindowsCamera_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\microsoft.windowscommunicationsapps_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.WindowsMaps_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.WindowsStore_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.Xbox.TCUI_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.XboxApp_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.XboxGameOverlay_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.ZuneMusic_8wekyb3d8bbwe]
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.ZuneVideo_8wekyb3d8bbwe] +``` diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md index ffe541cc15..a01dc76b8c 100644 --- a/windows/client-management/TOC.md +++ b/windows/client-management/TOC.md @@ -6,6 +6,7 @@ ## [New policies for Windows 10](new-policies-for-windows-10.md) ## [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) ## [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md) +## [What version of Windows am I running](windows-version-search.md) ## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) ## [Transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) ## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md) diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md index 29875e0d23..f5b708473d 100644 --- a/windows/client-management/change-history-for-client-management.md +++ b/windows/client-management/change-history-for-client-management.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -ms.localizationpriority: high +ms.localizationpriority: medium author: jdeckerMS ms.author: jdecker ms.date: 09/12/2017 diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index d25e2670b7..920c37386e 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md 
@@ -9,7 +9,7 @@ ms.pagetype: devices author: jdeckerms ms.localizationpriority: medium ms.author: jdecker -ms.date: 11/28/2017 +ms.date: 08/02/2018 --- # Connect to remote Azure Active Directory-joined PC @@ -19,7 +19,7 @@ ms.date: 11/28/2017 - Windows 10 -From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup). +From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup). ![Remote Desktop Connection client](images/rdp.png) @@ -45,6 +45,9 @@ From its release, Windows 10 has supported remote connections to PCs that are jo 4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC. + >[!TIP] + >When you connect to the remote PC, enter your account name in this format: `AzureADName\YourAccountName`. + ## Supported configurations diff --git a/windows/client-management/group-policies-for-enterprise-and-education-editions.md b/windows/client-management/group-policies-for-enterprise-and-education-editions.md index 96a1b2df95..94d8c56785 100644 --- a/windows/client-management/group-policies-for-enterprise-and-education-editions.md +++ b/windows/client-management/group-policies-for-enterprise-and-education-editions.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: brianlic-msft -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 10/13/2017 --- 
diff --git a/windows/client-management/images/WinVer.PNG b/windows/client-management/images/WinVer.PNG new file mode 100644 index 0000000000..3cb598ad04 Binary files /dev/null and b/windows/client-management/images/WinVer.PNG differ diff --git a/windows/client-management/images/msinfo32.png b/windows/client-management/images/msinfo32.png new file mode 100644 index 0000000000..9a8d125b7a Binary files /dev/null and b/windows/client-management/images/msinfo32.png differ diff --git a/windows/client-management/images/msinfosnip.jpg b/windows/client-management/images/msinfosnip.jpg new file mode 100644 index 0000000000..67c65eec3c Binary files /dev/null and b/windows/client-management/images/msinfosnip.jpg differ diff --git a/windows/client-management/images/refcmd.png b/windows/client-management/images/refcmd.png new file mode 100644 index 0000000000..5e08df408e Binary files /dev/null and b/windows/client-management/images/refcmd.png differ diff --git a/windows/client-management/images/slmgr_dlv.png b/windows/client-management/images/slmgr_dlv.png new file mode 100644 index 0000000000..096a2b1859 Binary files /dev/null and b/windows/client-management/images/slmgr_dlv.png differ diff --git a/windows/client-management/images/systemcollage.png b/windows/client-management/images/systemcollage.png new file mode 100644 index 0000000000..d1400e19f4 Binary files /dev/null and b/windows/client-management/images/systemcollage.png differ diff --git a/windows/client-management/images/systeminfo.png b/windows/client-management/images/systeminfo.png new file mode 100644 index 0000000000..4c70bed782 Binary files /dev/null and b/windows/client-management/images/systeminfo.png differ diff --git a/windows/client-management/images/systemproperties.png b/windows/client-management/images/systemproperties.png new file mode 100644 index 0000000000..e6e6d5677b Binary files /dev/null and b/windows/client-management/images/systemproperties.png differ 
diff --git a/windows/client-management/images/systemprops.jpg b/windows/client-management/images/systemprops.jpg new file mode 100644 index 0000000000..dfff3fb5d0 Binary files /dev/null and b/windows/client-management/images/systemprops.jpg differ diff --git a/windows/client-management/images/winsearchbar.jpg b/windows/client-management/images/winsearchbar.jpg new file mode 100644 index 0000000000..7f27bd8805 Binary files /dev/null and b/windows/client-management/images/winsearchbar.jpg differ diff --git a/windows/client-management/images/winversnip.jpg b/windows/client-management/images/winversnip.jpg new file mode 100644 index 0000000000..c2f2be1bb2 Binary files /dev/null and b/windows/client-management/images/winversnip.jpg differ diff --git a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md index da8fded458..0d3b6b861f 100644 --- a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md +++ b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: mobile author: jdeckerms -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 09/21/2017 --- diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md index bda063d02b..66ebec76b8 100644 --- a/windows/client-management/manage-corporate-devices.md +++ b/windows/client-management/manage-corporate-devices.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: devices author: jdeckerms -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 09/21/2017 --- diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md index 57086835cb..b51971615e 100644 
--- a/windows/client-management/manage-settings-app-with-group-policy.md +++ b/windows/client-management/manage-settings-app-with-group-policy.md @@ -25,7 +25,7 @@ The Group Policy can be configured in one of two ways: specify a list of pages t Here are some examples: -- To show only the the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **ShowOnly:Network-Proxy;Network-Ethernet**. +- To show only the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **ShowOnly:Network-Proxy;Network-Ethernet**. - To hide the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **Hide:Network-Proxy;Network-Ethernet**. diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index d3eaf1a5ca..86eb568add 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: devices -author: jdeckerms -ms.localizationpriority: high -ms.date: 12/04/2017 +author: MariciaAlforque +ms.localizationpriority: medium +ms.date: 04/26/2018 --- # Manage Windows 10 in your organization - transitioning to modern management 
@@ -21,10 +21,10 @@ Your organization can support various operating systems across a wide range of d This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance. - +> [!VIDEO https://www.youtube.com/embed/g1rIcBhhxpA] >[!NOTE] - >The video demonstrates the configuration process using the classic Azure portal, which will be retired January 08, 2018. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](https://docs.microsoft.com/information-protection/deploy-use/migrate-portal) + >The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](https://docs.microsoft.com/information-protection/deploy-use/migrate-portal) This topic offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. The topic covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle: 
@@ -94,17 +94,14 @@ As you review the roles in your organization, you can use the following generali Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.  -**MDM**: [MDM](https://www.microsoft.com/en-us/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. This makes MDM the best choice for devices that are constantly on the go. +**MDM**: [MDM](https://www.microsoft.com/en-us/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premises domain-joined devices. This makes MDM the best choice for devices that are constantly on the go. 
-**Group Policy** and **System Center Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings, or very specific Windows Firewall rules. If so, Group Policy and System Center Configuration Manager continue to be excellent management choices: +**Group Policy** and **System Center Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings. If so, Group Policy and System Center Configuration Manager continue to be excellent management choices: - Group Policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add Group Policy settings with each new version of Windows. - Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment. -You can use the following generalized decision tree to review the management choices for devices in your organization: - -![Decision tree for device configuration options](images/windows-10-management-gp-intune-flow.png) ## Updating and Servicing 
@@ -116,12 +113,24 @@ MDM with Intune provide tools for applying Windows updates to client computers i There are a variety of steps you can take to begin the process of modernizing device management in your organization: -- **Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. +**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use the [MDM Migration Analysis Tool (MMAT)](http://aka.ms/mmat) to help determine which Group Policies are set for a target user/computer and cross-reference them against the list of available MDM policies. -- **Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs. 
+**Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs. -- **Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario. +**Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario. -- **Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. +**Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. 
Starting with Windows 10, version 1803, the new policy [MDMWinsOverGP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-mdmwinsovergp) was added to allow MDM policies to take precedence over GP when both GP and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your GP environment. Here is the list of MDM policies with equivalent GP - [Policies supported by GP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider#policies-supported-by-gp) -- **Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. As additional capabilities become available in the cloud-identity/MDM model, Microsoft is committed to providing a clear path from traditional to modern management. + +**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Starting with Configuration Manager 1710, co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. 
See these topics for details: + +- [Co-management for Windows 10 devices](https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview) +- [Prepare Windows 10 devices for co-management](https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-prepare) +- [Switch Configuration Manager workloads to Intune](https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-switch-workloads) +- [Co-management dashboard in System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-dashboard) + +## Related topics + +- [What is Intune?](https://docs.microsoft.com/en-us/intune/introduction-intune) +- [Windows 10 Policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider) +- [Windows 10 Configuration service Providers](https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference) diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 659b090224..21553dfee9 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -179,7 +179,6 @@ #### [Policy DDF file](policy-ddf-file.md) #### [ApplicationRestrictions XSD](applicationrestrictions-xsd.md) #### [AboveLock](policy-csp-abovelock.md) -#### [AccountPoliciesAccountLockoutPolicy](policy-csp-accountpoliciesaccountlockoutpolicy.md) #### [Accounts](policy-csp-accounts.md) #### [ActiveXControls](policy-csp-activexcontrols.md) #### [ApplicationDefaults](policy-csp-applicationdefaults.md) @@ -190,6 +189,7 @@ #### [Authentication](policy-csp-authentication.md) #### [Autoplay](policy-csp-autoplay.md) #### [Bitlocker](policy-csp-bitlocker.md) +#### [BITS](policy-csp-bits.md) #### [Bluetooth](policy-csp-bluetooth.md) #### [Browser](policy-csp-browser.md) #### [Camera](policy-csp-camera.md) 
@@ -209,6 +209,7 @@
 #### [DeviceInstallation](policy-csp-deviceinstallation.md)
 #### [DeviceLock](policy-csp-devicelock.md)
 #### [Display](policy-csp-display.md)
+#### [DmaGuard](policy-csp-dmaguard.md)
 #### [Education](policy-csp-education.md)
 #### [EnterpriseCloudPrint](policy-csp-enterprisecloudprint.md)
 #### [ErrorReporting](policy-csp-errorreporting.md)
@@ -250,6 +251,7 @@
 #### [Storage](policy-csp-storage.md)
 #### [System](policy-csp-system.md)
 #### [SystemServices](policy-csp-systemservices.md)
+#### [TaskManager](policy-csp-taskmanager.md)
 #### [TaskScheduler](policy-csp-taskscheduler.md)
 #### [TextInput](policy-csp-textinput.md)
 #### [TimeLanguageSettings](policy-csp-timelanguagesettings.md)
@@ -313,6 +315,8 @@
 #### [WiFi DDF file](wifi-ddf-file.md)
 ### [Win32AppInventory CSP](win32appinventory-csp.md)
 #### [Win32AppInventory DDF file](win32appinventory-ddf-file.md)
+### [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md)
+#### [Win32CompatibilityAppraiser DDF file](win32compatibilityappraiser-ddf.md)
 ### [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)
 #### [WindowsAdvancedThreatProtection DDF file](windowsadvancedthreatprotection-ddf.md)
 ### [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)
@@ -321,4 +325,5 @@
 #### [WindowsLicensing DDF file](windowslicensing-ddf-file.md)
 ### [WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md)
 #### [WindowsSecurityAuditing DDF file](windowssecurityauditing-ddf-file.md)
-
+### [WiredNetwork CSP](wirednetwork-csp.md)
+#### [WiredNetwork DDF file](wirednetwork-ddf-file.md)
diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md
index f43068ab86..866c9e3470 100644
--- a/windows/client-management/mdm/accountmanagement-csp.md
+++ b/windows/client-management/mdm/accountmanagement-csp.md
@@ -5,14 +5,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/23/2018 --- # AccountManagement CSP -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/accountmanagement-ddf.md b/windows/client-management/mdm/accountmanagement-ddf.md index eddb5ce0ba..4e6eb780a7 100644 --- a/windows/client-management/mdm/accountmanagement-ddf.md +++ b/windows/client-management/mdm/accountmanagement-ddf.md @@ -5,15 +5,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/23/2018 --- # AccountManagement DDF file -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - This topic shows the OMA DM device description framework (DDF) for the **AccountManagement** configuration service provider. diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index 0cec8a8ad3..19820b0309 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md 
@@ -5,16 +5,14 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 04/17/2018 --- # Accounts CSP -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and joint it to a local user group. This CSP was added in Windows 10, version 1803. +The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803. The following diagram shows the Accounts configuration service provider in tree format. diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md index 311ed73e93..a6e5b3ded3 100644 --- a/windows/client-management/mdm/accounts-ddf-file.md +++ b/windows/client-management/mdm/accounts-ddf-file.md @@ -5,14 +5,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 04/17/2018 --- # Accounts CSP -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **Accounts** configuration service provider. diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index 80431db230..aed29f1f97 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md 
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md
index 51c1385789..a1c9d4cb8d 100644
--- a/windows/client-management/mdm/activesync-ddf-file.md
+++ b/windows/client-management/mdm/activesync-ddf-file.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
index 281dc44c70..5065235319 100644
--- a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
+++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md
index c8e1153a75..8745e5a972 100644
--- a/windows/client-management/mdm/alljoynmanagement-csp.md
+++ b/windows/client-management/mdm/alljoynmanagement-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/alljoynmanagement-ddf.md b/windows/client-management/mdm/alljoynmanagement-ddf.md
index 2356c2dd90..c9da82f50a 100644
--- a/windows/client-management/mdm/alljoynmanagement-ddf.md
+++ b/windows/client-management/mdm/alljoynmanagement-ddf.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md
index a8eaca5a12..2f3b7f1d06 100644
--- a/windows/client-management/mdm/application-csp.md
+++ b/windows/client-management/mdm/application-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/applicationrestrictions-xsd.md b/windows/client-management/mdm/applicationrestrictions-xsd.md
index 54e3d3c6b5..1a54b6702f 100644
--- a/windows/client-management/mdm/applicationrestrictions-xsd.md
+++ b/windows/client-management/mdm/applicationrestrictions-xsd.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index e424e88106..f1f1e0aaaa 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -6,8 +6,8 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
-ms.date: 04/24/2018
+author: MariciaAlforque
+ms.date: 04/30/2018
 ---
 # AppLocker CSP
@@ -159,17 +159,16 @@ Each of the previous nodes contains one or more of the following leaf nodes:

    Here is a sample certutil invocation:

    ``` -certutil -encode WinSiPolicy.p7b WinSiPolicy.txt +certutil -encode WinSiPolicy.p7b WinSiPolicy.cer ``` -

    Use only the data enclosed in the BEGIN CERTIFIFCATE and END CERTIFICATE section. Ensure that you have removed all line breaks before passing the data to the CSP node.

    An alternative to using certutil would be to use the following PowerShell invocation:

    ``` [Convert]::ToBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path )) ``` -

    If you are using Hybrid MDM management with System Center Configuration Manager please ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy.

    +

    If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy.

    Data type is string. Supported operations are Get, Add, Delete, and Replace.

    diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md index fe6e6c167c..b61780ae9e 100644 --- a/windows/client-management/mdm/applocker-ddf-file.md +++ b/windows/client-management/mdm/applocker-ddf-file.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/applocker-xsd.md b/windows/client-management/mdm/applocker-xsd.md index ecce16aabf..ea7901dc45 100644 --- a/windows/client-management/mdm/applocker-xsd.md +++ b/windows/client-management/mdm/applocker-xsd.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md index 1a3dce230a..62c91ca217 100644 --- a/windows/client-management/mdm/appv-deploy-and-config.md +++ b/windows/client-management/mdm/appv-deploy-and-config.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- @@ -13,7 +13,7 @@ ms.date: 06/26/2017 ## Executive summary -

    Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premise group policies using System Center Configuration Manager (SCCM) or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premise counterparts.

    +

    Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using System Center Configuration Manager (SCCM) or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.

    MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.

    @@ -79,7 +79,7 @@ ms.date: 06/26/2017 ## Scenarios addressed in App-V MDM functionality -

    All App-V group policies will be reflected by having a corresponding CSP that can be set using the Policy CSP. The CSPs match all on-premise App-V configuration capabilities. In addition, new App-V package management capability has been added to closely match the App-V PowerShell functionality.

    +

    All App-V group policies will be reflected by having a corresponding CSP that can be set using the Policy CSP. The CSPs match all on-premises App-V configuration capabilities. In addition, new App-V package management capability has been added to closely match the App-V PowerShell functionality.

    A complete list of App-V policies can be found here:

    diff --git a/windows/client-management/mdm/assign-seats.md b/windows/client-management/mdm/assign-seats.md index dfe0baab52..1033a9f800 100644 --- a/windows/client-management/mdm/assign-seats.md +++ b/windows/client-management/mdm/assign-seats.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index fa60680334..c0be644dc5 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 04/25/2018 --- @@ -19,6 +19,9 @@ For a step-by-step guide for setting up devices to run in kiosk mode, see [Set u In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For a step-by-step guide, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps). +> [!Warning] +> You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups. + > [!Note] > The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. Starting in Windows 10, version 1803, it is also supported in Windows Holographic for Business edition. 
@@ -35,8 +38,11 @@ A JSON string that contains the user account name and Application User Model ID For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211) > [!Note] -> You cannot set both KioskModeApp and Configuration at the same time in the device in Windows 10, version 1709. +> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. > +> Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective. + +> [!Note] > You cannot set both KioskModeApp and ShellLauncher at the same time on the device. Starting in Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md). 
@@ -66,7 +72,9 @@ The supported operations are Add, Delete, Get and Replace. When there's no confi Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). > [!Note] -> You cannot set both KioskModeApp and Configuration at the same time on the device in Windows 10, version 1709. +> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. +> +> Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective. Enterprises can use this to easily configure and manage the curated lockdown experience. diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index 4d6da38792..a76545fe53 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md 
@@ -6,16 +6,13 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 02/22/2018 --- # AssignedAccess DDF -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML. You can download the DDF files from the links below: diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 87f7c33162..e5d61253aa 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 09/05/2017 --- @@ -610,7 +610,7 @@ Authorization:Bearer Additional claims may be present in the Azure AD token, such as: - User - user currently logged in -- Device compliance - value set the the MDM service into Azure +- Device compliance - value set the MDM service into Azure - Device ID - identifies the device that is checking in - Tenant ID @@ -684,6 +684,8 @@ For a sample that illustrates how an MDM can obtain an access token using OAuth The following sample REST API call illustrates how an MDM can use the Azure AD Graph API to report compliance status of a device currently being managed by it. +> **Note**  This is only applicable for approved MDM apps on Windows 10 devices. + ``` syntax Sample Graph API Request: 
diff --git a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
index f93d78ce36..c0a57334bc 100644
--- a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+++ b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
@@ -5,7 +5,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 01/17/2018
 ---
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index 556cb49468..622256b740 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -5,8 +5,8 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
-ms.date: 01/04/2018
+author: MariciaAlforque
+ms.date: 07/16/2018
 ---
 # BitLocker CSP
@@ -420,7 +420,7 @@ The following diagram shows the BitLocker configuration service provider in tree

    If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.

    -

    If you set the the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.

    +

    If you set the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.

    Sample value for this node to enable this policy is:

    @@ -844,6 +844,37 @@ The following diagram shows the BitLocker configuration service provider in tree ``` +**AllowStandardUserEncryption** +Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account. + +> [!Note] +> This policy is only supported in Azure AD accounts. + +"AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, silent encryption is enforced. + +If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system. + +The expected values for this policy are: + +- 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. +- 0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive. + +If you want to disable this policy use the following SyncML: + +``` syntax + + 111 + + + ./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption + + + int + + 0 + + +``` ### SyncML example The following example is provided to show proper format and should not be taken as a recommendation. diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index 2e799e20dd..df0326e929 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md 
@@ -5,17 +5,20 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 12/05/2017 +author: MariciaAlforque +ms.date: 06/29/2018 --- # BitLocker DDF file +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic shows the OMA DM device description framework (DDF) for the **BitLocker** configuration service provider. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version for this CSP. +The XML below is the current version Windows 10, next major version. ``` syntax @@ -41,7 +44,7 @@ The XML below is the current version for this CSP. - com.microsoft/1.0/MDM/BitLocker + com.microsoft/3.0/MDM/BitLocker @@ -63,7 +66,7 @@ The XML below is the current version for this CSP. Disabling the policy will not turn off the encryption on the storage card. But will stop prompting the user to turn it on. If you want to disable this policy use the following SyncML: - $CmdID$ + 100 ./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption @@ -87,6 +90,10 @@ The XML below is the current version for this CSP. text/plain + + + + @@ -106,7 +113,7 @@ The XML below is the current version for this CSP. Disabling the policy will not turn off the encryption on the system drive. But will stop prompting the user to turn it on. If you want to disable this policy use the following SyncML: - $CmdID$ + 101 ./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption @@ -130,6 +137,10 @@ The XML below is the current version for this CSP. text/plain + + + + @@ -160,7 +171,7 @@ The XML below is the current version for this CSP. If you want to disable this policy use the following SyncML: - $CmdID$ + 102 ./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType 
@@ -186,6 +197,9 @@ The XML below is the current version for this CSP. text/plain + VolumeEncryption.admx + VolumeEncryption~AT~WindowsComponents~FVECategory + EncryptionMethodWithXts_Name 
@@ -200,7 +214,7 @@ The XML below is the current version for this CSP. This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs. If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive. - On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both. + On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 4-digit to 20-digit personal identification number (PIN), or both. If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard. 
If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM. Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. @@ -227,7 +241,7 @@ The XML below is the current version for this CSP. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - $CmdID$ + 103 ./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication @@ -253,6 +267,9 @@ The XML below is the current version for this CSP. text/plain + VolumeEncryption.admx + VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory + ConfigureAdvancedStartup_Name 
@@ -264,9 +281,10 @@ The XML below is the current version for this CSP. - This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits. + This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN. If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits. + NOTE: If minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. The format is string. Sample value for this node to enable this policy is: <enabled/><data id="MinPINLength" value="xx"/> @@ -274,7 +292,7 @@ The XML below is the current version for this CSP. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - $CmdID$ + 104 ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength @@ -300,6 +318,9 @@ The XML below is the current version for this CSP. text/plain + VolumeEncryption.admx + VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory + MinimumPINLength_Name @@ -331,7 +352,7 @@ The XML below is the current version for this CSP. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - $CmdID$ + 105 ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage 
@@ -357,6 +378,9 @@ The XML below is the current version for this CSP. text/plain + VolumeEncryption.admx + VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory + PrebootRecoveryInfo_Name @@ -397,7 +421,7 @@ The XML below is the current version for this CSP. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - $CmdID$ + 106 ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions @@ -423,6 +447,9 @@ The XML below is the current version for this CSP. text/plain + VolumeEncryption.admx + VolumeEncryption~AT~WindowsComponents~FVECategory~FVEOSCategory + OSRecoveryUsage_Name @@ -463,7 +490,7 @@ The XML below is the current version for this CSP. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - $CmdID$ + 107 ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions @@ -489,6 +516,9 @@ The XML below is the current version for this CSP. text/plain + VolumeEncryption.admx + VolumeEncryption~AT~WindowsComponents~FVECategory~FVEFDVCategory + FDVRecoveryUsage_Name @@ -510,7 +540,7 @@ The XML below is the current version for this CSP. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - $CmdID$ + 108 ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption @@ -536,6 +566,9 @@ The XML below is the current version for this CSP. text/plain + VolumeEncryption.admx + VolumeEncryption~AT~WindowsComponents~FVECategory~FVEFDVCategory + FDVDenyWriteAccess_Name @@ -563,7 +596,7 @@ The XML below is the current version for this CSP. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: - $CmdID$ + 109 ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption 
@@ -589,6 +622,116 @@ The XML below is the current version for this CSP. text/plain + VolumeEncryption.admx + VolumeEncryption~AT~WindowsComponents~FVECategory~FVERDVCategory + RDVDenyWriteAccess_Name + + + + AllowWarningForOtherDiskEncryption + + + + + + + + Allows Admin to disable all UI (notification for encryption and warning prompt for other disk encryption) + and turn on encryption on the user machines silently. + Warning: When you enable BitLocker on a device with third party encryption, it may render the device unusable and will + require reinstallation of Windows. + Note: This policy takes effect only if "RequireDeviceEncryption" policy is set to 1. + The format is integer. + The expected values for this policy are: + + 1 = This is the default, when the policy is not set. Warning prompt and encryption notification is allowed. + 0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, + the value 0 only takes affect on Azure Active Directory joined devices. + Windows will attempt to silently enable BitLocker for value 0. + + If you want to disable this policy use the following SyncML: + + 110 + + + ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption + + + int + + 0 + + + + + + + + + + + + + + text/plain + + + + + + + + + AllowStandardUserEncryption + + + + + + + + Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user. + "AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, Silent encryption is enforced. + If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user + is the current logged on user in the system. 
+ + The expected values for this policy are: + + 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. + 0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy + will not try to enable encryption on any drive. + + If you want to disable this policy use the following SyncML: + + 111 + + + ./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption + + + int + + 0 + + + + + + + + + + + + + + text/plain + + + + + diff --git a/windows/client-management/mdm/bootstrap-csp.md b/windows/client-management/mdm/bootstrap-csp.md index 91c374f17b..e59f02fc74 100644 --- a/windows/client-management/mdm/bootstrap-csp.md +++ b/windows/client-management/mdm/bootstrap-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md index 5dc4046e6f..de3a4c2736 100644 --- a/windows/client-management/mdm/browserfavorite-csp.md +++ b/windows/client-management/mdm/browserfavorite-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md b/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md index 1bf6f155f5..953ec2e528 100644 --- a/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md +++ b/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 09/18/2017 --- 
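Review bot: In the added AllowWarningForOtherDiskEncryption node, the lead-in "If you want to disable this policy use the following SyncML" is followed by a sample that appears to carry the value 0. The element tags are not visible in this view, so that is inferred. By the description above it, 0 is the setting that suppresses the warning prompt and silently turns on BitLocker, which is the case the third-party-encryption warning is about, so "disable this policy" can be read as the opposite of what the sample does. A lead-in such as `To suppress the warning prompt and enable encryption silently (value 0), use the following SyncML:` would remove the ambiguity. In the same description, "the value 0 only takes affect" should read "takes effect". The AllowStandardUserEncryption sample uses the same lead-in with what appears to be the same value, but there 0 is described as the default, so the wording is less risky.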
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index ea6b39ee4f..fc0c578410 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -9,7 +9,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- @@ -30,7 +30,7 @@ On the desktop, you can create an Active Directory account, such as "enrollment@ On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as "enroll@contoso.com" and "enrollmentpassword." These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them. -> **Note**   +>[!NOTE]   > - Bulk-join is not supported in Azure Active Directory Join. > - Bulk enrollment does not work in Intune standalone enviroment. > - Bulk enrollment works in System Center Configuration Manager (SCCM) + Intune hybrid environment where the ppkg is generated from the SCCM console. @@ -47,7 +47,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain. -## Create and apply a provisioning package for on-premise authentication +## Create and apply a provisioning package for on-premises authentication Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md index 21a3bbbdc4..19669fb1b1 100644 
--- a/windows/client-management/mdm/cellularsettings-csp.md +++ b/windows/client-management/mdm/cellularsettings-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/certificate-authentication-device-enrollment.md b/windows/client-management/mdm/certificate-authentication-device-enrollment.md index a7b94f6b27..6562fc73d0 100644 --- a/windows/client-management/mdm/certificate-authentication-device-enrollment.md +++ b/windows/client-management/mdm/certificate-authentication-device-enrollment.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/certificate-renewal-windows-mdm.md b/windows/client-management/mdm/certificate-renewal-windows-mdm.md index b2241c0952..a857467f1a 100644 --- a/windows/client-management/mdm/certificate-renewal-windows-mdm.md +++ b/windows/client-management/mdm/certificate-renewal-windows-mdm.md @@ -9,7 +9,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index 21a4fb28c2..cde5940e24 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/certificatestore-ddf-file.md b/windows/client-management/mdm/certificatestore-ddf-file.md index ab234ad8a1..820779ea14 100644 --- a/windows/client-management/mdm/certificatestore-ddf-file.md 
+++ b/windows/client-management/mdm/certificatestore-ddf-file.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md index 78bcc6d494..4ce39d12fb 100644 --- a/windows/client-management/mdm/cleanpc-csp.md +++ b/windows/client-management/mdm/cleanpc-csp.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/cleanpc-ddf.md b/windows/client-management/mdm/cleanpc-ddf.md index af04d6e6d4..1c1c3ded0a 100644 --- a/windows/client-management/mdm/cleanpc-ddf.md +++ b/windows/client-management/mdm/cleanpc-ddf.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 1183e5b3d6..bf01d38374 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 11/03/2017 --- diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index 10617e23a2..977dd79898 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 12/05/2017 --- 
diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 22bb311265..adffb8bef0 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 08/02/2017 --- diff --git a/windows/client-management/mdm/cm-proxyentries-csp.md b/windows/client-management/mdm/cm-proxyentries-csp.md index 59956b5db5..50b393f039 100644 --- a/windows/client-management/mdm/cm-proxyentries-csp.md +++ b/windows/client-management/mdm/cm-proxyentries-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md index 1eeee323ba..6b1ae02496 100644 --- a/windows/client-management/mdm/cmpolicy-csp.md +++ b/windows/client-management/mdm/cmpolicy-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md index 75a6658d5e..46f6724edb 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-csp.md +++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md index 17d660ee81..8082e19a7b 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md 
+++ b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index dbd55b06f3..cd6b862e43 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -6,8 +6,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 04/24/2018 +author: MariciaAlforque +ms.date: 07/27/2018 --- # Configuration service provider reference @@ -30,6 +30,7 @@ Footnotes: - 2 - Added in Windows 10, version 1703 - 3 - Added in Windows 10, version 1709 - 4 - Added in Windows 10, version 1803 +- 5 - Added in Windows 10, next major version
    @@ -2416,6 +2417,34 @@ Footnotes: + +[Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md) + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5cross markcross mark
    + + + + [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) @@ -2531,6 +2560,34 @@ Footnotes: + +[WiredNetwork CSP](wirednetwork-csp.md) + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark5check mark5check mark5check mark5check mark5check mark5
    + + + + [w7 APPLICATION CSP](w7-application-csp.md) @@ -2568,6 +2625,7 @@ Footnotes: - 2 - Added in Windows 10, version 1703 - 3 - Added in Windows 10, version 1709 - 4 - Added in Windows 10, version 1803 +- 5 - Added in Windows 10, next major version ## CSP DDF files download 
@@ -2592,15 +2650,18 @@ The following list shows the configuration service providers supported in Window | [CertificateStore CSP](certificatestore-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)| | [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [DevDetail CSP](devdetail-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -| [DeveloperSetup CSP](developersetup-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)2 (Provisioning only)| +| [DeveloperSetup CSP](developersetup-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)2 (runtime provisioning via provisioning packages only; no MDM support)| | [DeviceStatus CSP](devicestatus-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [DevInfo CSP](devinfo-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [DiagnosticLog CSP](diagnosticlog-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [DMAcc CSP](dmacc-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [DMClient CSP](dmclient-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [NodeCache CSP](nodecache-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | [PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [Policy CSP](policy-configuration-service-provider.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [RemoteFind CSP](remotefind-csp.md) | ![cross 
mark](images/crossmark.png) | ![check mark](images/checkmark.png)4 | +| [RemoteWipe CSP](remotewipe-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)4 | | [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [VPN2 CSP](vpnv2-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | @@ -2612,6 +2673,7 @@ The following list shows the configuration service providers supported in Window - 2 - Added in Windows 10, version 1703 - 3 - Added in Windows 10, version 1709 - 4 - Added in Windows 10, version 1803 +- 5 - Added in Windows 10, next major version ## CSPs supported in Microsoft Surface Hub diff --git a/windows/client-management/mdm/create-a-custom-configuration-service-provider.md b/windows/client-management/mdm/create-a-custom-configuration-service-provider.md index 97eba5a985..e9e64f8c54 100644 --- a/windows/client-management/mdm/create-a-custom-configuration-service-provider.md +++ b/windows/client-management/mdm/create-a-custom-configuration-service-provider.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md index b813a4a4d1..06c4308457 100644 --- a/windows/client-management/mdm/customdeviceui-csp.md +++ b/windows/client-management/mdm/customdeviceui-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/customdeviceui-ddf.md b/windows/client-management/mdm/customdeviceui-ddf.md index 265fa33a9b..d862212b6c 100644 
--- a/windows/client-management/mdm/customdeviceui-ddf.md +++ b/windows/client-management/mdm/customdeviceui-ddf.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/data-structures-windows-store-for-business.md b/windows/client-management/mdm/data-structures-windows-store-for-business.md index 4f63cd3e06..3b6a66593b 100644 --- a/windows/client-management/mdm/data-structures-windows-store-for-business.md +++ b/windows/client-management/mdm/data-structures-windows-store-for-business.md @@ -9,7 +9,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index b2c82ca8e5..30c188ac88 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -6,13 +6,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 01/29/2018 +author: MariciaAlforque +ms.date: 07/19/2018 --- # Defender CSP - > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -117,6 +116,9 @@ The following table describes the supported values: | 46 | Behavior | | 47 | Vulnerability | | 48 | Policy | +| 49 | EUS (Enterprise Unwanted Software)| +| 50 | Ransomware | +| 51 | ASR Rule |   
@@ -129,19 +131,17 @@ The data type is a integer. The following list shows the supported values: -- 0 = Unknown -- 1 = Detected -- 2 = Cleaned -- 3 = Quarantined -- 4 = Removed -- 5 = Allowed -- 6 = Blocked -- 102 = Clean failed -- 103 = Quarantine failed -- 104 = Remove failed -- 105 = Allow failed -- 106 = Abandoned -- 107 = Block failed +- 0 = Active +- 1 = Action failed +- 2 = Manual steps required +- 3 = Full scan required +- 4 = Reboot required +- 5 = Remediated with non critical failures +- 6 = Quarantined +- 7 = Removed +- 8 = Cleaned +- 9 = Allowed +- 10 = No Status ( Cleared) Supported operation is Get. 
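Review bot: The replacement value list reuses numbers that had other meanings in the removed list: 1 changes from "Detected" to "Action failed", 5 from "Allowed" to "Remediated with non critical failures", and 6 from "Blocked" to "Quarantined". Nothing in the hunk says which Windows release reports the new mapping or whether the old table was simply wrong. A management server or alerting rule written against the old table would then misread threat state, for example treating a quarantined threat as blocked or a failed action as a plain detection. Add one sentence before the list stating which applies, such as `These values replace the list previously documented here; <state the Windows 10 version from which they apply, or that the earlier list was incorrect>.` The entry `10 = No Status ( Cleared)` also has a stray space after the opening parenthesis.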
@@ -178,6 +178,57 @@ An interior node to group information about Windows Defender health status. Supported operation is Get. +**Health/ProductStatus** +Added in Windows 10, next major version. Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list. + +Data type is integer. Supported operation is Get. + +Supported product status values: +- No status = 0 +- Service not running = 1 << 0 +- Service started without any malware protection engine = 1 << 1 +- Pending full scan due to threat action = 1 << 2 +- Pending reboot due to threat action = 1 << 3 +- ending manual steps due to threat action = 1 << 4 +- AV signatures out of date = 1 << 5 +- AS signatures out of date = 1 << 6 +- No quick scan has happened for a specified period = 1 << 7 +- No full scan has happened for a specified period = 1 << 8 +- System initiated scan in progress = 1 << 9 +- System initiated clean in progress = 1 << 10 +- There are samples pending submission = 1 << 11 +- Product running in evaluation mode = 1 << 12 +- Product running in non-genuine Windows mode = 1 << 13 +- Product expired = 1 << 14 +- Off-line scan required = 1 << 15 +- Service is shutting down as part of system shutdown = 1 << 16 +- Threat remediation failed critically = 1 << 17 +- Threat remediation failed non-critically = 1 << 18 +- No status flags set (well initialized state) = 1 << 19 +- Platform is out of date = 1 << 20 +- Platform update is in progress = 1 << 21 +- Platform is about to be outdated = 1 << 22 +- Signature or platform end of life is past or is impending = 1 << 23 +- Windows SMode signatures still in use on non-Win10S install = 1 << 24 + +Example: + +``` syntax + + + + 1 + + + ./Vendor/MSFT/Defender/Health/ProductStatus + + + + + + +``` + **Health/ComputerState** Provide the current state of the device. 
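Review bot: In the added Health/ProductStatus list, the entry for bit 4 reads "ending manual steps due to threat action" and should be `- Pending manual steps due to threat action = 1 << 4`. The list also has both "No status = 0" and "No status flags set (well initialized state) = 1 << 19" without saying how they differ. Since this is documented as a bitmask that a management server decodes, a reader cannot tell whether a healthy device reports 0 or bit 19. A short clause on each entry, or a sentence after the list, should state which value indicates that nothing needs attention.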
@@ -188,9 +239,9 @@ The following list shows the supported values: - 0 = Clean - 1 = Pending full scan - 2 = Pending reboot -- 4 = Pending manual steps +- 4 = Pending manual steps (Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan) - 8 = Pending offline scan -- 16 = Pending critical failure +- 16 = Pending critical failure (Windows Defender has failed critically and an Adminsitrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender) Supported operation is Get. @@ -314,7 +365,7 @@ Node that can be used to perform signature updates for Windows Defender. Supported operations are Get and Execute. **OfflineScan** -Added in Windows 10, version 1803. OfflineScan action starts a Windows Defender offline scan on the computer where you run the command. This command causes the computer reboot and start in Windows Defender offline mode to begin the scan. +Added in Windows 10, version 1803. OfflineScan action starts a Windows Defender offline scan on the computer where you run the command. After the next OS reboot, the device will start in Windows Defender offline mode to begin the scan. Supported operations are Get and Execute. @@ -323,12 +374,3 @@ Supported operations are Get and Execute. [Configuration service provider reference](configuration-service-provider-reference.md) -  - -  - - - - - - diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index 4077ab58af..afd02d79f2 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md 
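Review bot: The explanation added to value 4 in the Health/ComputerState list ("such as restarting the computer or running a full scan") names the same actions that values 2 (Pending reboot) and 1 (Pending full scan) already stand for. That makes the three states harder to tell apart when triaging a device. Consider an example not covered by another value, or drop the examples, as in `- 4 = Pending manual steps (Windows Defender is waiting for the user to take some action)`. In the value 16 line, "Adminsitrator" should be "administrator".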
@@ -6,21 +6,18 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 01/29/20178 +author: MariciaAlforque +ms.date: 07/12/2018 --- # Defender DDF file -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - This topic shows the OMA DM device description framework (DDF) for the **Defender** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version for this CSP. +The XML below is for Windows 10, next major version. ``` syntax @@ -46,7 +43,7 @@ The XML below is the current version for this CSP. - com.microsoft/1.1/MDM/Defender + com.microsoft/1.2/MDM/Defender @@ -289,6 +286,26 @@ The XML below is the current version for this CSP. + + ProductStatus + + + + + + + + + + + + + + + text/plain + + + ComputerState diff --git a/windows/client-management/mdm/design-a-custom-windows-csp.md b/windows/client-management/mdm/design-a-custom-windows-csp.md index de5fb5efed..66df907c0c 100644 --- a/windows/client-management/mdm/design-a-custom-windows-csp.md +++ b/windows/client-management/mdm/design-a-custom-windows-csp.md @@ -9,7 +9,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index 786d02beff..27dd7bead4 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md 
@@ -6,12 +6,15 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 08/25/2017 +author: MariciaAlforque +ms.date: 07/11/2018 --- # DevDetail CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + The DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server. These device parameters are not sent from the client to the server automatically, but can be queried by servers using OMA DM commands. > [!NOTE] @@ -140,7 +143,12 @@ The following diagram shows the DevDetail configuration service provider managem **Ext/Microsoft/TotalRAM**

    Added in Windows 10, version 1511. Integer that specifies the total available memory in MB on the device (may be less than total physical memory). -

    Supported operation is Get. +Supported operation is Get. + +**Ext/Microsoft/SMBIOSSerialNumber** +Added in Windows 10, next major version. SMBIOS Serial Number of the device. + +Value type is string. Supported operation is Get. **Ext/WLANMACAddress**

    The MAC address of the active WLAN connection, as a 12-digit hexadecimal number. diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index 9ae9264eea..737bb65143 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -6,17 +6,20 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 12/05/2017 +author: MariciaAlforque +ms.date: 07/11/2018 --- # DevDetail DDF file +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic shows the OMA DM device description framework (DDF) for the **DevDetail** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version for this CSP. +The XML below is for Windows 10, next major version. ``` syntax @@ -42,7 +45,7 @@ The XML below is the current version for this CSP. - urn:oma:mo:oma-dm-devdetail:1.1 + urn:oma:mo:oma-dm-devdetail:1.2 @@ -525,6 +528,27 @@ The XML below is the current version for this CSP. + + SMBIOSSerialNumber + + + + + SMBIOS Serial Number of the device. + + + + + + + + + + + text/plain + + + WLANMACAddress @@ -676,19 +700,4 @@ The XML below is the current version for this CSP. -``` - -## Related topics - - -[DevDetail configuration service provider](devdetail-csp.md) - -  - -  - - - - - - +``` \ No newline at end of file diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md index de3145a84f..f8e2889036 100644 --- a/windows/client-management/mdm/developersetup-csp.md 
+++ b/windows/client-management/mdm/developersetup-csp.md @@ -6,8 +6,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 06/26/2017 +author: MariciaAlforque +ms.date: 06/26/2018 --- # DeveloperSetup CSP @@ -15,7 +15,7 @@ ms.date: 06/26/2017 The DeveloperSetup configuration service provider (CSP) is used to configure Developer Mode on the device and connect to the Windows Device Portal. For more information about the Windows Device Portal, see [Windows Device Portal overview](https://msdn.microsoft.com/en-us/windows/uwp/debug-test-perf/device-portal). This CSP was added in Windows 10, version 1703. > [!NOTE] -The DeveloperSetup configuration service provider (CSP) is supported only in Windows 10 Holographic Enterprise edition and is for provisioning only. +The DeveloperSetup configuration service provider (CSP) is only supported in Windows 10 Holographic Enterprise edition and with runtime provisioning via provisioning packages. It is not supported in MDM. The following diagram shows the DeveloperSetup configuration service provider in tree format. diff --git a/windows/client-management/mdm/developersetup-ddf.md b/windows/client-management/mdm/developersetup-ddf.md index 6560f47d5a..6ca207820f 100644 --- a/windows/client-management/mdm/developersetup-ddf.md +++ b/windows/client-management/mdm/developersetup-ddf.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index d00d0a4d57..2e48c36d75 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md 
@@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 11/15/2017 --- @@ -630,7 +630,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > [!Important] > Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Enterprise. -

    Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet. +

    Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.

    Supported operations are Get and Replace. diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md index daa68b5f98..9c8435dbaa 100644 --- a/windows/client-management/mdm/deviceinstanceservice-csp.md +++ b/windows/client-management/mdm/deviceinstanceservice-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md index d70696fa67..8d44aca043 100644 --- a/windows/client-management/mdm/devicelock-csp.md +++ b/windows/client-management/mdm/devicelock-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/devicelock-ddf-file.md b/windows/client-management/mdm/devicelock-ddf-file.md index b28ed962ce..11ec6e0bf0 100644 --- a/windows/client-management/mdm/devicelock-ddf-file.md +++ b/windows/client-management/mdm/devicelock-ddf-file.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md index 3ddbb3dcaa..fb86e76896 100644 --- a/windows/client-management/mdm/devicemanageability-csp.md +++ b/windows/client-management/mdm/devicemanageability-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 11/01/2017 --- diff --git a/windows/client-management/mdm/devicemanageability-ddf.md b/windows/client-management/mdm/devicemanageability-ddf.md index ebb83615c2..44440337e3 100644 
--- a/windows/client-management/mdm/devicemanageability-ddf.md +++ b/windows/client-management/mdm/devicemanageability-ddf.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index 25e45dfb80..a20317c21f 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -6,8 +6,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 07/26/2018 --- # DeviceStatus CSP @@ -178,11 +178,24 @@ Supported operation is Get. **DeviceStatus/Antispyware/SignatureStatus** Added in Windows, version 1607. Integer that specifies the status of the antispyware signature. +Valid values: + +- 0 - The security software reports that it is not the most recent version. +- 1 - The security software reports that it is the most recent version. +- 2 - Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) + Supported operation is Get. **DeviceStatus/Antispyware/Status** Added in Windows, version 1607. Integer that specifies the status of the antispyware. +Valid values: + +- 0 - The status of the security provider category is good and does not need user attention. +- 1 - The status of the security provider category is not monitored by Windows Security Center (WSC). +- 2 - The status of the security provider category is poor and the computer may be at risk. +- 3 - The security provider category is in snooze state. Snooze indicates that WSC is not actively protecting the computer. + Supported operation is Get. **DeviceStatus/Firewall** 
diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md
index 7e4a7a5933..8f0e5a3364 100644
--- a/windows/client-management/mdm/devicestatus-ddf.md
+++ b/windows/client-management/mdm/devicestatus-ddf.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 03/12/2018
 ---
diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md
index b7a165df3b..bbff58b76c 100644
--- a/windows/client-management/mdm/devinfo-csp.md
+++ b/windows/client-management/mdm/devinfo-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md
index 114a481554..8b88fb1918 100644
--- a/windows/client-management/mdm/devinfo-ddf-file.md
+++ b/windows/client-management/mdm/devinfo-ddf-file.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
index 8301049541..a0cec11bb0 100644
--- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
+++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
@@ -6,14 +6,28 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 06/26/2017 +author: MariciaAlforque +ms.date: 06/25/2018 --- # Diagnose MDM failures in Windows 10 To help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server, you can examine the MDM logs collected from the desktop or mobile device. The following sections describe the procedures for collecting MDM logs. +## Download the MDM Diagnostic Information log from Windows 10 PCs + +1. On your managed device go to **Settings** > **Accounts** > **Access work or school**. +1. Click your work or school account, then click **Info.** + ![Access work or school page in Settings](images/diagnose-mdm-failures15.png) + +1. At the bottom of the **Settings** page, click **Create report**. + ![Access work or school page in Settings](images/diagnose-mdm-failures16.png) +1. A window opens that shows the path to the log files. Click **Export**. + + ![Access work or school page in Settings](images/diagnose-mdm-failures17.png) + +1. In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report. + ## Collect logs directly from Windows 10 PCs Starting with the Windows 10, version 1511, MDM logs are captured in the Event Viewer in the following location: @@ -96,9 +110,9 @@ Example: Export the Debug logs ``` -## Collect logs from Windows 10 Mobile devices +## Collect logs from Windows 10 Mobile devices -Since there is no Event Viewer in Windows 10 Mobile, you can use the [Field Medic]( http://go.microsoft.com/fwlink/p/?LinkId=718232) app to collect logs. +Since there is no Event Viewer in Windows 10 Mobile, you can use the [Field Medic](https://www.microsoft.com/en-us/p/field-medic/9wzdncrfjb82?activetab=pivot%3aoverviewtab) app to collect logs. **To collect logs manually** 
@@ -168,9 +182,9 @@ The following table contains a list of common providers and their corresponding   -## Collect logs remotely from Windows 10 Mobile devices +## Collect logs remotely from Windows 10 Holographic or Windows 10 Mobile devices -For mobile devices already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md). +For holographic or mobile devices already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md). You can use the DiagnosticLog CSP to enable the ETW provider. The provider ID is 3DA494E4-0FE2-415C-B895-FB5265C5C83B. The following examples show how to enable the ETW provider: diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index 106105c026..4b9157ad49 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md index 31cee8e1de..4fb7edff7c 100644 --- a/windows/client-management/mdm/diagnosticlog-ddf.md +++ b/windows/client-management/mdm/diagnosticlog-ddf.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index 03e23b59f5..13878c6f74 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md 
@@ -9,7 +9,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index e0a6c7450e..8db057501d 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md index 31b0c6a655..93a041f3d1 100644 --- a/windows/client-management/mdm/dmacc-ddf-file.md +++ b/windows/client-management/mdm/dmacc-ddf-file.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 4de7bc9cc1..a33799474c 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -6,16 +6,13 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 11/01/2017 --- # DMClient CSP -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - The DMClient configuration service provider is used to specify additional enterprise-specific mobile device management configuration settings for identifying the device in the enterprise domain, security mitigation for certificate renewal, and server-triggered enterprise unenrollment. The following diagram shows the DMClient configuration service provider in tree format. 
@@ -661,7 +658,7 @@ Required. Added in Windows 10, version 1709. This node contains a list of LocURI Supported operations are Add, Delete, Get, and Replace. Value type is string. **Provider/*ProviderID*/FirstSyncStatus/ExpectedNetworkProfiles** -Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the the management service provider expects to provision, delimited by the character L"\xF000". +Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the management service provider expects to provision, delimited by the character L"\xF000". Supported operations are Add, Delete, Get, and Replace. Value type is string. diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index fda5ae3f82..1c171bbb0f 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -6,16 +6,13 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 12/05/2017 --- # DMClient DDF file -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - This topic shows the OMA DM device description framework (DDF) for the **DMClient** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md index 880ca3e6ec..f035ff93d4 100644 --- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md 
+++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md
@@ -16,7 +16,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md
index 6b098de192..6e8aa70785 100644
--- a/windows/client-management/mdm/dmsessionactions-csp.md
+++ b/windows/client-management/mdm/dmsessionactions-csp.md
@@ -5,7 +5,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/dmsessionactions-ddf.md b/windows/client-management/mdm/dmsessionactions-ddf.md
index d04dff87aa..e587b4c69f 100644
--- a/windows/client-management/mdm/dmsessionactions-ddf.md
+++ b/windows/client-management/mdm/dmsessionactions-ddf.md
@@ -5,7 +5,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md
index cbe6465b8c..4d50badd48 100644
--- a/windows/client-management/mdm/dynamicmanagement-csp.md
+++ b/windows/client-management/mdm/dynamicmanagement-csp.md
@@ -5,7 +5,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/dynamicmanagement-ddf.md b/windows/client-management/mdm/dynamicmanagement-ddf.md
index 91f179d6ce..0ca27a4ec0 100644
--- a/windows/client-management/mdm/dynamicmanagement-ddf.md
+++ b/windows/client-management/mdm/dynamicmanagement-ddf.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md
index 87bea65441..4c66aef7db 100644
--- a/windows/client-management/mdm/eap-configuration.md
+++ b/windows/client-management/mdm/eap-configuration.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md
index 60e492ca69..dce5177a0f 100644
--- a/windows/client-management/mdm/email2-csp.md
+++ b/windows/client-management/mdm/email2-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md
index f550a0c9c7..cad330322f 100644
--- a/windows/client-management/mdm/email2-ddf-file.md
+++ b/windows/client-management/mdm/email2-ddf-file.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
index 3cbe681524..acb4952dea 100644
--- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
@@ -5,7 +5,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 11/01/2017
 ---
diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
index d5799f4611..4c21520591 100644
--- a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
+++ b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index 86fa8a02b9..010ca41cad 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -5,7 +5,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 10/04/2017
 ---
@@ -30,7 +30,7 @@ Here is a partial screenshot of the result: The auto-enrollment relies of the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered. > [!Note] -> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation. +> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. 
@@ -106,7 +106,7 @@ Requirements: - Enterprise AD must be integrated with Azure AD. - Ensure that PCs belong to same computer group. -1. Create a Group Policy Object (GPO) and enable the Group Policy **Auto MDM enrollment with AAD token**. +1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. 2. Create a Security Group for the PCs. 3. Link the GPO. 4. Filter using Security Groups. diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md index 8aaf17e2a9..755b31d58e 100644 --- a/windows/client-management/mdm/enterprise-app-management.md +++ b/windows/client-management/mdm/enterprise-app-management.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 09/22/2017 --- diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md index 9795891e62..ecf0ae28ec 100644 --- a/windows/client-management/mdm/enterpriseapn-csp.md +++ b/windows/client-management/mdm/enterpriseapn-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 09/22/2017 --- diff --git a/windows/client-management/mdm/enterpriseapn-ddf.md b/windows/client-management/mdm/enterpriseapn-ddf.md index 99d327d3d4..ebd171a390 100644 --- a/windows/client-management/mdm/enterpriseapn-ddf.md +++ b/windows/client-management/mdm/enterpriseapn-ddf.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 12/05/2017 --- 
diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md
index 64e6e98dcb..a17fca7628 100644
--- a/windows/client-management/mdm/enterpriseappmanagement-csp.md
+++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
index 9b0c5cf24b..006a9353a2 100644
--- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md
+++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
@@ -5,7 +5,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
index 1946bb8358..bc28fee863 100644
--- a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
+++ b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
@@ -5,7 +5,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md
index 222f582e36..e5f202eacb 100644
--- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md
+++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 07/12/2017
 ---
diff --git a/windows/client-management/mdm/enterpriseassignedaccess-ddf.md b/windows/client-management/mdm/enterpriseassignedaccess-ddf.md
index 58a3bf5f04..890112e13c 100644
--- a/windows/client-management/mdm/enterpriseassignedaccess-ddf.md
+++ b/windows/client-management/mdm/enterpriseassignedaccess-ddf.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/enterpriseassignedaccess-xsd.md b/windows/client-management/mdm/enterpriseassignedaccess-xsd.md
index a95eed6af8..cb651d8548 100644
--- a/windows/client-management/mdm/enterpriseassignedaccess-xsd.md
+++ b/windows/client-management/mdm/enterpriseassignedaccess-xsd.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md
index c79f4f55e9..f76ebb330b 100644
--- a/windows/client-management/mdm/enterprisedataprotection-csp.md
+++ b/windows/client-management/mdm/enterprisedataprotection-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 08/09/2017
 ---
diff --git a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md
index eb9a7eb29d..15c68b54d0 100644
--- a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md
+++ b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
index 89037bff06..2c036e00e7 100644
--- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 07/11/2017
 ---
diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md
index 9b847cedfb..26ff1f5785 100644
--- a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md b/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md
index 82d8fb2f13..79f6ff63e1 100644
--- a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/enterpriseext-csp.md b/windows/client-management/mdm/enterpriseext-csp.md
index 376700561f..fe887a54e4 100644
--- a/windows/client-management/mdm/enterpriseext-csp.md
+++ b/windows/client-management/mdm/enterpriseext-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/enterpriseext-ddf.md b/windows/client-management/mdm/enterpriseext-ddf.md
index 39bca734e1..72451bab66 100644
--- a/windows/client-management/mdm/enterpriseext-ddf.md
+++ b/windows/client-management/mdm/enterpriseext-ddf.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/enterpriseextfilessystem-csp.md b/windows/client-management/mdm/enterpriseextfilessystem-csp.md
index ead94360c1..b7afdf089e 100644
--- a/windows/client-management/mdm/enterpriseextfilessystem-csp.md
+++ b/windows/client-management/mdm/enterpriseextfilessystem-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/enterpriseextfilesystem-ddf.md b/windows/client-management/mdm/enterpriseextfilesystem-ddf.md
index b3bd10d28c..eafe9dc1ab 100644
--- a/windows/client-management/mdm/enterpriseextfilesystem-ddf.md
+++ b/windows/client-management/mdm/enterpriseextfilesystem-ddf.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
index 404877f84d..72a33dfc8b 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
@@ -6,13 +6,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/01/2018 +author: MariciaAlforque +ms.date: 07/24/2018 --- # EnterpriseModernAppManagement CSP - > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -26,30 +25,30 @@ The following image shows the EnterpriseModernAppManagement configuration servic ![enterprisemodernappmanagement csp diagram](images/provisioning-csp-enterprisemodernappmanagement.png) **Device or User context** -

    For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path. +For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path. > [!Note] > Windows Holographic and Windows 10 Mobile only support per-user configuration of the EnterpriseModernAppManagement CSP. **AppManagement** -

    Required. Used for inventory and app management (post-install). +Required. Used for inventory and app management (post-install). **AppManagement/UpdateScan** -

    Required. Used to start the Windows Update scan. +Required. Used to start the Windows Update scan. -

    Supported operation is Execute. +Supported operation is Execute. **AppManagement/LastScanError** -

    Required. Reports the last error code returned by the update scan. +Required. Reports the last error code returned by the update scan. -

    Supported operation is Get. +Supported operation is Get. **AppManagement/AppInventoryResults** -

    Added in Windows 10, version 1511. Required. Returns the results for app inventory that was created after the AppInventoryQuery operation. +Added in Windows 10, version 1511. Required. Returns the results for app inventory that was created after the AppInventoryQuery operation. -

    Supported operation is Get. +Supported operation is Get. -

    Here's an example of AppInventoryResults operation. +Here's an example of AppInventoryResults operation. ``` syntax @@ -63,9 +62,9 @@ The following image shows the EnterpriseModernAppManagement configuration servic ``` **AppManagement/AppInventoryQuery** -

    Added in Windows 10, version 1511. Required. Specifies the query for app inventory. +Added in Windows 10, version 1511. Required. Specifies the query for app inventory. -

    Query parameters: +Query parameters: - Output - Specifies the parameters for the information returned in AppInventoryResults operation. Mutiple value must be separate by |. Valid values are: - PackagesName - returns the *PackageFamilyName* and *PackageFullName* of the app. Default if nothing is specified. @@ -95,9 +94,9 @@ The following image shows the EnterpriseModernAppManagement configuration servic If you do not specify this value, then all publishers are returned. -

    Supported operation is Get and Replace. +Supported operation is Get and Replace. -

    The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps. +The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps. ``` syntax @@ -112,9 +111,9 @@ The following image shows the EnterpriseModernAppManagement configuration servic ``` **AppManagement/RemovePackage** -

    Added in Windows 10, version 1703. Used to remove packages. Not supported for ./User/Vendor/MSFT. +Added in Windows 10, version 1703. Used to remove packages. Not supported for ./User/Vendor/MSFT. -

    Parameters: +Parameters:

    • Package
        @@ -131,9 +130,9 @@ The following image shows the EnterpriseModernAppManagement configuration servic
      -

      Supported operation is Execute. +Supported operation is Execute. -

      The following example removes a package for all users: +The following example removes a package for all users: ````XML @@ -151,30 +150,30 @@ The following image shows the EnterpriseModernAppManagement configuration servic ```` **AppManagement/nonStore** -

      Used to manage enterprise apps or developer apps that were not acquired from the Microsoft Store. +Used to manage enterprise apps or developer apps that were not acquired from the Microsoft Store. -

      Supported operation is Get. +Supported operation is Get. **AppManagement/System** -

      Reports apps installed as part of the operating system. +Reports apps installed as part of the operating system. -

      Supported operation is Get. +Supported operation is Get. **AppManagement/AppStore** -

      Required. Used for managing apps from the Microsoft Store. +Required. Used for managing apps from the Microsoft Store. -

      Supported operations are Get and Delete. +Supported operations are Get and Delete. **.../****_PackageFamilyName_** -

      Optional. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. +Optional. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. -

      Supported operations are Get and Delete. +Supported operations are Get and Delete. > [!Note] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. -

      Here's an example for uninstalling an app: +Here's an example for uninstalling an app: ``` syntax @@ -194,79 +193,76 @@ The following image shows the EnterpriseModernAppManagement configuration servic ``` **.../*PackageFamilyName*/****_PackageFullName_** -

      Optional. Full name of the package installed. +Optional. Full name of the package installed. -

      Supported operations are Get and Delete. +Supported operations are Get and Delete. > [!Note] > XAP files use a product ID in place of PackageFullName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.   **.../*PackageFamilyName*/*PackageFullName*/Name** -

      Required. Name of the app. Value type is string. +Required. Name of the app. Value type is string. -

      Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/Version** -

      Required. Version of the app. Value type is string. +Required. Version of the app. Value type is string. -

      Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/Publisher** -

      Required. Publisher name of the app. Value type is string. +Required. Publisher name of the app. Value type is string. -

      Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/Architecture** -

      Required. Architecture of installed package. Value type is string. +Required. Architecture of installed package. Value type is string. > [!Note] > Not applicable to XAP files.   -

      Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/InstallLocation** -

      Required. Install location of the app on the device. Value type is string. +Required. Install location of the app on the device. Value type is string. > [!Note] > Not applicable to XAP files.   - -

      Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/IsFramework** -

      Required. Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. +Required. Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. > [!Note] > Not applicable to XAP files. -  -

      Supported operation is Get. + Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/IsBundle** -

      Required. The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. +Required. The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. -

      Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/InstallDate** -

      Required. Date the app was installed. Value type is string. +Required. Date the app was installed. Value type is string. -

      Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/ResourceID** -

      Required. Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. Value type is string. +Required. Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. Value type is string. > [!Note] > Not applicable to XAP files. -   -

      Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/PackageStatus** -

      Required. Provides information about the status of the package. Value type is int. Valid values are: +Required. Provides information about the status of the package. Value type is int. Valid values are: - OK (0) - The package is usable. - LicenseIssue (1) - The license of the package is not valid. @@ -277,50 +273,47 @@ The following image shows the EnterpriseModernAppManagement configuration servic > [!Note] > Not applicable to XAP files. -  - -

      Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/RequiresReinstall** -

      Required. Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. Value type is int. +Required. Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. Value type is int. > [!Note] > Not applicable to XAP files. -   -

      Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/Users** -

      Required. Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. Value type is string. +Required. Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. Value type is string. - Not Installed = 0 - Staged = 1 - Installed = 2 - Paused = 6 -

      Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/IsProvisioned** -

      Required. The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. +Required. The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. -

      Supported operation is Get. +Supported operation is Get. **.../*PackageFamilyName*/DoNotUpdate** -

      Required. Specifies whether you want to block a specific app from being updated via auto-updates. +Required. Specifies whether you want to block a specific app from being updated via auto-updates. -

      Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. **.../*PackageFamilyName*/AppSettingPolicy** (only for ./User/Vendor/MSFT) -

      Added in Windows 10, version 1511. Interior node for all managed app setting values. This node is only supported in the user context. +Added in Windows 10, version 1511. Interior node for all managed app setting values. This node is only supported in the user context. **.../*PackageFamilyName*/AppSettingPolicy/****_SettingValue_** (only for ./User/Vendor/MSFT) -

      Added in Windows 10, version 1511. The *SettingValue* and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed.App.Settings container. +Added in Windows 10, version 1511. The *SettingValue* and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed.App.Settings container. -

      This setting only works for apps that support the feature and it is only supported in the user context. +This setting only works for apps that support the feature and it is only supported in the user context. -

      Value type is string. Supported operations are Add, Get, Replace, and Delete. +Value type is string. Supported operations are Add, Get, Replace, and Delete. -

      The following example sets the value for the 'Server' +The following example sets the value for the 'Server' ``` syntax @@ -338,7 +331,7 @@ The following image shows the EnterpriseModernAppManagement configuration servic ``` -

      The following example gets all managed app settings for a specific app. +The following example gets all managed app settings for a specific app. ``` syntax @@ -352,7 +345,7 @@ The following image shows the EnterpriseModernAppManagement configuration servic ``` -**.../*PackageFamilyName*/MaintainProcessorArchitectureOnUpdate** +**.../_PackageFamilyName_/MaintainProcessorArchitectureOnUpdate** Added in Windows 10, version 1803. Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. Supported operations are Add, Get, Delete, and Replace. Value type is integer. 
@@ -366,32 +359,125 @@ Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (M |True |Disabled |X86 flavor is picked | |False (not set) |Not configured |X64 flavor is picked | +**.../_PackageFamilyName_/NonRemovable** +Added in Windows 10, next major version. Specifies if an app is nonremovable by the user. + +This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This is also useful when there are multiple users per device, and you want to ensure that one user doesn’t remove it for all users. + +NonRemovable requires admin permission. This can only be set per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. + +Value type is integer. Supported operations are Add, Get, and Replace. + +Valid values: +- 0 – app is not in the nonremovable app policy list +- 1 – app is included in the nonremovable app policy list + +**Examples:** + +Add an app to the nonremovable app policy list +``` + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable + + + int + + 1 + + + + + +``` + +Delete an app from the nonremovable app policy list +``` + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable + + + + + + +``` + +Get the status for a particular app +``` + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable + + + + + + +``` + +Replace an app in the nonremovable app policy list +Data 0 = app is not in the app policy list +Data 1 = app is in the app policy list +``` + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable + + + int + + 0 
+ + + + + +``` + **AppInstallation** -

      Required node. Used to perform app installation. +Required node. Used to perform app installation. **AppInstallation/****_PackageFamilyName_** -

      Optional node. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. +Optional node. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. -

      Supported operations are Get and Add. +Supported operations are Get and Add. > [!Note] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.   **AppInstallation/*PackageFamilyName*/StoreInstall** -

      Required. Command to perform an install of an app and a license from the Microsoft Store. +Required. Command to perform an install of an app and a license from the Microsoft Store. -

      Supported operation is Execute, Add, Delete, and Get. +Supported operation is Execute, Add, Delete, and Get. **AppInstallation/*PackageFamilyName*/HostedInstall** -

      Required. Command to perform an install of an app package from a hosted location (this can be a local drive, a UNC, or https data source). +Required. Command to perform an install of an app package from a hosted location (this can be a local drive, a UNC, or https data source). -

      Supported operation is Execute, Add, Delete, and Get. +Supported operation is Execute, Add, Delete, and Get. **AppInstallation/*PackageFamilyName*/LastError** -

      Required. Last error relating to the app installation. +Required. Last error relating to the app installation. -

      Supported operation is Get. +Supported operation is Get. > [!Note] > This element is not present after the app is installed. @@ -399,50 +485,50 @@ Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (M   **AppInstallation/*PackageFamilyName*/LastErrorDescription** -

      Required. Description of last error relating to the app installation. +Required. Description of last error relating to the app installation. -

      Supported operation is Get. +Supported operation is Get. > [!Note] > This element is not present after the app is installed.   **AppInstallation/*PackageFamilyName*/Status** -

      Required. Status of app installation. The following values are returned: +Required. Status of app installation. The following values are returned: - NOT\_INSTALLED (0) - The node was added, but the execution has not completed. - INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of success, this value is updated. - FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. - INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up action has not completed, this state may briefly appear. -

      Supported operation is Get. +Supported operation is Get. > [!Note] > This element is not present after the app is installed.   **AppInstallation/*PackageFamilyName*/ProgessStatus** -

      Required. An integer the indicates the progress of the app installation. For https locations, this indicates the download progress. ProgressStatus is not available for provisioning and it is only for user-based installations. In provisioning, the value is always 0 (zero). +Required. An integer the indicates the progress of the app installation. For https locations, this indicates the download progress. ProgressStatus is not available for provisioning and it is only for user-based installations. In provisioning, the value is always 0 (zero). -

      Supported operation is Get. +Supported operation is Get. > [!Note] > This element is not present after the app is installed.   **AppLicenses** -

      Required node. Used to manage licenses for app scenarios. +Required node. Used to manage licenses for app scenarios. **AppLicenses/StoreLicenses** -

      Required node. Used to manage licenses for store apps. +Required node. Used to manage licenses for store apps. **AppLicenses/StoreLicenses/****_LicenseID_** -

      Optional node. License ID for a store installed app. The license ID is generally the PFN of the app. +Optional node. License ID for a store installed app. The license ID is generally the PFN of the app. -

      Supported operations are Add, Get, and Delete. +Supported operations are Add, Get, and Delete. **AppLicenses/StoreLicenses/*LicenseID*/LicenseCategory** -

      Added in Windows 10, version 1511. Required. Category of license that is used to classify various license sources. Valid value: +Added in Windows 10, version 1511. Required. Category of license that is used to classify various license sources. Valid value: - Unknown - unknown license category - Retail - license sold through retail channels, typically from the Microsoft Store @@ -450,39 +536,39 @@ Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (M - OEM - license issued to an OEM - Developer - developer license, typically installed during the app development or side-loading scernarios. -

      Supported operation is Get. +Supported operation is Get. **AppLicenses/StoreLicenses/*LicenseID*/LicenseUsage** -

      Added in Windows 10, version 1511. Required. Indicates the allowed usage for the license. Valid values: +Added in Windows 10, version 1511. Required. Indicates the allowed usage for the license. Valid values: - Unknown - usage is unknown - Online - the license is only valid for online usage. This is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time. - Offline - license is valid for use offline. You don't need a connection to the internet to use this license. - Enterprise Root - -

      Supported operation is Get. +Supported operation is Get. **AppLicenses/StoreLicenses/*LicenseID*/RequesterID** -

      Added in Windows 10, version 1511. Required. Identifier for the entity that requested the license, such as the client who acquired the license. For example, all licenses issued by the Store for Business for a particular enterprise client has the same RequesterID. +Added in Windows 10, version 1511. Required. Identifier for the entity that requested the license, such as the client who acquired the license. For example, all licenses issued by the Store for Business for a particular enterprise client has the same RequesterID. -

      Supported operation is Get. +Supported operation is Get. **AppLicenses/StoreLicenses/*LicenseID*/AddLicense** -

      Required. Command to add license. +Required. Command to add license. -

      Supported operation is Execute. +Supported operation is Execute. **AppLicenses/StoreLicenses/*LicenseID*/GetLicenseFromStore** -

      Added in Windows 10, version 1511. Required. Command to get license from the store. +Added in Windows 10, version 1511. Required. Command to get license from the store. -

      Supported operation is Execute. +Supported operation is Execute. ## Examples -

      For examples of how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md). +For examples of how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md). -

      Query the device for a specific app subcategory, such as nonStore apps. +Query the device for a specific app subcategory, such as nonStore apps. ``` syntax @@ -495,9 +581,9 @@ Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (M ``` -

      The result contains a list of apps, such as <Data>App1/App2/App3</Data>. +The result contains a list of apps, such as <Data>App1/App2/App3</Data>. -

      Subsequent query for a specific app for its properties. +Subsequent query for a specific app for its properties. ``` syntax diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md index 7c3c1c855b..fe58f406bd 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md @@ -6,13 +6,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/01/2018 +author: MariciaAlforque +ms.date: 07/23/2018 --- # EnterpriseModernAppManagement DDF - > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -20,7 +19,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Enterpr Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is for Windows 10, version 1803. +The XML below is for Windows 10, next major version. ``` syntax @@ -29,41 +28,85 @@ The XML below is for Windows 10, version 1803. []> 1.2 + + EnterpriseModernAppManagement + ./Vendor/MSFT + + + + + + + + + + + + + + + + + + + AppManagement + + + + + + + + + + + + + + + + + - EnterpriseModernAppManagement - ./Vendor/MSFT + + + - + - + + EnterpriseID - AppManagement + + + - + - + + PackageFamilyName 
@@ -79,632 +122,19 @@ The XML below is for Windows 10, version 1803. - - - - - - - EnterpriseID - - - - - - - - - - - - - - - - - - - - - - PackageFamilyName - - - - - - - - - - - - - - - - - - - - - - PackageFullName - - - - - - Name - - - - - - - - - - - - - - - text/plain - - - - - Version - - - - - - - - - - - - - - - text/plain - - - - - Publisher - - - - - - - - - - - - - - - text/plain - - - - - Architecture - - - - - - - - - - - - - - - text/plain - - - - - InstallLocation - - - - - - - - - - - - - - - text/plain - - - - - IsFramework - - - - - - - - - - - - - - - text/plain - - - - - IsBundle - - - - - - - - - - - - - - - text/plain - - - - - InstallDate - - - - - - - - - - - - - - - text/plain - - - - - ResourceID - - - - - - - - - - - - - - - text/plain - - - - - PackageStatus - - - - - - - - - - - - - - - text/plain - - - - - RequiresReinstall - - - - - - - - - - - - - - - text/plain - - - - - Users - - - - - - - - - - - - - - - text/plain - - - - - IsProvisioned - - - - - - - - - - - - - - - text/plain - - - - - - DoNotUpdate - - - - - - - - - - - - - - - - - DoNotUpdate - - text/plain - - - - - AppSettingPolicy - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SettingValue - - text/plain - - - - - - MaintainProcessorArchitectureOnUpdate - - - - - - - - - - - - - - - - - MaintainProcessorArchitectureOnUpdate - - text/plain - - - - - - - UpdateScan - - - - - - - - - - - - - - - text/plain - - - - - LastScanError - - - - - - - - - - - - - - - text/plain - - - - - AppInventoryResults - - - - - - - - - - - - - - - text/plain - - - - - AppInventoryQuery - - - - - - - - - - - - - - - - text/plain - - - - - RemovePackage - - - - - - - - - - - - - - - - text/plain - - - - - - AppInstallation - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - PackageFamilyName + PackageFullName - StoreInstall - - - - - - - - - - - - - - - - - - text/plain - - - - - HostedInstall - - - - - - - - - - - - - - - - - - text/plain - - - - - 
LastError - - - - - - - - - - - - - - - text/plain - - - - - LastErrorDesc + Name @@ -724,7 +154,87 @@ The XML below is for Windows 10, version 1803. - Status + Version + + + + + + + + + + + + + + + text/plain + + + + + Publisher + + + + + + + + + + + + + + + text/plain + + + + + Architecture + + + + + + + + + + + + + + + text/plain + + + + + InstallLocation + + + + + + + + + + + + + + + text/plain + + + + + IsFramework @@ -744,7 +254,127 @@ The XML below is for Windows 10, version 1803. - ProgressStatus + IsBundle + + + + + + + + + + + + + + + text/plain + + + + + InstallDate + + + + + + + + + + + + + + + text/plain + + + + + ResourceID + + + + + + + + + + + + + + + text/plain + + + + + PackageStatus + + + + + + + + + + + + + + + text/plain + + + + + RequiresReinstall + + + + + + + + + + + + + + + text/plain + + + + + Users + + + + + + + + + + + + + + + text/plain + + + + + IsProvisioned @@ -764,31 +394,38 @@ The XML below is for Windows 10, version 1803. - - - AppLicenses - - - - - - - - - - - - - - - - - - StoreLicenses + DoNotUpdate + + + + + + + + + + + + + + DoNotUpdate + + text/plain + + + + + AppSettingPolicy + + + + + + @@ -797,7 +434,7 @@ The XML below is for Windows 10, version 1803. - + @@ -810,9 +447,10 @@ The XML below is for Windows 10, version 1803. + - + @@ -820,13 +458,171 @@ The XML below is for Windows 10, version 1803. - LicenseID + SettingValue + + text/plain + + + + + + MaintainProcessorArchitectureOnUpdate + + + + + + + + + + + + + + + + + MaintainProcessorArchitectureOnUpdate + + text/plain + + + + + NonRemovable + + + + + + + + + + + + + + + + NonRemovable + + text/plain + + + + + + ReleaseManagement + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ReleaseManagementKey + + + + + + ChannelId + + + + + + + + + + + + + + + + + + text/plain + + + + + ReleaseId + + + + + + + + + + + + + + + + + + text/plain + + + + + EffectiveRelease + + + + + + + + + + + + + - LicenseCategory + ChannelId 
@@ -835,7 +631,7 @@ The XML below is for Windows 10, version 1803. - + @@ -846,7 +642,7 @@ The XML below is for Windows 10, version 1803. - LicenseUsage + ReleaseId @@ -855,67 +651,7 @@ The XML below is for Windows 10, version 1803. - - - - - - - text/plain - - - - - RequesterID - - - - - - - - - - - - - - - text/plain - - - - - AddLicense - - - - - - - - - - - - - - - text/plain - - - - - GetLicenseFromStore - - - - - - - - - + 
@@ -929,19 +665,442 @@ The XML below is for Windows 10, version 1803. + + UpdateScan + + + + + + + + + + + + + + + text/plain + + + + + LastScanError + + + + + + + + + + + + + + + text/plain + + + + + AppInventoryResults + + + + + + + + + + + + + + + text/plain + + + + + AppInventoryQuery + + + + + + + + + + + + + + + + text/plain + + + + + RemovePackage + + + + + + + + + + + + + + + + text/plain + + + + + + AppInstallation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + PackageFamilyName + + + + + + StoreInstall + + + + + + + + + + + + + + + + + + text/plain + + + + + HostedInstall + + + + + + + + + + + + + + + + + + text/plain + + + + + LastError + + + + + + + + + + + + + + + text/plain + + + + + LastErrorDesc + + + + + + + + + + + + + + + text/plain + + + + + Status + + + + + + + + + + + + + + + text/plain + + + + + ProgressStatus + + + + + + + + + + + + + + + text/plain + + + + + + + AppLicenses + + + + + + + + + + + + + + + + + + + StoreLicenses + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + LicenseID + + + + + + LicenseCategory + + + + + + + + + + + + + + + text/plain + + + + + LicenseUsage + + + + + + + + + + + + + + + text/plain + + + + + RequesterID + + + + + + + + + + + + + + + text/plain + + + + + AddLicense + + + + + + + + + + + + + + + text/plain + + + + + GetLicenseFromStore + + + + + + + + + + + + + + + text/plain + + + + + + + -``` - -## Related topics - -[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) - -  - -  - - - - - - +``` \ No newline at end of file diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md index b962018dfd..3c81c009ea 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md 
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md
index eb5f1186ce..8e493b7fa5 100644
--- a/windows/client-management/mdm/euiccs-csp.md
+++ b/windows/client-management/mdm/euiccs-csp.md
@@ -5,7 +5,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 03/02/2018
 ---
diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md
index 06be1ba347..6649a7a42d 100644
--- a/windows/client-management/mdm/euiccs-ddf-file.md
+++ b/windows/client-management/mdm/euiccs-ddf-file.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 03/02/2018
 ---
diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md
index 891a590e8b..22ee108fb4 100644
--- a/windows/client-management/mdm/federated-authentication-device-enrollment.md
+++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 07/28/2017
 ---
diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md
index cf58cd9eec..5e2ce038a2 100644
--- a/windows/client-management/mdm/filesystem-csp.md
+++ b/windows/client-management/mdm/filesystem-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 1330e71e5a..2a75d65c24 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 01/26/2018 --- @@ -14,7 +14,7 @@ ms.date: 01/26/2018 The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709. -Firewall configuration commands must be wrapped in an Atomic block in SyncML. +Firewall rules in the FirewallRules section must be wrapped in an Atomic block in SyncML, either individually or collectively. For detailed information on some of the fields below see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](https://msdn.microsoft.com/en-us/library/mt620101.aspx). @@ -150,7 +150,7 @@ The following diagram shows the Firewall configuration service provider in tree

      Value type is bool. Supported operations are Add, Get and Replace.

      **/DefaultOutboundAction** -

      This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

      +

      This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it is explicitly specified not to block.

      • 0x00000000 - allow
      • 0x00000001 - block
      • @@ -158,6 +158,30 @@ The following diagram shows the Firewall configuration service provider in tree

        Default value is 0 (allow).

        Value type is integer. Supported operations are Add, Get and Replace.

        +Sample syncxml to provision the firewall settings to evaluate + +``` syntax + + + + + + 2010 + + + ./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DefaultOutboundAction + + + int + + 1 + + + + + + +``` **/DefaultInboundAction**

        This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.

          @@ -260,7 +284,7 @@ The following diagram shows the Firewall configuration service provider in tree **FirewallRules/_FirewallRuleName_/Enabled**

          Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. -

          If not specified - a new rule is disabled by default.

          +

          If not specified - a new rule is enabled by default.

          Boolean value. Supported operations are Get and Replace.

          **FirewallRules/_FirewallRuleName_/Profiles** @@ -286,7 +310,7 @@ The following diagram shows the Firewall configuration service provider in tree
          • IN - the rule applies to inbound traffic.
          • OUT - the rule applies to outbound traffic.
          • -
          • If not specified, the default is IN.
          • +
          • If not specified, the default is Out.

          Value type is string. Supported operations are Get and Replace.

          @@ -307,7 +331,7 @@ The following diagram shows the Firewall configuration service provider in tree

          New rules have the EdgeTraversal property disabled by default.

          Value type is bool. Supported operations are Add, Get, Replace, and Delete.

          -**FirewallRules/_FirewallRuleName_/LocalUserAuthorizedList** +**FirewallRules/_FirewallRuleName_/LocalUserAuthorizationList**

          Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.

          Value type is string. Supported operations are Add, Get, Replace, and Delete.

          diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md index 6dbc4367bb..f9a9e98d71 100644 --- a/windows/client-management/mdm/firewall-ddf-file.md +++ b/windows/client-management/mdm/firewall-ddf-file.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/get-inventory.md b/windows/client-management/mdm/get-inventory.md index 996288488b..b40c8c4274 100644 --- a/windows/client-management/mdm/get-inventory.md +++ b/windows/client-management/mdm/get-inventory.md @@ -9,7 +9,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-localized-product-details.md b/windows/client-management/mdm/get-localized-product-details.md index 9c23d4096b..990c816be4 100644 --- a/windows/client-management/mdm/get-localized-product-details.md +++ b/windows/client-management/mdm/get-localized-product-details.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-offline-license.md b/windows/client-management/mdm/get-offline-license.md index 44417ff92c..65ae6a7b6a 100644 --- a/windows/client-management/mdm/get-offline-license.md +++ b/windows/client-management/mdm/get-offline-license.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-product-details.md b/windows/client-management/mdm/get-product-details.md index c1d6da5658..30ec8b7d37 100644 --- a/windows/client-management/mdm/get-product-details.md 
+++ b/windows/client-management/mdm/get-product-details.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-product-package.md b/windows/client-management/mdm/get-product-package.md index f851fbc6e7..15dd879715 100644 --- a/windows/client-management/mdm/get-product-package.md +++ b/windows/client-management/mdm/get-product-package.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-product-packages.md b/windows/client-management/mdm/get-product-packages.md index 115cc191c9..cda326c9e5 100644 --- a/windows/client-management/mdm/get-product-packages.md +++ b/windows/client-management/mdm/get-product-packages.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-seat.md b/windows/client-management/mdm/get-seat.md index 0ac45f69ca..ae6f05d26d 100644 --- a/windows/client-management/mdm/get-seat.md +++ b/windows/client-management/mdm/get-seat.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/get-seats-assigned-to-a-user.md b/windows/client-management/mdm/get-seats-assigned-to-a-user.md index 4c1e6bb379..1209d5aa2a 100644 --- a/windows/client-management/mdm/get-seats-assigned-to-a-user.md +++ b/windows/client-management/mdm/get-seats-assigned-to-a-user.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 09/18/2017 --- 
diff --git a/windows/client-management/mdm/get-seats.md b/windows/client-management/mdm/get-seats.md index 029fc4f030..f65e6988e2 100644 --- a/windows/client-management/mdm/get-seats.md +++ b/windows/client-management/mdm/get-seats.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 09/18/2017 --- diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index dcb5b491fd..a08bdd89b6 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- @@ -138,11 +138,11 @@ The following is a list of functions performed by the Device HealthAttestation C Device Health Attestation – On Premise

          (DHA-OnPrem)

          -

          DHA-OnPrem refers to DHA-Service that is running on premise:

          +

          DHA-OnPrem refers to DHA-Service that is running on premises:

          • Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service)
          • Hosted on an enterprise owned and managed server device/hardware
          • -
          • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on premise and hybrid (Cloud + OnPrem) hardware attestation scenarios
          • +
          • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
          • Accessible to all enterprise managed devices via following:

            • FQDN = (enterprise assigned)
            • @@ -151,14 +151,14 @@ The following is a list of functions performed by the Device HealthAttestation C
          -The operation cost of running one or more instances of Server 2016 on premise. +The operation cost of running one or more instances of Server 2016 on-premises. Device Health Attestation - Enterprise Managed Cloud

          (DHA-EMC)

          DHA-EMC refers to an enterprise managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise managed cloud service, such as Microsoft Azure.

          • Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)
          • -
          • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on premise and hybrid (Cloud + OnPrem) hardware attestation scenarios
          • +
          • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
          • Accessible to all enterprise managed devices via following:

            • FQDN = (enterprise assigned)
            • @@ -304,7 +304,7 @@ SSL-Session: There are three types of DHA-Service: - Device Health Attestation – Cloud (owned and operated by Microsoft) -- Device Health Attestation – On Premise (owned and operated by an enterprise, runs on Windows Server 2016 on premise) +- Device Health Attestation – On Premise (owned and operated by an enterprise, runs on Windows Server 2016 on premises) - Device Health Attestation - Enterprise Managed Cloud (owned and operated by an enterprise, runs on Windows Server 2016 compatible enterprise managed cloud) DHA-Cloud is the default setting. No further action is required if an enterprise is planning to use Microsoft DHA-Cloud as the trusted DHA-Service provider. diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md index 5268078e48..8296982379 100644 --- a/windows/client-management/mdm/healthattestation-ddf.md +++ b/windows/client-management/mdm/healthattestation-ddf.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md index 20ac4822c5..87aa4a054e 100644 --- a/windows/client-management/mdm/hotspot-csp.md +++ b/windows/client-management/mdm/hotspot-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/iconfigserviceprovider2.md b/windows/client-management/mdm/iconfigserviceprovider2.md index 6ddf6d6d93..fbdb51d309 100644 --- a/windows/client-management/mdm/iconfigserviceprovider2.md +++ b/windows/client-management/mdm/iconfigserviceprovider2.md 
@@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md b/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md index 74f076cc41..1ae5155478 100644 --- a/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md +++ b/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/iconfigserviceprovider2getnode.md b/windows/client-management/mdm/iconfigserviceprovider2getnode.md index 4fd62bc432..df315b2ba4 100644 --- a/windows/client-management/mdm/iconfigserviceprovider2getnode.md +++ b/windows/client-management/mdm/iconfigserviceprovider2getnode.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/icspnode.md b/windows/client-management/mdm/icspnode.md index 23e39b227c..dedf93e0b1 100644 --- a/windows/client-management/mdm/icspnode.md +++ b/windows/client-management/mdm/icspnode.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/icspnodeadd.md b/windows/client-management/mdm/icspnodeadd.md index 81fb9d967d..504d0751e1 100644 --- a/windows/client-management/mdm/icspnodeadd.md +++ b/windows/client-management/mdm/icspnodeadd.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- 
diff --git a/windows/client-management/mdm/icspnodeclear.md b/windows/client-management/mdm/icspnodeclear.md index 355577e43e..2c0e45ea99 100644 --- a/windows/client-management/mdm/icspnodeclear.md +++ b/windows/client-management/mdm/icspnodeclear.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/icspnodecopy.md b/windows/client-management/mdm/icspnodecopy.md index b9822fc38b..1061d2b6b9 100644 --- a/windows/client-management/mdm/icspnodecopy.md +++ b/windows/client-management/mdm/icspnodecopy.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/icspnodedeletechild.md b/windows/client-management/mdm/icspnodedeletechild.md index 92497291bf..147c0f4af3 100644 --- a/windows/client-management/mdm/icspnodedeletechild.md +++ b/windows/client-management/mdm/icspnodedeletechild.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/icspnodedeleteproperty.md b/windows/client-management/mdm/icspnodedeleteproperty.md index 3b2c6743d4..b771500d38 100644 --- a/windows/client-management/mdm/icspnodedeleteproperty.md +++ b/windows/client-management/mdm/icspnodedeleteproperty.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/icspnodeexecute.md b/windows/client-management/mdm/icspnodeexecute.md index b1fba31565..12c428de69 100644 --- a/windows/client-management/mdm/icspnodeexecute.md +++ b/windows/client-management/mdm/icspnodeexecute.md 
@@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/icspnodegetchildnodenames.md b/windows/client-management/mdm/icspnodegetchildnodenames.md index 3ea4793494..72d72c56ac 100644 --- a/windows/client-management/mdm/icspnodegetchildnodenames.md +++ b/windows/client-management/mdm/icspnodegetchildnodenames.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/icspnodegetproperty.md b/windows/client-management/mdm/icspnodegetproperty.md index daaffe8564..0778b71554 100644 --- a/windows/client-management/mdm/icspnodegetproperty.md +++ b/windows/client-management/mdm/icspnodegetproperty.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/icspnodegetpropertyidentifiers.md b/windows/client-management/mdm/icspnodegetpropertyidentifiers.md index 5ede9f4479..d0c557b04f 100644 --- a/windows/client-management/mdm/icspnodegetpropertyidentifiers.md +++ b/windows/client-management/mdm/icspnodegetpropertyidentifiers.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/icspnodegetvalue.md b/windows/client-management/mdm/icspnodegetvalue.md index 6446023340..6207cb507c 100644 --- a/windows/client-management/mdm/icspnodegetvalue.md +++ b/windows/client-management/mdm/icspnodegetvalue.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- 
diff --git a/windows/client-management/mdm/icspnodemove.md b/windows/client-management/mdm/icspnodemove.md index 4f146bc36c..5540b3727d 100644 --- a/windows/client-management/mdm/icspnodemove.md +++ b/windows/client-management/mdm/icspnodemove.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/icspnodesetproperty.md b/windows/client-management/mdm/icspnodesetproperty.md index 2bbf25984e..6f455d56f5 100644 --- a/windows/client-management/mdm/icspnodesetproperty.md +++ b/windows/client-management/mdm/icspnodesetproperty.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/icspnodesetvalue.md b/windows/client-management/mdm/icspnodesetvalue.md index 87308b0f06..eff2b58e9e 100644 --- a/windows/client-management/mdm/icspnodesetvalue.md +++ b/windows/client-management/mdm/icspnodesetvalue.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/icspnodetransactioning.md b/windows/client-management/mdm/icspnodetransactioning.md index abb73632ec..4bb80100aa 100644 --- a/windows/client-management/mdm/icspnodetransactioning.md +++ b/windows/client-management/mdm/icspnodetransactioning.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/icspvalidate.md b/windows/client-management/mdm/icspvalidate.md index d981ff560b..f1c05d21fd 100644 --- a/windows/client-management/mdm/icspvalidate.md +++ b/windows/client-management/mdm/icspvalidate.md 
@@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/images/diagnose-mdm-failures15.png b/windows/client-management/mdm/images/diagnose-mdm-failures15.png new file mode 100644 index 0000000000..b1bd7207f3 Binary files /dev/null and b/windows/client-management/mdm/images/diagnose-mdm-failures15.png differ diff --git a/windows/client-management/mdm/images/diagnose-mdm-failures16.png b/windows/client-management/mdm/images/diagnose-mdm-failures16.png new file mode 100644 index 0000000000..0429b58b91 Binary files /dev/null and b/windows/client-management/mdm/images/diagnose-mdm-failures16.png differ diff --git a/windows/client-management/mdm/images/diagnose-mdm-failures17.png b/windows/client-management/mdm/images/diagnose-mdm-failures17.png new file mode 100644 index 0000000000..4271e4f52d Binary files /dev/null and b/windows/client-management/mdm/images/diagnose-mdm-failures17.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-bitlocker.png b/windows/client-management/mdm/images/provisioning-csp-bitlocker.png index e19bae9106..cc7920f7f5 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-bitlocker.png and b/windows/client-management/mdm/images/provisioning-csp-bitlocker.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-defender.png b/windows/client-management/mdm/images/provisioning-csp-defender.png index 4d90f1b6f2..fa27e9baf2 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-defender.png and b/windows/client-management/mdm/images/provisioning-csp-defender.png differ 
diff --git a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png
index 3145a82ea4..f5cf62ff0f 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png and b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png
index a28f41fe6a..95d2fcf840 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png and b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png b/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png
index f12f2fbd44..af267f4f6d 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png and b/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png b/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png
index 58ee388b92..a066d9261e 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png and b/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-wifi.png b/windows/client-management/mdm/images/provisioning-csp-wifi.png
index 463a784f95..f5891084ea 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-wifi.png and b/windows/client-management/mdm/images/provisioning-csp-wifi.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-win32compatibilityappraiser.png b/windows/client-management/mdm/images/provisioning-csp-win32compatibilityappraiser.png
new file mode 100644
index 0000000000..a15961bbcc
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-win32compatibilityappraiser.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png b/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png
index c8f2721143..0f5e318d8f 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png and b/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-windowslicensing.png b/windows/client-management/mdm/images/provisioning-csp-windowslicensing.png
index 82d66f6742..3345eb730c 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-windowslicensing.png and b/windows/client-management/mdm/images/provisioning-csp-windowslicensing.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-wirednetwork.png b/windows/client-management/mdm/images/provisioning-csp-wirednetwork.png
new file mode 100644
index 0000000000..2fd93631ff
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-wirednetwork.png differ
diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
index 2c178ee251..3fe6fa5ee0 100644
--- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
@@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index 85f15ea285..350fa8e7f2 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md @@ -9,7 +9,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index 17a5ef28d6..933ae47c17 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md @@ -9,7 +9,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 10/27/2017 --- diff --git a/windows/client-management/mdm/maps-csp.md b/windows/client-management/mdm/maps-csp.md index 6c33cbb2b3..85296234bf 100644 --- a/windows/client-management/mdm/maps-csp.md +++ b/windows/client-management/mdm/maps-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/maps-ddf-file.md b/windows/client-management/mdm/maps-ddf-file.md index ac17e5b0f5..b0788414da 100644 --- a/windows/client-management/mdm/maps-ddf-file.md +++ b/windows/client-management/mdm/maps-ddf-file.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 12/05/2017 --- 
diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index 72566a2607..c841ddef41 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -9,7 +9,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 11/15/2017 --- diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md index e9562286e3..a8b9de322a 100644 --- a/windows/client-management/mdm/messaging-csp.md +++ b/windows/client-management/mdm/messaging-csp.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/messaging-ddf.md b/windows/client-management/mdm/messaging-ddf.md index f5d34d958c..67dc397e58 100644 --- a/windows/client-management/mdm/messaging-ddf.md +++ b/windows/client-management/mdm/messaging-ddf.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index 2fe9ccfab5..7b07a5a2d0 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 08/11/2017 --- 
@@ -62,7 +62,7 @@ The following topics describe the end-to-end enrollment process using various au ## Enrollment support for domain-joined devices   -Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in **Settings**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device. +Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in **Settings**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device. ## Disable MDM enrollments diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md index b82b5779fd..1b3e56a680 100644 --- a/windows/client-management/mdm/multisim-csp.md +++ b/windows/client-management/mdm/multisim-csp.md @@ -5,14 +5,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/22/2018 --- # MultiSIM CSP -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The MultiSIM configuration service provider (CSP) is used by the enterprise to manage devices with dual SIM single active configuration. An enterprise can set policies on whether that user can switch between SIM slots, specify which slot is the default, and whether the slot is embedded. This CSP was added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/multisim-ddf.md b/windows/client-management/mdm/multisim-ddf.md index ccdbecbaee..54c76ae742 100644 --- a/windows/client-management/mdm/multisim-ddf.md +++ b/windows/client-management/mdm/multisim-ddf.md 
@@ -5,14 +5,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 02/27/2018 --- # MultiSIM CSP -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **MultiSIM** configuration service provider. diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md index 8543181e2c..ba2ef8f0b2 100644 --- a/windows/client-management/mdm/nap-csp.md +++ b/windows/client-management/mdm/nap-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md index 0e8a673820..f94af70c0f 100644 --- a/windows/client-management/mdm/napdef-csp.md +++ b/windows/client-management/mdm/napdef-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md index 6348228427..fcc6d7386e 100644 --- a/windows/client-management/mdm/networkproxy-csp.md +++ b/windows/client-management/mdm/networkproxy-csp.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 04/12/2018 +author: MariciaAlforque +ms.date: 08/08/2018 --- # NetworkProxy CSP @@ -34,7 +34,10 @@ The following diagram shows the NetworkProxy configuration service provider in t The root node for the NetworkProxy configuration service provider..

              **ProxySettingsPerUser** -Added in Windows 10, version 1803. When set to 0, it enables proxy configuration as global, machine wide; set to 1 for proxy configuratio per user. +Added in Windows 10, version 1803. When set to 0, it enables proxy configuration as global, machine wide. + +> [!Note] +> Per user proxy configuration setting is not supported. **AutoDetect** Automatically detect settings. If enabled, the system tries to find the path to a PAC script.

              diff --git a/windows/client-management/mdm/networkproxy-ddf.md b/windows/client-management/mdm/networkproxy-ddf.md index 096ec6d25a..b8fbd90dbc 100644 --- a/windows/client-management/mdm/networkproxy-ddf.md +++ b/windows/client-management/mdm/networkproxy-ddf.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index c231223bc4..4ccc4536e2 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md index fa7dc5e2fc..12c6572869 100644 --- a/windows/client-management/mdm/networkqospolicy-ddf.md +++ b/windows/client-management/mdm/networkqospolicy-ddf.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 2eb1f56941..178b014d5f 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md 
@@ -9,17 +9,13 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 04/26/2018 +author: MariciaAlforque +ms.date: 07/27/2018 --- # What's new in MDM enrollment and management -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - - This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](http://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). @@ -31,6 +27,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [What's new in Windows 10, version 1703](#whatsnew10) - [What's new in Windows 10, version 1709](#whatsnew1709) - [What's new in Windows 10, version 1803](#whatsnew1803) +- [What's new in Windows 10, next major version](#whatsnewnext) - [Change history in MDM documentation](#change-history-in-mdm-documentation) - [Breaking changes and known issues](#breaking-changes-and-known-issues) - [Get command inside an atomic command is not supported](#getcommand) @@ -938,7 +935,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
            • ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
            • DomainName - fully qualified domain name if the device is domain-joined.
            -

            For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.

            +

            For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.

            [Firewall CSP](firewall-csp.md) @@ -1143,9 +1140,6 @@ For details about Microsoft mobile device management protocols for Windows 10 s [Policy CSP](policy-configuration-service-provider.md)

            Added the following new policies for Windows 10, version 1803:

              -
            • AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration
            • -
            • AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold
            • -
            • AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter
            • ApplicationDefaults/EnableAppUriHandlers
            • ApplicationManagement/MSIAllowUserControlOverInstall
            • ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
            • @@ -1189,7 +1183,6 @@ For details about Microsoft mobile device management protocols for Windows 10 s
            • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
            • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
            • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
            • -
            • LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers
            • LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
            • LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
            • LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
            • @@ -1202,7 +1195,8 @@ For details about Microsoft mobile device management protocols for Windows 10 s
            • LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
            • LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
            • LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
            • -
            • LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
            • +
            • LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
            • +
            • Notifications/DisallowCloudNotification
            • RestrictedGroups/ConfigureGroupMembership
            • Search/AllowCortanaInAAD
            • Search/DoNotUseWebResults
            • @@ -1215,7 +1209,6 @@ For details about Microsoft mobile device management protocols for Windows 10 s
            • SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode
            • SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode
            • TaskScheduler/EnableXboxGameSaveTask
            • -
            • TextInput/AllowHardwareKeyboardTextSuggestions
            • TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode
            • TextInput/ForceTouchKeyboardDockedState
            • TextInput/TouchKeyboardDictationButtonAvailability
            • @@ -1268,10 +1261,6 @@ For details about Microsoft mobile device management protocols for Windows 10 s

              Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.

              -[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) -

              Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, version 1803.

              - - [DMClient CSP](dmclient-csp.md)

              Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:

                @@ -1359,12 +1348,131 @@ For details about Microsoft mobile device management protocols for Windows 10 s

                Added a new CSP in Windows 10, version 1803.

                +[MDM Migration Analysis Too (MMAT)](http://aka.ms/mmat) +

                Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.

                + + [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)

                Added the DDF download of Windows 10, version 1803 configuration service providers.

                +## What's new in Windows 10, next major version + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                New or updated topicDescription
                [Policy CSP](policy-configuration-service-provider.md)

                Added the following new policies in Windows 10, next major version:

                +
                  +
                • ApplicationManagement/LaunchAppAfterLogOn
                • +
                • ApplicationManagement/ScheduleForceRestartForUpdateFailures
                • +
                • Authentication/EnableFastFirstSignIn
                • +
                • Authentication/EnableWebSignIn
                • +
                • Authentication/PreferredAadTenantDomainName
                • +
                • Browser/AllowFullScreenMode
                • +
                • Browser/AllowPrelaunch
                • +
                • Browser/AllowPrinting
                • +
                • Browser/AllowSavingHistory
                • +
                • Browser/AllowSideloadingOfExtensions
                • +
                • Browser/AllowTabPreloading
                • +
                • Browser/AllowWebContentOnNewTabPage
                • +
                • Browser/ConfigureFavoritesBar
                • +
                • Browser/ConfigureHomeButton
                • +
                • Browser/ConfigureKioskMode
                • +
                • Browser/ConfigureKioskResetAfterIdleTimeout
                • +
                • Browser/ConfigureOpenMicrosoftEdgeWith
                • +
                • Browser/ConfigureTelemetryForMicrosoft365Analytics
                • +
                • Browser/ForceEnabledExtensions
                • +
                • Browser/PreventCertErrorOverrides
                • +
                • Browser/SetHomeButtonURL
                • +
                • Browser/SetNewTabPageURL
                • +
                • Browser/UnlockHomeButton
                • +
                • Defender/CheckForSignaturesBeforeRunningScan
                • +
                • Defender/DisableCatchupFullScan
                • +
                • Defender/DisableCatchupQuickScan
                • +
                • Defender/EnableLowCPUPriority
                • +
                • Defender/SignatureUpdateFallbackOrder
                • +
                • Defender/SignatureUpdateFileSharesSources
                • +
                • DeviceGuard/EnableSystemGuard
                • +
                • DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
                • +
                • DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
                • +
                • DeviceInstallation/PreventDeviceMetadataFromNetwork
                • +
                • DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
                • +
                • DmaGuard/DeviceEnumerationPolicy
                • +
                • Experience/AllowClipboardHistory
                • +
                • Experience/DoNotSyncBrowserSetting
                • +
                • Experience/PreventUsersFromTurningOnBrowserSyncing
                • +
                • Privacy/AllowCrossDeviceClipboard
                • +
                • Privacy/UploadUserActivities
                • +
                • Security/RecoveryEnvironmentAuthentication
                • +
                • TaskManager/AllowEndTask
                • +
                • Update/EngagedRestartDeadlineForFeatureUpdates
                • +
                • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
                • +
                • Update/EngagedRestartTransitionScheduleForFeatureUpdates
                • +
                • Update/SetDisablePauseUXAccess
                • +
                • Update/SetDisableUXWUAccess
                • +
                • WindowsDefenderSecurityCenter/DisableClearTpmButton
                • +
                • WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
                • +
                • WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
                • +
                • WindowsLogon/DontDisplayNetworkSelectionUI
                • +
                +
                [PassportForWork CSP](passportforwork-csp.md)

                Added new settings in Windows 10, next major version.

                +
                [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)

                Added NonRemovable setting under AppManagement node in Windows 10, next major version.

                +
                [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md)

                Added new configuration service provider in Windows 10, next major version.

                +
                [WindowsLicensing CSP](windowslicensing-csp.md)

                Added S mode settings and SyncML examples in Windows 10, next major version.

                +
                [SUPL CSP](supl-csp.md)

                Added 3 new certificate nodes in Windows 10, next major version.

                +
                [Defender CSP](defender-csp.md)

                Added a new node Health/ProductStatus in Windows 10, next major version.

                +
                [BitLocker CSP](bitlocker-csp.md)

                Added a new node AllowStandardUserEncryption in Windows 10, next major version.

                +
                [DevDetail CSP](devdetail-csp.md)

                Added a new node SMBIOSSerialNumber in Windows 10, next major version.

                +
                [Wifi CSP](wifi-csp.md)

                Added a new node WifiCost in Windows 10, next major version.

                +
                [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)

                Added new settings in Windows 10, next major version.

                +
                + + ## Breaking changes and known issues ### Get command inside an atomic command is not supported @@ -1604,7 +1712,8 @@ Alternatively you can use the following procedure to create an EAP Configuration 7. Close the rasphone dialog box. 8. Continue following the procedure in the [EAP configuration](eap-configuration.md) topic from Step 9 to get an EAP TLS profile with appropriate filtering. -> **Note**  You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx) topic. +>[!NOTE] +>You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx) topic. ### Remote PIN reset not supported in Azure Active Directory joined mobile devices 
@@ -1621,7 +1730,7 @@ In Azure AD joined Windows 10 PC, provisioning /.User resources fails when the ### Requirements to note for VPN certificates also used for Kerberos Authentication -If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premise resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that do not meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication. This issue primarily impacts Windows Phone. +If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that do not meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication. This issue primarily impacts Windows Phone. ### Device management agent for the push-button reset is not working @@ -1630,6 +1739,235 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### August 2018 + + ++++ + + + + + + + + + + + + + + + + + +
                New or updated topicDescription
                [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)

                Added new settings in Windows 10, next major version.

                +
                [Policy DDF file](policy-ddf-file.md)

                Posted an updated version of the Policy DDF for Windows 10, next major version.

                +
                [Policy CSP](policy-configuration-service-provider.md)

                Added the following new policies in Windows 10, next major version:

                +
                  +
                • Browser/AllowFullScreenMode
                • +
                • Browser/AllowPrelaunch
                • +
                • Browser/AllowPrinting
                • +
                • Browser/AllowSavingHistory
                • +
                • Browser/AllowSideloadingOfExtensions
                • +
                • Browser/AllowTabPreloading
                • +
                • Browser/AllowWebContentOnNewTabPage
                • +
                • Browser/ConfigureFavoritesBar
                • +
                • Browser/ConfigureHomeButton
                • +
                • Browser/ConfigureKioskMode
                • +
                • Browser/ConfigureKioskResetAfterIdleTimeout
                • +
                • Browser/ConfigureOpenMicrosoftEdgeWith
                • +
                • Browser/ConfigureTelemetryForMicrosoft365Analytics
                • +
                • Browser/ForceEnabledExtensions
                • +
                • Browser/PreventCertErrorOverrides
                • +
                • Browser/SetHomeButtonURL
                • +
                • Browser/SetNewTabPageURL
                • +
                • Browser/UnlockHomeButton
                • +
                • Experience/DoNotSyncBrowserSetting
                • +
                • Experience/PreventUsersFromTurningOnBrowserSyncing
                • +
                • Privacy/AllowCrossDeviceClipboard
                • +
                • Privacy/UploadUserActivities
                • +
                • Update/UpdateNotificationLevel
                • +
                +
                + +### July 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                New or updated topicDescription
                [AssignedAccess CSP](assignedaccess-csp.md)

                Added the following note:

                +
                  +
                • You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
                • +
                +
                [PassportForWork CSP](passportforwork-csp.md)

                Added new settings in Windows 10, next major version.

                +
                [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)

                Added NonRemovable setting under AppManagement node in Windows 10, next major version.

                +
                [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md)

                Added new configuration service provider in Windows 10, next major version.

                +
                [WindowsLicensing CSP](windowslicensing-csp.md)

                Added S mode settings and SyncML examples in Windows 10, next major version.

                +
                [SUPL CSP](supl-csp.md)

                Added 3 new certificate nodes in Windows 10, next major version.

                +
                [Defender CSP](defender-csp.md)

                Added a new node Health/ProductStatus in Windows 10, next major version.

                +
                [BitLocker CSP](bitlocker-csp.md)

                Added a new node AllowStandardUserEncryption in Windows 10, next major version.

                +
                [DevDetail CSP](devdetail-csp.md)

                Added a new node SMBIOSSerialNumber in Windows 10, next major version.

                +
                [Policy CSP](policy-configuration-service-provider.md)

                Added the following new policies in Windows 10, next major version:

                +
                  +
                • ApplicationManagement/LaunchAppAfterLogOn
                • +
                • ApplicationManagement/ScheduleForceRestartForUpdateFailures
                • +
                • Authentication/EnableFastFirstSignIn
                • +
                • Authentication/EnableWebSignIn
                • +
                • Authentication/PreferredAadTenantDomainName
                • +
                • Defender/CheckForSignaturesBeforeRunningScan
                • +
                • Defender/DisableCatchupFullScan
                • +
                • Defender/DisableCatchupQuickScan
                • +
                • Defender/EnableLowCPUPriority
                • +
                • Defender/SignatureUpdateFallbackOrder
                • +
                • Defender/SignatureUpdateFileSharesSources
                • +
                • DeviceGuard/EnableSystemGuard
                • +
                • DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
                • +
                • DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
                • +
                • DeviceInstallation/PreventDeviceMetadataFromNetwork
                • +
                • DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
                • +
                • DmaGuard/DeviceEnumerationPolicy
                • +
                • Experience/AllowClipboardHistory
                • +
                • Security/RecoveryEnvironmentAuthentication
                • +
                • TaskManager/AllowEndTask
                • +
                • WindowsDefenderSecurityCenter/DisableClearTpmButton
                • +
                • WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
                • +
                • WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
                • +
                • WindowsLogon/DontDisplayNetworkSelectionUI
                • +
                +

                Recent changes:

                +
                  +
                • DataUsage/SetCost3G - deprecated in Windows 10, next major version.
                • +
                +
                + +### June 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + +
                New or updated topicDescription
                [Wifi CSP](wifi-csp.md)

                Added a new node WifiCost in Windows 10, next major version.

                +
                [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)

                Recent changes:

                +
                  +
                • Added procedure for collecting logs remotely from Windows 10 Holographic.
                • +
                • Added procedure for downloading the MDM Diagnostic Information log.
                • +
                +
                [Bitlocker CSP](bitlocker-csp.md)

                Added new node AllowStandardUserEncryption in Windows 10, next major version.

                +
                [Policy CSP](policy-configuration-service-provider.md)

                Recent changes:

                +
                  +
                • AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration - removed from docs. Not supported.
                • +
                • AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold - removed from docs. Not supported.
                • +
                • AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter - removed from docs. Not supported.
                • +
                • LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers - removed from docs. Not supported.
                • +
                • System/AllowFontProviders is not supported in Windows Holographic for Business.
                • +
                • Security/RequireDeviceEncryption is suported in the Home SKU.
                • +
                • Start/StartLayout - added a table of SKU support information.
                • +
                • Start/ImportEdgeAssets - added a table of SKU support information.
                • +
                +

                Added the following new policies in Windows 10, next major version:

                +
                  +
                • Update/EngagedRestartDeadlineForFeatureUpdates
                • +
                • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
                • +
                • Update/EngagedRestartTransitionScheduleForFeatureUpdates
                • +
                • Update/SetDisablePauseUXAccess
                • +
                • Update/SetDisableUXWUAccess
                • +
                +
                [WiredNetwork CSP](wirednetwork-csp.md)New CSP added in Windows 10, next major version. +
                + + +### May 2018 + + ++++ + + + + + + + + + + + +
                New or updated topicDescription
                [Policy DDF file](policy-ddf-file.md)

                Updated the DDF files in the Windows 10 version 1703 and 1709.

                +
                  +
                • [Download the Policy DDF file for Windows 10, version 1709](http://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
                • +
                • [Download the Policy DDF file for Windows 10, version 1703](http://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)
                • +
                +
                + ### April 2018 @@ -1664,6 +2002,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware + + + @@ -1792,7 +2134,6 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
              • Display/EnablePerProcessDpi
              • Display/EnablePerProcessDpiForApps
              • Experience/AllowWindowsSpotlightOnSettings
              • -
              • TextInput/AllowHardwareKeyboardTextSuggestions
              • TextInput/ForceTouchKeyboardDockedState
              • TextInput/TouchKeyboardDictationButtonAvailability
              • TextInput/TouchKeyboardEmojiButtonAvailability
              • @@ -1849,13 +2190,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware @@ -2180,7 +2517,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware @@ -2276,7 +2613,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
              • Update/DisableDualScan
              • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
              • -

                Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.

                +

                Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.

                Changed the names of the following policies:

                • Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications
            •
diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md
index d4883064aa..7c55d4f21c 100644
--- a/windows/client-management/mdm/nodecache-csp.md
+++ b/windows/client-management/mdm/nodecache-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
 
diff --git a/windows/client-management/mdm/nodecache-ddf-file.md b/windows/client-management/mdm/nodecache-ddf-file.md
index 2a7b87e71c..3fd58485ce 100644
--- a/windows/client-management/mdm/nodecache-ddf-file.md
+++ b/windows/client-management/mdm/nodecache-ddf-file.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
 
diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md
index 5386096239..1a415c4fc3 100644
--- a/windows/client-management/mdm/office-csp.md
+++ b/windows/client-management/mdm/office-csp.md
@@ -5,7 +5,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 04/25/2018
 ---
 
diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md
index caf080ce06..99b5afb5b6 100644
--- a/windows/client-management/mdm/office-ddf.md
+++ b/windows/client-management/mdm/office-ddf.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
 
diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md
index 2d1ff691c4..acfda5630f 100644
--- a/windows/client-management/mdm/oma-dm-protocol-support.md
+++ b/windows/client-management/mdm/oma-dm-protocol-support.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md
index 682cf89c7d..4649e684c3 100644
--- a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md
+++ b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index ab3145df41..3dd02f716d 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -6,12 +6,15 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
-ms.date: 06/26/2017
+author: MariciaAlforque
+ms.date: 07/26/2018
 ---
 # PassportForWork CSP
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
 The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to login to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards.
 > [!IMPORTANT]
@@ -30,204 +33,243 @@ The following diagram shows the PassportForWork configuration service provider i
 ![passportforwork diagram](images/provisioning-csp-passportforwork2.png)
 **PassportForWork**
-

                  Root node for PassportForWork configuration service provider. +Root node for PassportForWork configuration service provider. ***TenantId*** -

                  A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. +A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. ***TenantId*/Policies** -

                  Node for defining the Windows Hello for Business policy settings. +Node for defining the Windows Hello for Business policy settings. ***TenantId*/Policies/UsePassportForWork** -

                  Boolean value that sets Windows Hello for Business as a method for signing into Windows. +Boolean value that sets Windows Hello for Business as a method for signing into Windows. -

                  Default value is true. If you set this policy to false, the user cannot provision Windows Hello for Business except on Azure Active Directory joined mobile phones where provisioning is required. +Default value is true. If you set this policy to false, the user cannot provision Windows Hello for Business except on Azure Active Directory joined mobile phones where provisioning is required. -

                  Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/RequireSecurityDevice** -

                  Boolean value that requires a Trusted Platform Module (TPM) for Windows Hello for Business. TPM provides an additional security benefit over software so that data stored in it cannot be used on other devices. +Boolean value that requires a Trusted Platform Module (TPM) for Windows Hello for Business. TPM provides an additional security benefit over software so that data stored in it cannot be used on other devices. -

                  Default value is false. If you set this policy to true, only devices with a usable TPM can provision Windows Hello for Business. If you set this policy to false, all devices can provision Windows Hello for Business using software even if there is not a usable TPM. If you do not configure this setting, all devices can provision Windows Hello for Business using software if the TPM is non-functional or unavailable. +Default value is false. If you set this policy to true, only devices with a usable TPM can provision Windows Hello for Business. If you set this policy to false, all devices can provision Windows Hello for Business using software even if there is not a usable TPM. If you do not configure this setting, all devices can provision Windows Hello for Business using software if the TPM is non-functional or unavailable. -

                  Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/ExcludeSecurityDevices** (only for ./Device/Vendor/MSFT) -

                  Added in Windows 10, version 1703. Root node for excluded security devices. -

                  *Not supported on Windows Holographic and Windows Holographic for Business.* +Added in Windows 10, version 1703. Root node for excluded security devices. +*Not supported on Windows Holographic and Windows Holographic for Business.* ***TenantId*/Policies/ExcludeSecurityDevices/TPM12** (only for ./Device/Vendor/MSFT) -

                  Added in Windows 10, version 1703. Some Trusted Platform Modules (TPMs) are compliant only with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG). +Added in Windows 10, version 1703. Some Trusted Platform Modules (TPMs) are compliant only with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG). -

                  Default value is false. If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. +Default value is false. If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. -

                  If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. +If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. -

                  Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/EnablePinRecovery** -

                  Added in Windows 10, version 1703. Boolean value that enables a user to change their PIN by using the Windows Hello for Business PIN recovery service. +Added in Windows 10, version 1703. Boolean value that enables a user to change their PIN by using the Windows Hello for Business PIN recovery service. This cloud service encrypts a recovery secret, which is stored locally on the client, and can be decrypted only by the cloud service. -

                  Default value is false. If you enable this policy setting, the PIN recovery secret will be stored on the device and the user can change their PIN if needed. +Default value is false. If you enable this policy setting, the PIN recovery secret will be stored on the device and the user can change their PIN if needed. -

                  If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. +If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. -

                  Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/UseCertificateForOnPremAuth** (only for ./Device/Vendor/MSFT) -

                  Boolean value that enables Windows Hello for Business to use certificates to authenticate on-premise resources. +Boolean value that enables Windows Hello for Business to use certificates to authenticate on-premises resources. -

                  If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. +If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. -

                  If you disable or do not configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload. +If you disable or do not configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload. -

                  Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity** -

                  Node for defining PIN settings. +Node for defining PIN settings. ***TenantId*/Policies/PINComplexity/MinimumPINLength** -

                  Integer value that sets the minimum number of characters required for the PIN. Default value is 4. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. +Integer value that sets the minimum number of characters required for the PIN. Default value is 4. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. -

                  If you configure this policy setting, the PIN length must be greater than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be greater than or equal to 4. +If you configure this policy setting, the PIN length must be greater than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be greater than or equal to 4. > [!NOTE] > If the conditions specified above for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.   -

                  Value type is int. Supported operations are Add, Get, Delete, and Replace. +Value type is int. Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/MaximumPINLength** -

                  Integer value that sets the maximum number of characters allowed for the PIN. Default value is 127. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. +Integer value that sets the maximum number of characters allowed for the PIN. Default value is 127. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. -

                  If you configure this policy setting, the PIN length must be less than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be less than or equal to 127. +If you configure this policy setting, the PIN length must be less than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be less than or equal to 127. > [!NOTE] > If the conditions specified above for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.   -

                  Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/UppercaseLetters** -

                  Integer value that configures the use of uppercase letters in the Windows Hello for Business PIN. +Integer value that configures the use of uppercase letters in the Windows Hello for Business PIN. -

                  Valid values: +Valid values: - 0 - Allows the use of uppercase letters in PIN. - 1 - Requires the use of at least one uppercase letters in PIN. - 2 - Does not allow the use of uppercase letters in PIN. -

                  Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. +Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. -

                  Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/LowercaseLetters** -

                  Integer value that configures the use of lowercase letters in the Windows Hello for Business PIN. +Integer value that configures the use of lowercase letters in the Windows Hello for Business PIN. -

                  Valid values: +Valid values: - 0 - Allows the use of lowercase letters in PIN. - 1 - Requires the use of at least one lowercase letters in PIN. - 2 - Does not allow the use of lowercase letters in PIN. -

                  Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. +Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. -

                  Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/SpecialCharacters** -

                  Integer value that configures the use of special characters in the Windows Hello for Business PIN. Valid special characters for Windows Hello for Business PIN gestures include: ! " \# $ % & ' ( ) \* + , - . / : ; < = > ? @ \[ \\ \] ^ \_ \` { | } ~ . +Integer value that configures the use of special characters in the Windows Hello for Business PIN. Valid special characters for Windows Hello for Business PIN gestures include: ! " \# $ % & ' ( ) \* + , - . / : ; < = > ? @ \[ \\ \] ^ \_ \` { | } ~ . -

                  Valid values: +Valid values: - 0 - Allows the use of special characters in PIN. - 1 - Requires the use of at least one special character in PIN. - 2 - Does not allow the use of special characters in PIN. -

                  Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. +Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. -

                  Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/Digits** -

                  Integer value that configures the use of digits in the Windows Hello for Business PIN. +Integer value that configures the use of digits in the Windows Hello for Business PIN. -

                  Valid values: +Valid values: - 0 - Allows the use of digits in PIN. - 1 - Requires the use of at least one digit in PIN. - 2 - Does not allow the use of digits in PIN. -

                  Default value is 1. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. +Default value is 1. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. -

                  Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/History** -

                  Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. This node was added in Windows 10, version 1511. +Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. This node was added in Windows 10, version 1511. -

                  The current PIN of the user is included in the set of PINs associated with the user account. PIN history is not preserved through a PIN reset. +The current PIN of the user is included in the set of PINs associated with the user account. PIN history is not preserved through a PIN reset. -

                  Default value is 0. +Default value is 0. -

                  Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/Expiration** -

                  Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire. This node was added in Windows 10, version 1511. +Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire. This node was added in Windows 10, version 1511. -

                  Default is 0. +Default is 0. -

                  Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/Remote** (only for ./Device/Vendor/MSFT) -

                  Interior node for defining remote Windows Hello for Business policies. This node was added in Windows 10, version 1511. -

                  *Not supported on Windows Holographic and Windows Holographic for Business.* +Interior node for defining remote Windows Hello for Business policies. This node was added in Windows 10, version 1511. +*Not supported on Windows Holographic and Windows Holographic for Business.* ***TenantId*/Policies/Remote/UseRemotePassport** (only for ./Device/Vendor/MSFT) -

                  Boolean value used to enable or disable the use of remote Windows Hello for Business. Remote Windows Hello for Business provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. Remote Windows Hello for Business requires that the desktop be Azure AD joined and that the companion device has a Windows Hello for Business PIN. This node was added in Windows 10, version 1511. +Boolean value used to enable or disable the use of remote Windows Hello for Business. Remote Windows Hello for Business provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. Remote Windows Hello for Business requires that the desktop be Azure AD joined and that the companion device has a Windows Hello for Business PIN. This node was added in Windows 10, version 1511. -

                  Default value is false. If you set this policy to true, Remote Windows Hello for Business will be enabled and a portable, registered device can be used as a companion device for desktop authentication. If you set this policy to false, Remote Windows Hello for Business will be disabled. +Default value is false. If you set this policy to true, Remote Windows Hello for Business will be enabled and a portable, registered device can be used as a companion device for desktop authentication. If you set this policy to false, Remote Windows Hello for Business will be disabled. +Supported operations are Add, Get, Delete, and Replace. +*Not supported on Windows Holographic and Windows Holographic for Business.* -

                  Supported operations are Add, Get, Delete, and Replace. +***TenantId*/Policies/UseHelloCertificatesAsSmartCardCertificates** (only for ./Device/Vendor/MSFT) +Added in Windows 10, next major version. If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates. -

                  *Not supported on Windows Holographic and Windows Holographic for Business.* +If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key. + +Windows requires a user to lock and unlock their session after changing this setting if the user is currently signed in. + +Value type is bool. Supported operations are Add, Get, Replace, and Delete. **UseBiometrics** -

                  This node is deprecated. Use **Biometrics/UseBiometrics** node instead. +This node is deprecated. Use **Biometrics/UseBiometrics** node instead. **Biometrics** (only for ./Device/Vendor/MSFT) -

                  Node for defining biometric settings. This node was added in Windows 10, version 1511. -

                  *Not supported on Windows Holographic and Windows Holographic for Business.* +Node for defining biometric settings. This node was added in Windows 10, version 1511. +*Not supported on Windows Holographic and Windows Holographic for Business.* **Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT) -

                  Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use in case of failures. This node was added in Windows 10, version 1511. +Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use in case of failures. This node was added in Windows 10, version 1511. -

                  Default value is false. If you set this policy to true, biometric gestures are enabled for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business. +Default value is false. If you set this policy to true, biometric gestures are enabled for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business. -

                  Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -

                  *Not supported on Windows Holographic and Windows Holographic for Business.* +*Not supported on Windows Holographic and Windows Holographic for Business.* **Biometrics/FacialFeaturesUseEnhancedAntiSpoofing** (only for ./Device/Vendor/MSFT) -

                  Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511. +Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511. -

                  Default value is false. If you set this policy to false or don't configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. +Default value is false. If you set this policy to false or don't configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. -

                  If you set this policy to true, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that do not support enhanced anti-spoofing. +If you set this policy to true, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that do not support enhanced anti-spoofing. -

                  Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices. +Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices. -

                  Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -

                  *Not supported on Windows Holographic and Windows Holographic for Business.* +*Not supported on Windows Holographic and Windows Holographic for Business.* + +**DeviceUnlock** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1803. Interior node. + +**DeviceUnlock/GroupA** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1803. Contains a list of credential providers by GUID (comma separated) that are the first step of authentication. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + +**DeviceUnlock/GroupB** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1803. Contains a list of credential providers by GUID (comma separated) that are the second step of authentication. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + +**DeviceUnlock/Plugins** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1803. List of plugins (comma separated) that the passive provider monitors to detect user presence. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + +**DynamicLock** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1803. Interior node. + + +**DynamicLock/DynamicLock** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1803. Enables the dynamic lock. + +Value type is bool. Supported operations are Add, Get, Replace, and Delete. + +**DynamicLock/Plugins** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1803. List of plugins (comma separated) that the passive provider monitors to detect user absence. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. ## Examples -

                  Here's an example for setting Windows Hello for Business and setting the PIN policies. It also turns on the use of biometrics and TPM. +Here's an example for setting Windows Hello for Business and setting the PIN policies. It also turns on the use of biometrics and TPM. ``` syntax diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md index f0d64040aa..06eabcf651 100644 --- a/windows/client-management/mdm/passportforwork-ddf.md +++ b/windows/client-management/mdm/passportforwork-ddf.md @@ -6,17 +6,20 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 12/05/2017 +author: MariciaAlforque +ms.date: 07/26/2017 --- # PassportForWork DDF +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic shows the OMA DM device description framework (DDF) for the **PassportForWork** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version for this CSP. +The XML below is for Windows 10, next major version. ``` syntax @@ -42,7 +45,7 @@ The XML below is the current version for this CSP. - com.microsoft/1.3/MDM/PassportForWork + com.microsoft/1.5/MDM/PassportForWork 
@@ -565,58 +568,58 @@ If you disable or do not configure this policy setting, the TPM is still preferr - ExcludeSecurityDevices + ExcludeSecurityDevices + + + + + + + Root node for excluded security devices. + + + + + + + + + + ExcludeSecurityDevices + + + + + + TPM12 - - - - - - Root node for excluded security devices. - - - - - - - - - - ExcludeSecurityDevices - - - - - - TPM12 - - - - - - - - False - Some Trusted Platform Modules (TPMs) are only compliant with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG). + + + + + + + False + Some Trusted Platform Modules (TPMs) are only compliant with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG). If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. - - - - - - - - - - - text/plain - - - - + + + + + + + + + + + text/plain + + + + EnablePinRecovery 
@@ -985,6 +988,35 @@ Default value is false. If you enable this setting, a desktop device will allow + + UseHelloCertificatesAsSmartCardCertificates + + + + + + + + False + If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates. + +If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key. + +Windows requires a user to lock and unlock their session after changing this setting if the user is currently signed in. + + + + + + + + + + + text/plain + + + 
@@ -1083,9 +1115,9 @@ NOTE: Disabling this policy prevents the use of biometric gestures on the device False This setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication. -If you enable or don't configure this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing. +If you enable this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing. -If you disable this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. +If you disable or do not configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices. 
@@ -1100,19 +1132,176 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re text/plain + + + + + + + + + DeviceUnlock + + + + + Device Unlock + + + + + + + + + + + + + + + GroupA + + + + + + + + Contains a list of providers by GUID that are to be considered for the first step of authentication + + + + + + + + + + + text/plain + + + + + GroupB + + + + + + + + Contains a list of providers by GUID that are to be considered for the second step of authentication + + + + + + + + + + + text/plain + + + + + Plugins + + + + + + + + List of plugins that the passive provider monitors to detect user presence + + + + + + + + + + + text/plain + + + + + + DynamicLock + + + + + Dynamic Lock + + + + + + + + + + + + + + + DynamicLock + + + + + + + + False + Enables/Disables Dyanamic Lock + + + + + + + + + + + text/plain + + + + + Plugins + + + + + + + + List of plugins that the passive provider monitors to detect user absence + + + + + + + + + + + text/plain + -``` - -  - -  - - - - - - +``` \ No newline at end of file diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md index 8911582570..dd19365596 100644 --- a/windows/client-management/mdm/personalization-csp.md +++ b/windows/client-management/mdm/personalization-csp.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md index ce6baf1be0..ccdfdff645 100644 --- a/windows/client-management/mdm/personalization-ddf.md +++ b/windows/client-management/mdm/personalization-ddf.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 12/05/2017 --- 
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 71f83755e0..5ec75dcc02 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -1,4819 +1,5090 @@ ---- -title: Policy CSP -description: Policy CSP -ms.assetid: 4F3A1134-D401-44FC-A583-6EDD3070BA4F -ms.author: maricia -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: nickbrower -ms.date: 04/16/2018 ---- - -# Policy CSP - - -The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies. - -The Policy configuration service provider has the following sub-categories: - -- Policy/Config/*AreaName* – Handles the policy configuration request from the server. -- Policy/Result/*AreaName* – Provides a read-only path to policies enforced on the device. - - - -> [!Important] -> Policy scope is the level at which a policy can be configured. Some policies can only be configured at the device level, meaning the policy will take effect independent of who is logged into the device. Other policies can be configured at the user level, meaning the policy will only take effect for that user. -> -> The allowed scope of a specific policy is represented below its table of supported Windows editions. To configure a policy under a specific scope (user vs. device), please use the following paths: -> -> User scope: -> - **./User/Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy. -> - **./User/Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result. -> -> Device scope: -> - **./Device/Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy. -> - **./Device/Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result. -> -> For device wide configuration the **_Device/_** portion may be omitted from the path, deeming the following paths respectively equivalent: -> -> - **./Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy. -> - **./Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result. 
- -The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. - -![policy csp diagram](images/provisioning-csp-policy.png) - - -**./Vendor/MSFT/Policy** -

                  The root node for the Policy configuration service provider. - -

                  Supported operation is Get. - -**Policy/Config** -

                  Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. - -

                  Supported operation is Get. - -**Policy/Config/****_AreaName_** -

                  The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. - -

                  Supported operations are Add, Get, and Delete. - -**Policy/Config/****_AreaName/PolicyName_** -

                  Specifies the name/value pair used in the policy. - -

                  The following list shows some tips to help you when configuring policies: - -- Separate substring values by the Unicode &\#xF000; in the XML file. - -> [!NOTE] -> A query from a different caller could provide a different value as each caller could have different values for a named policy. - -- In SyncML, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction. -- Supported operations are Add, Get, Delete, and Replace. -- Value type is string. - -**Policy/Result** -

                  Groups the evaluated policies from all providers that can be configured. - -

                  Supported operation is Get. - -**Policy/Result/****_AreaName_** -

                  The area group that can be configured by a single technology independent of the providers. - -

                  Supported operation is Get. - -**Policy/Result/****_AreaName/PolicyName_** -

                  Specifies the name/value pair used in the policy. - -

                  Supported operation is Get. - -**Policy/ConfigOperations** -

                  Added in Windows 10, version 1703. The root node for grouping different configuration operations. - -

                  Supported operations are Add, Get, and Delete. - -**Policy/ConfigOperations/ADMXInstall** -

                  Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md). - -> [!NOTE] -> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](https://technet.microsoft.com/en-us/library/cc179097.aspx). - -

                  ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}`. - -

                  Supported operations are Add, Get, and Delete. - -**Policy/ConfigOperations/ADMXInstall/****_AppName_** -

                  Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. - -

                  Supported operations are Add, Get, and Delete. - -**Policy/ConfigOperations/ADMXInstall/****_AppName_/Policy** -

                  Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported. - -

                  Supported operations are Add, Get, and Delete. - -**Policy/ConfigOperations/ADMXInstall/****_AppName_/Policy/_UniqueID_** -

                  Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import. - -

                  Supported operations are Add and Get. Does not support Delete. - -**Policy/ConfigOperations/ADMXInstall/****_AppName_/Preference** -

                  Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported. - -

                  Supported operations are Add, Get, and Delete. - -**Policy/ConfigOperations/ADMXInstall/****_AppName_/Preference/_UniqueID_** -

                  Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import. - -

                  Supported operations are Add and Get. Does not support Delete. - -> [!Note] -> The policies supported in Windows 10 S are the same as those supported in Windows 10 Pro with the exception of the policies under ApplicationDefaults. The ApplicationDefaults policies are not supported in Windows 10 S. - -## Policies - -### AboveLock policies - -

                  -
                  - AboveLock/AllowActionCenterNotifications -
                  -
                  - AboveLock/AllowCortanaAboveLock -
                  -
                  - AboveLock/AllowToasts -
                  -
                  - -### AccountPoliciesAccountLockoutPolicy policies - -
                  -
                  - AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration -
                  -
                  - AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold -
                  -
                  - AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter -
                  -
                  - -### Accounts policies - -
                  -
                  - Accounts/AllowAddingNonMicrosoftAccountsManually -
                  -
                  - Accounts/AllowMicrosoftAccountConnection -
                  -
                  - Accounts/AllowMicrosoftAccountSignInAssistant -
                  -
                  - Accounts/DomainNamesForEmailSync -
                  -
                  - -### ActiveXControls policies - -
                  -
                  - ActiveXControls/ApprovedInstallationSites -
                  -
                  - -### ApplicationDefaults policies - -
                  -
                  - ApplicationDefaults/DefaultAssociationsConfiguration -
                  -
                  - ApplicationDefaults/EnableAppUriHandlers -
                  -
                  - -### ApplicationManagement policies - -
                  -
                  - ApplicationManagement/AllowAllTrustedApps -
                  -
                  - ApplicationManagement/AllowAppStoreAutoUpdate -
                  -
                  - ApplicationManagement/AllowDeveloperUnlock -
                  -
                  - ApplicationManagement/AllowGameDVR -
                  -
                  - ApplicationManagement/AllowSharedUserAppData -
                  -
                  - ApplicationManagement/AllowStore -
                  -
                  - ApplicationManagement/ApplicationRestrictions -
                  -
                  - ApplicationManagement/DisableStoreOriginatedApps -
                  -
                  - ApplicationManagement/MSIAllowUserControlOverInstall -
                  -
                  - ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges -
                  -
                  - ApplicationManagement/RequirePrivateStoreOnly -
                  -
                  - ApplicationManagement/RestrictAppDataToSystemVolume -
                  -
                  - ApplicationManagement/RestrictAppToSystemVolume -
                  -
                  - -### AppRuntime policies - -
                  -
                  - AppRuntime/AllowMicrosoftAccountsToBeOptional -
                  -
                  - -### AppVirtualization policies - -
                  -
                  - AppVirtualization/AllowAppVClient -
                  -
                  - AppVirtualization/AllowDynamicVirtualization -
                  -
                  - AppVirtualization/AllowPackageCleanup -
                  -
                  - AppVirtualization/AllowPackageScripts -
                  -
                  - AppVirtualization/AllowPublishingRefreshUX -
                  -
                  - AppVirtualization/AllowReportingServer -
                  -
                  - AppVirtualization/AllowRoamingFileExclusions -
                  -
                  - AppVirtualization/AllowRoamingRegistryExclusions -
                  -
                  - AppVirtualization/AllowStreamingAutoload -
                  -
                  - AppVirtualization/ClientCoexistenceAllowMigrationmode -
                  -
                  - AppVirtualization/IntegrationAllowRootGlobal -
                  -
                  - AppVirtualization/IntegrationAllowRootUser -
                  -
                  - AppVirtualization/PublishingAllowServer1 -
                  -
                  - AppVirtualization/PublishingAllowServer2 -
                  -
                  - AppVirtualization/PublishingAllowServer3 -
                  -
                  - AppVirtualization/PublishingAllowServer4 -
                  -
                  - AppVirtualization/PublishingAllowServer5 -
                  -
                  - AppVirtualization/StreamingAllowCertificateFilterForClient_SSL -
                  -
                  - AppVirtualization/StreamingAllowHighCostLaunch -
                  -
                  - AppVirtualization/StreamingAllowLocationProvider -
                  -
                  - AppVirtualization/StreamingAllowPackageInstallationRoot -
                  -
                  - AppVirtualization/StreamingAllowPackageSourceRoot -
                  -
                  - AppVirtualization/StreamingAllowReestablishmentInterval -
                  -
                  - AppVirtualization/StreamingAllowReestablishmentRetries -
                  -
                  - AppVirtualization/StreamingSharedContentStoreMode -
                  -
                  - AppVirtualization/StreamingSupportBranchCache -
                  -
                  - AppVirtualization/StreamingVerifyCertificateRevocationList -
                  -
                  - AppVirtualization/VirtualComponentsAllowList -
                  -
                  - -### AttachmentManager policies - -
                  -
                  - AttachmentManager/DoNotPreserveZoneInformation -
                  -
                  - AttachmentManager/HideZoneInfoMechanism -
                  -
                  - AttachmentManager/NotifyAntivirusPrograms -
                  -
                  - -### Authentication policies - -
                  -
                  - Authentication/AllowAadPasswordReset -
                  -
                  - Authentication/AllowEAPCertSSO -
                  -
                  - Authentication/AllowFastReconnect -
                  -
                  - Authentication/AllowFidoDeviceSignon -
                  -
                  - Authentication/AllowSecondaryAuthenticationDevice -
                  -
                  - -### Autoplay policies - -
                  -
                  - Autoplay/DisallowAutoplayForNonVolumeDevices -
                  -
                  - Autoplay/SetDefaultAutoRunBehavior -
                  -
                  - Autoplay/TurnOffAutoPlay -
                  -
                  - -### Bitlocker policies - -
                  -
                  - Bitlocker/EncryptionMethod -
                  -
                  - -### Bluetooth policies - -
                  -
                  - Bluetooth/AllowAdvertising -
                  -
                  - Bluetooth/AllowDiscoverableMode -
                  -
                  - Bluetooth/AllowPrepairing -
                  -
                  - Bluetooth/AllowPromptedProximalConnections -
                  -
                  - Bluetooth/LocalDeviceName -
                  -
                  - Bluetooth/ServicesAllowedList -
                  -
                  - -### Browser policies - -
                  -
                  - Browser/AllowAddressBarDropdown -
                  -
                  - Browser/AllowAutofill -
                  -
                  - Browser/AllowBrowser -
                  -
                  - Browser/AllowConfigurationUpdateForBooksLibrary -
                  -
                  - Browser/AllowCookies -
                  -
                  - Browser/AllowDeveloperTools -
                  -
                  - Browser/AllowDoNotTrack -
                  -
                  - Browser/AllowExtensions -
                  -
                  - Browser/AllowFlash -
                  -
                  - Browser/AllowFlashClickToRun -
                  -
                  - Browser/AllowInPrivate -
                  -
                  - Browser/AllowMicrosoftCompatibilityList -
                  -
                  - Browser/AllowPasswordManager -
                  -
                  - Browser/AllowPopups -
                  -
                  - Browser/AllowSearchEngineCustomization -
                  -
                  - Browser/AllowSearchSuggestionsinAddressBar -
                  -
                  - Browser/AllowSmartScreen -
                  -
                  - Browser/AlwaysEnableBooksLibrary -
                  -
                  - Browser/ClearBrowsingDataOnExit -
                  -
                  - Browser/ConfigureAdditionalSearchEngines -
                  -
                  - Browser/DisableLockdownOfStartPages -
                  -
                  - Browser/EnableExtendedBooksTelemetry -
                  -
                  - Browser/EnterpriseModeSiteList -
                  -
                  - Browser/EnterpriseSiteListServiceUrl -
                  -
                  - Browser/FirstRunURL -
                  -
                  - Browser/HomePages -
                  -
                  - Browser/LockdownFavorites -
                  -
                  - Browser/PreventAccessToAboutFlagsInMicrosoftEdge -
                  -
                  - Browser/PreventFirstRunPage -
                  -
                  - Browser/PreventLiveTileDataCollection -
                  -
                  - Browser/PreventSmartScreenPromptOverride -
                  -
                  - Browser/PreventSmartScreenPromptOverrideForFiles -
                  -
                  - Browser/PreventTabPreloading -
                  -
                  - Browser/PreventUsingLocalHostIPAddressForWebRTC -
                  -
                  - Browser/ProvisionFavorites -
                  -
                  - Browser/SendIntranetTraffictoInternetExplorer -
                  -
                  - Browser/SetDefaultSearchEngine -
                  -
                  - Browser/ShowMessageWhenOpeningSitesInInternetExplorer -
                  -
                  - Browser/SyncFavoritesBetweenIEAndMicrosoftEdge -
                  -
                  - Browser/UseSharedFolderForBooks -
                  -
                  - -### Camera policies - -
                  -
                  - Camera/AllowCamera -
                  -
                  - -### Cellular policies - -
                  -
                  - Cellular/LetAppsAccessCellularData -
                  -
                  - Cellular/LetAppsAccessCellularData_ForceAllowTheseApps -
                  -
                  - Cellular/LetAppsAccessCellularData_ForceDenyTheseApps -
                  -
                  - Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps -
                  -
                  - Cellular/ShowAppCellularAccessUI -
                  -
                  - -### Connectivity policies - -
                  -
                  - Connectivity/AllowBluetooth -
                  -
                  - Connectivity/AllowCellularData -
                  -
                  - Connectivity/AllowCellularDataRoaming -
                  -
                  - Connectivity/AllowConnectedDevices -
                  -
                  - Connectivity/AllowNFC -
                  -
                  - Connectivity/AllowPhonePCLinking -
                  -
                  - Connectivity/AllowUSBConnection -
                  -
                  - Connectivity/AllowVPNOverCellular -
                  -
                  - Connectivity/AllowVPNRoamingOverCellular -
                  -
                  - Connectivity/DiablePrintingOverHTTP -
                  -
                  - Connectivity/DisableDownloadingOfPrintDriversOverHTTP -
                  -
                  - Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards -
                  -
                  - Connectivity/DisallowNetworkConnectivityActiveTests -
                  -
                  - Connectivity/HardenedUNCPaths -
                  -
                  - Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge -
                  -
                  - -### ControlPolicyConflict policies - -
                  -
                  - ControlPolicyConflict/MDMWinsOverGP -
                  -
                  - -### CredentialProviders policies - -
                  -
                  - CredentialProviders/AllowPINLogon -
                  -
                  - CredentialProviders/BlockPicturePassword -
                  -
                  - CredentialProviders/DisableAutomaticReDeploymentCredentials -
                  -
                  - -### CredentialsDelegation policies - -
                  -
                  - CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials -
                  -
                  - -### CredentialsUI policies - -
                  -
                  - CredentialsUI/DisablePasswordReveal -
                  -
                  - CredentialsUI/EnumerateAdministrators -
                  -
                  - -### Cryptography policies - -
                  -
                  - Cryptography/AllowFipsAlgorithmPolicy -
                  -
                  - Cryptography/TLSCipherSuites -
                  -
                  - -### DataProtection policies - -
                  -
                  - DataProtection/AllowDirectMemoryAccess -
                  -
                  - DataProtection/LegacySelectiveWipeID -
                  -
                  - -### DataUsage policies - -
                  -
                  - DataUsage/SetCost3G -
                  -
                  - DataUsage/SetCost4G -
                  -
                  - -### Defender policies - -
                  -
                  - Defender/AllowArchiveScanning -
                  -
                  - Defender/AllowBehaviorMonitoring -
                  -
                  - Defender/AllowCloudProtection -
                  -
                  - Defender/AllowEmailScanning -
                  -
                  - Defender/AllowFullScanOnMappedNetworkDrives -
                  -
                  - Defender/AllowFullScanRemovableDriveScanning -
                  -
                  - Defender/AllowIOAVProtection -
                  -
                  - Defender/AllowIntrusionPreventionSystem -
                  -
                  - Defender/AllowOnAccessProtection -
                  -
                  - Defender/AllowRealtimeMonitoring -
                  -
                  - Defender/AllowScanningNetworkFiles -
                  -
                  - Defender/AllowScriptScanning -
                  -
                  - Defender/AllowUserUIAccess -
                  -
                  - Defender/AttackSurfaceReductionOnlyExclusions -
                  -
                  - Defender/AttackSurfaceReductionRules -
                  -
                  - Defender/AvgCPULoadFactor -
                  -
                  - Defender/CloudBlockLevel -
                  -
                  - Defender/CloudExtendedTimeout -
                  -
                  - Defender/ControlledFolderAccessAllowedApplications -
                  -
                  - Defender/ControlledFolderAccessProtectedFolders -
                  -
                  - Defender/DaysToRetainCleanedMalware -
                  -
                  - Defender/EnableControlledFolderAccess -
                  -
                  - Defender/EnableNetworkProtection -
                  -
                  - Defender/ExcludedExtensions -
                  -
                  - Defender/ExcludedPaths -
                  -
                  - Defender/ExcludedProcesses -
                  -
                  - Defender/PUAProtection -
                  -
                  - Defender/RealTimeScanDirection -
                  -
                  - Defender/ScanParameter -
                  -
                  - Defender/ScheduleQuickScanTime -
                  -
                  - Defender/ScheduleScanDay -
                  -
                  - Defender/ScheduleScanTime -
                  -
                  - Defender/SignatureUpdateInterval -
                  -
                  - Defender/SubmitSamplesConsent -
                  -
                  - Defender/ThreatSeverityDefaultAction -
                  -
                  - -### DeliveryOptimization policies - -
                  -
                  - DeliveryOptimization/DOAbsoluteMaxCacheSize -
                  -
                  - DeliveryOptimization/DOAllowVPNPeerCaching -
                  -
                  - DeliveryOptimization/DODelayBackgroundDownloadFromHttp -
                  -
                  - DeliveryOptimization/DODelayForegroundDownloadFromHttp -
                  -
                  - DeliveryOptimization/DODownloadMode -
                  -
                  - DeliveryOptimization/DOGroupId -
                  -
                  - DeliveryOptimization/DOGroupIdSource -
                  -
                  - DeliveryOptimization/DOMaxCacheAge -
                  -
                  - DeliveryOptimization/DOMaxCacheSize -
                  -
                  - DeliveryOptimization/DOMaxDownloadBandwidth -
                  -
                  - DeliveryOptimization/DOMaxUploadBandwidth -
                  -
                  - DeliveryOptimization/DOMinBackgroundQos -
                  -
                  - DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload -
                  -
                  - DeliveryOptimization/DOMinDiskSizeAllowedToPeer -
                  -
                  - DeliveryOptimization/DOMinFileSizeToCache -
                  -
                  - DeliveryOptimization/DOMinRAMAllowedToPeer -
                  -
                  - DeliveryOptimization/DOModifyCacheDrive -
                  -
                  - DeliveryOptimization/DOMonthlyUploadDataCap -
                  -
                  - DeliveryOptimization/DOPercentageMaxBackgroundBandwidth -
                  -
                  - DeliveryOptimization/DOPercentageMaxDownloadBandwidth -
                  -
                  - DeliveryOptimization/DOPercentageMaxForegroundBandwidth -
                  -
                  - DeliveryOptimization/DORestrictPeerSelectionBy -
                  -
                  - DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth -
                  -
                  - DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth -
                  -
                  - -### Desktop policies - -
                  -
                  - Desktop/PreventUserRedirectionOfProfileFolders -
                  -
                  - -### DeviceGuard policies - -
                  -
                  - DeviceGuard/EnableVirtualizationBasedSecurity -
                  -
                  - DeviceGuard/LsaCfgFlags -
                  -
                  - DeviceGuard/RequirePlatformSecurityFeatures -
                  -
                  - -### DeviceInstallation policies - -
                  -
                  - DeviceInstallation/PreventInstallationOfMatchingDeviceIDs -
                  -
                  - DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses -
                  -
                  - -### DeviceLock policies - -
                  -
                  - DeviceLock/AllowIdleReturnWithoutPassword -
                  -
                  - DeviceLock/AllowScreenTimeoutWhileLockedUserConfig -
                  -
                  - DeviceLock/AllowSimpleDevicePassword -
                  -
                  - DeviceLock/AlphanumericDevicePasswordRequired -
                  -
                  - DeviceLock/DevicePasswordEnabled -
                  -
                  - DeviceLock/DevicePasswordExpiration -
                  -
                  - DeviceLock/DevicePasswordHistory -
                  -
                  - DeviceLock/EnforceLockScreenAndLogonImage -
                  -
                  - DeviceLock/EnforceLockScreenProvider -
                  -
                  - DeviceLock/MaxDevicePasswordFailedAttempts -
                  -
                  - DeviceLock/MaxInactivityTimeDeviceLock -
                  -
                  - DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay -
                  -
                  - DeviceLock/MinDevicePasswordComplexCharacters -
                  -
                  - DeviceLock/MinDevicePasswordLength -
                  -
                  - DeviceLock/MinimumPasswordAge -
                  -
                  - DeviceLock/PreventEnablingLockScreenCamera -
                  -
                  - DeviceLock/PreventLockScreenSlideShow -
                  -
                  - DeviceLock/ScreenTimeoutWhileLocked -
                  -
                  - -### Display policies - -
                  -
                  - Display/DisablePerProcessDpiForApps -
                  -
                  - Display/EnablePerProcessDpi -
                  -
                  - Display/EnablePerProcessDpiForApps -
                  -
                  - Display/TurnOffGdiDPIScalingForApps -
                  -
                  - Display/TurnOnGdiDPIScalingForApps -
                  -
                  - -### Education policies - -
                  -
                  - Education/DefaultPrinterName -
                  -
                  - Education/PreventAddingNewPrinters -
                  -
                  - Education/PrinterNames -
                  -
                  - -### EnterpriseCloudPrint policies - -
                  -
                  - EnterpriseCloudPrint/CloudPrintOAuthAuthority -
                  -
                  - EnterpriseCloudPrint/CloudPrintOAuthClientId -
                  -
                  - EnterpriseCloudPrint/CloudPrintResourceId -
                  -
                  - EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint -
                  -
                  - EnterpriseCloudPrint/DiscoveryMaxPrinterLimit -
                  -
                  - EnterpriseCloudPrint/MopriaDiscoveryResourceId -
                  -
                  - -### ErrorReporting policies - -
                  -
                  - ErrorReporting/CustomizeConsentSettings -
                  -
                  - ErrorReporting/DisableWindowsErrorReporting -
                  -
                  - ErrorReporting/DisplayErrorNotification -
                  -
                  - ErrorReporting/DoNotSendAdditionalData -
                  -
                  - ErrorReporting/PreventCriticalErrorDisplay -
                  -
                  - -### EventLogService policies - -
                  -
                  - EventLogService/ControlEventLogBehavior -
                  -
                  - EventLogService/SpecifyMaximumFileSizeApplicationLog -
                  -
                  - EventLogService/SpecifyMaximumFileSizeSecurityLog -
                  -
                  - EventLogService/SpecifyMaximumFileSizeSystemLog -
                  -
                  - -### Experience policies - -
                  -
                  - Experience/AllowCopyPaste -
                  -
                  - Experience/AllowCortana -
                  -
                  - Experience/AllowDeviceDiscovery -
                  -
                  - Experience/AllowFindMyDevice -
                  -
                  - Experience/AllowManualMDMUnenrollment -
                  -
                  - Experience/AllowSIMErrorDialogPromptWhenNoSIM -
                  -
                  - Experience/AllowSaveAsOfOfficeFiles -
                  -
                  - Experience/AllowScreenCapture -
                  -
                  - Experience/AllowSharingOfOfficeFiles -
                  -
                  - Experience/AllowSyncMySettings -
                  -
                  - Experience/AllowTailoredExperiencesWithDiagnosticData -
                  -
                  - Experience/AllowTaskSwitcher -
                  -
                  - Experience/AllowThirdPartySuggestionsInWindowsSpotlight -
                  -
                  - Experience/AllowVoiceRecording -
                  -
                  - Experience/AllowWindowsConsumerFeatures -
                  -
                  - Experience/AllowWindowsSpotlight -
                  -
                  - Experience/AllowWindowsSpotlightOnActionCenter -
                  -
                  - Experience/AllowWindowsSpotlightOnSettings -
                  -
                  - Experience/AllowWindowsSpotlightWindowsWelcomeExperience -
                  -
                  - Experience/AllowWindowsTips -
                  -
                  - Experience/ConfigureWindowsSpotlightOnLockScreen -
                  -
                  - Experience/DoNotShowFeedbackNotifications -
                  -
                  - -### ExploitGuard policies - -
                  -
                  - ExploitGuard/ExploitProtectionSettings -
                  -
                  - -### FileExplorer policies - -
                  -
                  - FileExplorer/TurnOffDataExecutionPreventionForExplorer -
                  -
                  - FileExplorer/TurnOffHeapTerminationOnCorruption -
                  -
                  - -### Games policies - -
                  -
                  - Games/AllowAdvancedGamingServices -
                  -
                  - -### Handwriting policies - -
                  -
                  - Handwriting/PanelDefaultModeDocked -
                  -
                  - -### InternetExplorer policies - -
                  -
                  - InternetExplorer/AddSearchProvider -
                  -
                  - InternetExplorer/AllowActiveXFiltering -
                  -
                  - InternetExplorer/AllowAddOnList -
                  -
                  - InternetExplorer/AllowAutoComplete -
                  -
                  - InternetExplorer/AllowCertificateAddressMismatchWarning -
                  -
                  - InternetExplorer/AllowDeletingBrowsingHistoryOnExit -
                  -
                  - InternetExplorer/AllowEnhancedProtectedMode -
                  -
                  - InternetExplorer/AllowEnterpriseModeFromToolsMenu -
                  -
                  - InternetExplorer/AllowEnterpriseModeSiteList -
                  -
                  - InternetExplorer/AllowFallbackToSSL3 -
                  -
                  - InternetExplorer/AllowInternetExplorer7PolicyList -
                  -
                  - InternetExplorer/AllowInternetExplorerStandardsMode -
                  -
                  - InternetExplorer/AllowInternetZoneTemplate -
                  -
                  - InternetExplorer/AllowIntranetZoneTemplate -
                  -
                  - InternetExplorer/AllowLocalMachineZoneTemplate -
                  -
                  - InternetExplorer/AllowLockedDownInternetZoneTemplate -
                  -
                  - InternetExplorer/AllowLockedDownIntranetZoneTemplate -
                  -
                  - InternetExplorer/AllowLockedDownLocalMachineZoneTemplate -
                  -
                  - InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate -
                  -
                  - InternetExplorer/AllowOneWordEntry -
                  -
                  - InternetExplorer/AllowSiteToZoneAssignmentList -
                  -
                  - InternetExplorer/AllowSoftwareWhenSignatureIsInvalid -
                  -
                  - InternetExplorer/AllowSuggestedSites -
                  -
                  - InternetExplorer/AllowTrustedSitesZoneTemplate -
                  -
                  - InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate -
                  -
                  - InternetExplorer/AllowsRestrictedSitesZoneTemplate -
                  -
                  - InternetExplorer/CheckServerCertificateRevocation -
                  -
                  - InternetExplorer/CheckSignaturesOnDownloadedPrograms -
                  -
                  - InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses -
                  -
                  - InternetExplorer/DisableAdobeFlash -
                  -
                  - InternetExplorer/DisableBypassOfSmartScreenWarnings -
                  -
                  - InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles -
                  -
                  - InternetExplorer/DisableConfiguringHistory -
                  -
                  - InternetExplorer/DisableCrashDetection -
                  -
                  - InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation -
                  -
                  - InternetExplorer/DisableDeletingUserVisitedWebsites -
                  -
                  - InternetExplorer/DisableEnclosureDownloading -
                  -
                  - InternetExplorer/DisableEncryptionSupport -
                  -
                  - InternetExplorer/DisableFirstRunWizard -
                  -
                  - InternetExplorer/DisableFlipAheadFeature -
                  -
                  - InternetExplorer/DisableHomePageChange -
                  -
                  - InternetExplorer/DisableIgnoringCertificateErrors -
                  -
                  - InternetExplorer/DisableInPrivateBrowsing -
                  -
                  - InternetExplorer/DisableProcessesInEnhancedProtectedMode -
                  -
                  - InternetExplorer/DisableProxyChange -
                  -
                  - InternetExplorer/DisableSearchProviderChange -
                  -
                  - InternetExplorer/DisableSecondaryHomePageChange -
                  -
                  - InternetExplorer/DisableSecuritySettingsCheck -
                  -
                  - InternetExplorer/DisableUpdateCheck -
                  -
                  - InternetExplorer/DoNotAllowActiveXControlsInProtectedMode -
                  -
                  - InternetExplorer/DoNotAllowUsersToAddSites -
                  -
                  - InternetExplorer/DoNotAllowUsersToChangePolicies -
                  -
                  - InternetExplorer/DoNotBlockOutdatedActiveXControls -
                  -
                  - InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains -
                  -
                  - InternetExplorer/IncludeAllLocalSites -
                  -
                  - InternetExplorer/IncludeAllNetworkPaths -
                  -
                  - InternetExplorer/InternetZoneAllowAccessToDataSources -
                  -
                  - InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls -
                  -
                  - InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads -
                  -
                  - InternetExplorer/InternetZoneAllowCopyPasteViaScript -
                  -
                  - InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles -
                  -
                  - InternetExplorer/InternetZoneAllowFontDownloads -
                  -
                  - InternetExplorer/InternetZoneAllowLessPrivilegedSites -
                  -
                  - InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles -
                  -
                  - InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents -
                  -
                  - InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls -
                  -
                  - InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl -
                  -
                  - InternetExplorer/InternetZoneAllowScriptInitiatedWindows -
                  -
                  - InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls -
                  -
                  - InternetExplorer/InternetZoneAllowScriptlets -
                  -
                  - InternetExplorer/InternetZoneAllowSmartScreenIE -
                  -
                  - InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript -
                  -
                  - InternetExplorer/InternetZoneAllowUserDataPersistence -
                  -
                  - InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer -
                  -
                  - InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls -
                  -
                  - InternetExplorer/InternetZoneDownloadSignedActiveXControls -
                  -
                  - InternetExplorer/InternetZoneDownloadUnsignedActiveXControls -
                  -
                  - InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter -
                  -
                  - InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows -
                  -
                  - InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows -
                  -
                  - InternetExplorer/InternetZoneEnableMIMESniffing -
                  -
                  - InternetExplorer/InternetZoneEnableProtectedMode -
                  -
                  - InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer -
                  -
                  - InternetExplorer/InternetZoneInitializeAndScriptActiveXControls -
                  -
                  - InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe -
                  -
                  - InternetExplorer/InternetZoneJavaPermissions -
                  -
                  - InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME -
                  -
                  - InternetExplorer/InternetZoneLogonOptions -
                  -
                  - InternetExplorer/InternetZoneNavigateWindowsAndFrames -
                  -
                  - InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode -
                  -
                  - InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles -
                  -
                  - InternetExplorer/InternetZoneUsePopupBlocker -
                  -
                  - InternetExplorer/IntranetZoneAllowAccessToDataSources -
                  -
                  - InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls -
                  -
                  - InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads -
                  -
                  - InternetExplorer/IntranetZoneAllowFontDownloads -
                  -
                  - InternetExplorer/IntranetZoneAllowLessPrivilegedSites -
                  -
                  - InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents -
                  -
                  - InternetExplorer/IntranetZoneAllowScriptlets -
                  -
                  - InternetExplorer/IntranetZoneAllowSmartScreenIE -
                  -
                  - InternetExplorer/IntranetZoneAllowUserDataPersistence -
                  -
                  - InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls -
                  -
                  - InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls -
                  -
                  - InternetExplorer/IntranetZoneJavaPermissions -
                  -
                  - InternetExplorer/IntranetZoneNavigateWindowsAndFrames -
                  -
                  - InternetExplorer/LocalMachineZoneAllowAccessToDataSources -
                  -
                  - InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls -
                  -
                  - InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads -
                  -
                  - InternetExplorer/LocalMachineZoneAllowFontDownloads -
                  -
                  - InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites -
                  -
                  - InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents -
                  -
                  - InternetExplorer/LocalMachineZoneAllowScriptlets -
                  -
                  - InternetExplorer/LocalMachineZoneAllowSmartScreenIE -
                  -
                  - InternetExplorer/LocalMachineZoneAllowUserDataPersistence -
                  -
                  - InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls -
                  -
                  - InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls -
                  -
                  - InternetExplorer/LocalMachineZoneJavaPermissions -
                  -
                  - InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames -
                  -
                  - InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources -
                  -
                  - InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls -
                  -
                  - InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads -
                  -
                  - InternetExplorer/LockedDownInternetZoneAllowFontDownloads -
                  -
                  - InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites -
                  -
                  - InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents -
                  -
                  - InternetExplorer/LockedDownInternetZoneAllowScriptlets -
                  -
                  - InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE -
                  -
                  - InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence -
                  -
                  - InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls -
                  -
                  - InternetExplorer/LockedDownInternetZoneJavaPermissions -
                  -
                  - InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames -
                  -
                  - InternetExplorer/LockedDownIntranetJavaPermissions -
                  -
                  - InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources -
                  -
                  - InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls -
                  -
                  - InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads -
                  -
                  - InternetExplorer/LockedDownIntranetZoneAllowFontDownloads -
                  -
                  - InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites -
                  -
                  - InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents -
                  -
                  - InternetExplorer/LockedDownIntranetZoneAllowScriptlets -
                  -
                  - InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE -
                  -
                  - InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence -
                  -
                  - InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls -
                  -
                  - InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames -
                  -
                  - InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources -
                  -
                  - InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls -
                  -
                  - InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads -
                  -
                  - InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads -
                  -
                  - InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites -
                  -
                  - InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents -
                  -
                  - InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets -
                  -
                  - InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE -
                  -
                  - InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence -
                  -
                  - InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls -
                  -
                  - InternetExplorer/LockedDownLocalMachineZoneJavaPermissions -
                  -
                  - InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames -
                  -
                  - InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources -
                  -
                  - InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls -
                  -
                  - InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads -
                  -
                  - InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads -
                  -
                  - InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites -
                  -
                  - InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents -
                  -
                  - InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets -
                  -
                  - InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE -
                  -
                  - InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence -
                  -
                  - InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls -
                  -
                  - InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions -
                  -
                  - InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames -
                  -
                  - InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources -
                  -
                  - InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls -
                  -
                  - InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads -
                  -
                  - InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads -
                  -
                  - InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites -
                  -
                  - InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents -
                  -
                  - InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets -
                  -
                  - InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE -
                  -
                  - InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence -
                  -
                  - InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls -
                  -
                  - InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions -
                  -
                  - InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames -
                  -
                  - InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses -
                  -
                  - InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses -
                  -
                  - InternetExplorer/NotificationBarInternetExplorerProcesses -
                  -
                  - InternetExplorer/PreventManagingSmartScreenFilter -
                  -
                  - InternetExplorer/PreventPerUserInstallationOfActiveXControls -
                  -
                  - InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses -
                  -
                  - InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls -
                  -
                  - InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses -
                  -
                  - InternetExplorer/RestrictFileDownloadInternetExplorerProcesses -
                  -
                  - InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources -
                  -
                  - InternetExplorer/RestrictedSitesZoneAllowActiveScripting -
                  -
                  - InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls -
                  -
                  - InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads -
                  -
                  - InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors -
                  -
                  - InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript -
                  -
                  - InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles -
                  -
                  - InternetExplorer/RestrictedSitesZoneAllowFileDownloads -
                  -
                  - InternetExplorer/RestrictedSitesZoneAllowFontDownloads -
                  -
                  - InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites -
                  -
                  - InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles -
                  -
                  - InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH -
                  -
                  - InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents -
                  -
                  - InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls -
                  -
                  - InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl -
                  -
                  - InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows -
                  -
                  - InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls -
                  -
                  - InternetExplorer/RestrictedSitesZoneAllowScriptlets -
                  -
                  - InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE -
                  -
                  - InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript -
                  -
                  - InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence -
                  -
                  - InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer -
                  -
                  - InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls -
                  -
                  - InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls -
                  -
                  - InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls -
                  -
                  - InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter -
                  -
                  - InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows -
                  -
                  - InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows -
                  -
                  - InternetExplorer/RestrictedSitesZoneEnableMIMESniffing -
                  -
                  - InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer -
                  -
                  - InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls -
                  -
                  - InternetExplorer/RestrictedSitesZoneJavaPermissions -
                  -
                  - InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME -
                  -
                  - InternetExplorer/RestrictedSitesZoneLogonOptions -
                  -
                  - InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames -
                  -
                  - InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins -
                  -
                  - InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode -
                  -
                  - InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting -
                  -
                  - InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets -
                  -
                  - InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles -
                  -
                  - InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode -
                  -
                  - InternetExplorer/RestrictedSitesZoneUsePopupBlocker -
                  -
                  - InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses -
                  -
                  - InternetExplorer/SearchProviderList -
                  -
                  - InternetExplorer/SecurityZonesUseOnlyMachineSettings -
                  -
                  - InternetExplorer/SpecifyUseOfActiveXInstallerService -
                  -
                  - InternetExplorer/TrustedSitesZoneAllowAccessToDataSources -
                  -
                  - InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls -
                  -
                  - InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads -
                  -
                  - InternetExplorer/TrustedSitesZoneAllowFontDownloads -
                  -
                  - InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites -
                  -
                  - InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents -
                  -
                  - InternetExplorer/TrustedSitesZoneAllowScriptlets -
                  -
                  - InternetExplorer/TrustedSitesZoneAllowSmartScreenIE -
                  -
                  - InternetExplorer/TrustedSitesZoneAllowUserDataPersistence -
                  -
                  - InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls -
                  -
                  - InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls -
                  -
                  - InternetExplorer/TrustedSitesZoneJavaPermissions -
                  -
                  - InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames -
                  -
                  - -### Kerberos policies - -
                  -
                  - Kerberos/AllowForestSearchOrder -
                  -
                  - Kerberos/KerberosClientSupportsClaimsCompoundArmor -
                  -
                  - Kerberos/RequireKerberosArmoring -
                  -
                  - Kerberos/RequireStrictKDCValidation -
                  -
                  - Kerberos/SetMaximumContextTokenSize -
                  -
                  - -### KioskBrowser policies - -
                  -
                  - KioskBrowser/BlockedUrlExceptions -
                  -
                  - KioskBrowser/BlockedUrls -
                  -
                  - KioskBrowser/DefaultURL -
                  -
                  - KioskBrowser/EnableEndSessionButton -
                  -
                  - KioskBrowser/EnableHomeButton -
                  -
                  - KioskBrowser/EnableNavigationButtons -
                  -
                  - KioskBrowser/RestartOnIdleTime -
                  -
                  - -### LanmanWorkstation policies - -
                  -
                  - LanmanWorkstation/EnableInsecureGuestLogons -
                  -
                  - -### Licensing policies - -
                  -
                  - Licensing/AllowWindowsEntitlementReactivation -
                  -
                  - Licensing/DisallowKMSClientOnlineAVSValidation -
                  -
                  - -### LocalPoliciesSecurityOptions policies - -
                  -
                  - LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts -
                  -
                  - LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus -
                  -
                  - LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus -
                  -
                  - LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly -
                  -
                  - LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount -
                  -
                  - LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount -
                  -
                  - LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon -
                  -
                  - LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia -
                  -
                  - LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters -
                  -
                  - LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly -
                  -
                  - LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways -
                  -
                  - LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible -
                  -
                  - LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges -
                  -
                  - LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked -
                  -
                  - LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn -
                  -
                  - LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn -
                  -
                  - LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL -
                  -
                  - LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit -
                  -
                  - LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn -
                  -
                  - LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn -
                  -
                  - LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior -
                  -
                  - LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees -
                  -
                  - LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers -
                  -
                  - LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways -
                  -
                  - LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees -
                  -
                  - LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts -
                  -
                  - LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares -
                  -
                  - LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers -
                  -
                  - LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares -
                  -
                  - LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM -
                  -
                  - LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests -
                  -
                  - LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange -
                  -
                  - LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel -
                  -
                  - LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers -
                  -
                  - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication -
                  -
                  - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic -
                  -
                  - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic -
                  -
                  - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers -
                  -
                  - LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon -
                  -
                  - LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn -
                  -
                  - LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile -
                  -
                  - LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems -
                  -
                  - LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation -
                  -
                  - LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators -
                  -
                  - LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers -
                  -
                  - LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation -
                  -
                  - LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated -
                  -
                  - LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations -
                  -
                  - LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode -
                  -
                  - LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation -
                  -
                  - LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode -
                  -
                  - LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations -
                  -
                  - -### Location policies - -
                  -
                  - Location/EnableLocation -
                  -
                  - -### LockDown policies - -
                  -
                  - LockDown/AllowEdgeSwipe -
                  -
                  - -### Maps policies - -
                  -
                  - Maps/AllowOfflineMapsDownloadOverMeteredConnection -
                  -
                  - Maps/EnableOfflineMapsAutoUpdate -
                  -
                  - -### Messaging policies - -
                  -
                  - Messaging/AllowMMS -
                  -
                  - Messaging/AllowMessageSync -
                  -
                  - Messaging/AllowRCS -
                  -
                  - -### MSSecurityGuide policies - -
                  -
                  - MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon -
                  -
                  - MSSecurityGuide/ConfigureSMBV1ClientDriver -
                  -
                  - MSSecurityGuide/ConfigureSMBV1Server -
                  -
                  - MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection -
                  -
                  - MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications -
                  -
                  - MSSecurityGuide/WDigestAuthentication -
                  -
                  - -### MSSLegacy policies - -
                  -
                  - MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes -
                  -
                  - MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers -
                  -
                  - MSSLegacy/IPSourceRoutingProtectionLevel -
                  -
                  - MSSLegacy/IPv6SourceRoutingProtectionLevel -
                  -
                  - -### NetworkIsolation policies - -
                  -
                  - NetworkIsolation/EnterpriseCloudResources -
                  -
                  - NetworkIsolation/EnterpriseIPRange -
                  -
                  - NetworkIsolation/EnterpriseIPRangesAreAuthoritative -
                  -
                  - NetworkIsolation/EnterpriseInternalProxyServers -
                  -
                  - NetworkIsolation/EnterpriseNetworkDomainNames -
                  -
                  - NetworkIsolation/EnterpriseProxyServers -
                  -
                  - NetworkIsolation/EnterpriseProxyServersAreAuthoritative -
                  -
                  - NetworkIsolation/NeutralResources -
                  -
                  - -### Notifications policies - -
                  -
                  - Notifications/DisallowCloudNotification -
                  -
                  - Notifications/DisallowNotificationMirroring -
                  -
                  - Notifications/DisallowTileNotification -
                  -
                  - -### Power policies - -
                  -
                  - Power/AllowStandbyStatesWhenSleepingOnBattery -
                  -
                  - Power/AllowStandbyWhenSleepingPluggedIn -
                  -
                  - Power/DisplayOffTimeoutOnBattery -
                  -
                  - Power/DisplayOffTimeoutPluggedIn -
                  -
                  - Power/HibernateTimeoutOnBattery -
                  -
                  - Power/HibernateTimeoutPluggedIn -
                  -
                  - Power/RequirePasswordWhenComputerWakesOnBattery -
                  -
                  - Power/RequirePasswordWhenComputerWakesPluggedIn -
                  -
                  - Power/StandbyTimeoutOnBattery -
                  -
                  - Power/StandbyTimeoutPluggedIn -
                  -
                  - -### Printers policies - -
                  -
                  - Printers/PointAndPrintRestrictions -
                  -
                  - Printers/PointAndPrintRestrictions_User -
                  -
                  - Printers/PublishPrinters -
                  -
                  - -### Privacy policies - -
                  -
                  - Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts -
                  -
                  - Privacy/AllowInputPersonalization -
                  -
                  - Privacy/DisableAdvertisingId -
                  -
                  - Privacy/EnableActivityFeed -
                  -
                  - Privacy/LetAppsAccessAccountInfo -
                  -
                  - Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps -
                  -
                  - Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps -
                  -
                  - Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps -
                  -
                  - Privacy/LetAppsAccessCalendar -
                  -
                  - Privacy/LetAppsAccessCalendar_ForceAllowTheseApps -
                  -
                  - Privacy/LetAppsAccessCalendar_ForceDenyTheseApps -
                  -
                  - Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps -
                  -
                  - Privacy/LetAppsAccessCallHistory -
                  -
                  - Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps -
                  -
                  - Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps -
                  -
                  - Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps -
                  -
                  - Privacy/LetAppsAccessCamera -
                  -
                  - Privacy/LetAppsAccessCamera_ForceAllowTheseApps -
                  -
                  - Privacy/LetAppsAccessCamera_ForceDenyTheseApps -
                  -
                  - Privacy/LetAppsAccessCamera_UserInControlOfTheseApps -
                  -
                  - Privacy/LetAppsAccessContacts -
                  -
                  - Privacy/LetAppsAccessContacts_ForceAllowTheseApps -
                  -
                  - Privacy/LetAppsAccessContacts_ForceDenyTheseApps -
                  -
                  - Privacy/LetAppsAccessContacts_UserInControlOfTheseApps -
                  -
                  - Privacy/LetAppsAccessEmail -
                  -
                  - Privacy/LetAppsAccessEmail_ForceAllowTheseApps -
                  -
                  - Privacy/LetAppsAccessEmail_ForceDenyTheseApps -
                  -
                  - Privacy/LetAppsAccessEmail_UserInControlOfTheseApps -
                  -
                  - Privacy/LetAppsAccessLocation -
                  -
                  - Privacy/LetAppsAccessLocation_ForceAllowTheseApps -
                  -
                  - Privacy/LetAppsAccessLocation_ForceDenyTheseApps -
                  -
                  - Privacy/LetAppsAccessLocation_UserInControlOfTheseApps -
                  -
                  - Privacy/LetAppsAccessMessaging -
                  -
                  - Privacy/LetAppsAccessMessaging_ForceAllowTheseApps -
                  -
                  - Privacy/LetAppsAccessMessaging_ForceDenyTheseApps -
                  -
                  - Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps -
                  -
                  - Privacy/LetAppsAccessMicrophone -
                  -
                  - Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps -
                  -
                  - Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps -
                  -
                  - Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps -
                  -
                  - Privacy/LetAppsAccessMotion -
                  -
                  - Privacy/LetAppsAccessMotion_ForceAllowTheseApps -
                  -
                  - Privacy/LetAppsAccessMotion_ForceDenyTheseApps -
                  -
                  - Privacy/LetAppsAccessMotion_UserInControlOfTheseApps -
                  -
                  - Privacy/LetAppsAccessNotifications -
                  -
                  - Privacy/LetAppsAccessNotifications_ForceAllowTheseApps -
                  -
                  - Privacy/LetAppsAccessNotifications_ForceDenyTheseApps -
                  -
                  - Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps -
                  -
                  - Privacy/LetAppsAccessPhone -
                  -
                  - Privacy/LetAppsAccessPhone_ForceAllowTheseApps -
                  -
                  - Privacy/LetAppsAccessPhone_ForceDenyTheseApps -
                  -
                  - Privacy/LetAppsAccessPhone_UserInControlOfTheseApps -
                  -
                  - Privacy/LetAppsAccessRadios -
                  -
                  - Privacy/LetAppsAccessRadios_ForceAllowTheseApps -
                  -
                  - Privacy/LetAppsAccessRadios_ForceDenyTheseApps -
                  -
                  - Privacy/LetAppsAccessRadios_UserInControlOfTheseApps -
                  -
                  - Privacy/LetAppsAccessTasks -
                  -
                  - Privacy/LetAppsAccessTasks_ForceAllowTheseApps -
                  -
                  - Privacy/LetAppsAccessTasks_ForceDenyTheseApps -
                  -
                  - Privacy/LetAppsAccessTasks_UserInControlOfTheseApps -
                  -
                  - Privacy/LetAppsAccessTrustedDevices -
                  -
                  - Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps -
                  -
                  - Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps -
                  -
                  - Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps -
                  -
                  - Privacy/LetAppsGetDiagnosticInfo -
                  -
                  - Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps -
                  -
                  - Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps -
                  -
                  - Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps -
                  -
                  - Privacy/LetAppsRunInBackground -
                  -
                  - Privacy/LetAppsRunInBackground_ForceAllowTheseApps -
                  -
                  - Privacy/LetAppsRunInBackground_ForceDenyTheseApps -
                  -
                  - Privacy/LetAppsRunInBackground_UserInControlOfTheseApps -
                  -
                  - Privacy/LetAppsSyncWithDevices -
                  -
                  - Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps -
                  -
                  - Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps -
                  -
                  - Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps -
                  -
                  - Privacy/PublishUserActivities -
                  -
                  - -### RemoteAssistance policies - -
                  -
                  - RemoteAssistance/CustomizeWarningMessages -
                  -
                  - RemoteAssistance/SessionLogging -
                  -
                  - RemoteAssistance/SolicitedRemoteAssistance -
                  -
                  - RemoteAssistance/UnsolicitedRemoteAssistance -
                  -
                  - -### RemoteDesktopServices policies - -
                  -
                  - RemoteDesktopServices/AllowUsersToConnectRemotely -
                  -
                  - RemoteDesktopServices/ClientConnectionEncryptionLevel -
                  -
                  - RemoteDesktopServices/DoNotAllowDriveRedirection -
                  -
                  - RemoteDesktopServices/DoNotAllowPasswordSaving -
                  -
                  - RemoteDesktopServices/PromptForPasswordUponConnection -
                  -
                  - RemoteDesktopServices/RequireSecureRPCCommunication -
                  -
                  - -### RemoteManagement policies - -
                  -
                  - RemoteManagement/AllowBasicAuthentication_Client -
                  -
                  - RemoteManagement/AllowBasicAuthentication_Service -
                  -
                  - RemoteManagement/AllowCredSSPAuthenticationClient -
                  -
                  - RemoteManagement/AllowCredSSPAuthenticationService -
                  -
                  - RemoteManagement/AllowRemoteServerManagement -
                  -
                  - RemoteManagement/AllowUnencryptedTraffic_Client -
                  -
                  - RemoteManagement/AllowUnencryptedTraffic_Service -
                  -
                  - RemoteManagement/DisallowDigestAuthentication -
                  -
                  - RemoteManagement/DisallowNegotiateAuthenticationClient -
                  -
                  - RemoteManagement/DisallowNegotiateAuthenticationService -
                  -
                  - RemoteManagement/DisallowStoringOfRunAsCredentials -
                  -
                  - RemoteManagement/SpecifyChannelBindingTokenHardeningLevel -
                  -
                  - RemoteManagement/TrustedHosts -
                  -
                  - RemoteManagement/TurnOnCompatibilityHTTPListener -
                  -
                  - RemoteManagement/TurnOnCompatibilityHTTPSListener -
                  -
                  - -### RemoteProcedureCall policies - -
                  -
                  - RemoteProcedureCall/RPCEndpointMapperClientAuthentication -
                  -
                  - RemoteProcedureCall/RestrictUnauthenticatedRPCClients -
                  -
                  - -### RemoteShell policies - -
                  -
                  - RemoteShell/AllowRemoteShellAccess -
                  -
                  - RemoteShell/MaxConcurrentUsers -
                  -
                  - RemoteShell/SpecifyIdleTimeout -
                  -
                  - RemoteShell/SpecifyMaxMemory -
                  -
                  - RemoteShell/SpecifyMaxProcesses -
                  -
                  - RemoteShell/SpecifyMaxRemoteShells -
                  -
                  - RemoteShell/SpecifyShellTimeout -
                  -
                  - -### RestrictedGroups policies - -
                  -
                  - RestrictedGroups/ConfigureGroupMembership -
                  -
                  - -### Search policies - -
                  -
                  - Search/AllowCloudSearch -
                  -
                  - Search/AllowCortanaInAAD -
                  -
                  - Search/AllowIndexingEncryptedStoresOrItems -
                  -
                  - Search/AllowSearchToUseLocation -
                  -
                  - Search/AllowStoringImagesFromVisionSearch -
                  -
                  - Search/AllowUsingDiacritics -
                  -
                  - Search/AllowWindowsIndexer -
                  -
                  - Search/AlwaysUseAutoLangDetection -
                  -
                  - Search/DisableBackoff -
                  -
                  - Search/DisableRemovableDriveIndexing -
                  -
                  - Search/DoNotUseWebResults -
                  -
                  - Search/PreventIndexingLowDiskSpaceMB -
                  -
                  - Search/PreventRemoteQueries -
                  -
                  - Search/SafeSearchPermissions -
                  -
                  - -### Security policies - -
                  -
                  - Security/AllowAddProvisioningPackage -
                  -
                  - Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices -
                  -
                  - Security/AllowManualRootCertificateInstallation -
                  -
                  - Security/AllowRemoveProvisioningPackage -
                  -
                  - Security/AntiTheftMode -
                  -
                  - Security/ClearTPMIfNotReady -
                  -
                  - Security/ConfigureWindowsPasswords -
                  -
                  - Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices -
                  -
                  - Security/RequireDeviceEncryption -
                  -
                  - Security/RequireProvisioningPackageSignature -
                  -
                  - Security/RequireRetrieveHealthCertificateOnBoot -
                  -
                  - -### Settings policies - -
                  -
                  - Settings/AllowAutoPlay -
                  -
                  - Settings/AllowDataSense -
                  -
                  - Settings/AllowDateTime -
                  -
                  - Settings/AllowEditDeviceName -
                  -
                  - Settings/AllowLanguage -
                  -
                  - Settings/AllowOnlineTips -
                  -
                  - Settings/AllowPowerSleep -
                  -
                  - Settings/AllowRegion -
                  -
                  - Settings/AllowSignInOptions -
                  -
                  - Settings/AllowVPN -
                  -
                  - Settings/AllowWorkplace -
                  -
                  - Settings/AllowYourAccount -
                  -
                  - Settings/ConfigureTaskbarCalendar -
                  -
                  - Settings/PageVisibilityList -
                  -
                  - -### SmartScreen policies - -
                  -
                  - SmartScreen/EnableAppInstallControl -
                  -
                  - SmartScreen/EnableSmartScreenInShell -
                  -
                  - SmartScreen/PreventOverrideForFilesInShell -
                  -
                  - -### Speech policies - -
                  -
                  - Speech/AllowSpeechModelUpdate -
                  -
                  - -### Start policies - -
                  -
                  - Start/AllowPinnedFolderDocuments -
                  -
                  - Start/AllowPinnedFolderDownloads -
                  -
                  - Start/AllowPinnedFolderFileExplorer -
                  -
                  - Start/AllowPinnedFolderHomeGroup -
                  -
                  - Start/AllowPinnedFolderMusic -
                  -
                  - Start/AllowPinnedFolderNetwork -
                  -
                  - Start/AllowPinnedFolderPersonalFolder -
                  -
                  - Start/AllowPinnedFolderPictures -
                  -
                  - Start/AllowPinnedFolderSettings -
                  -
                  - Start/AllowPinnedFolderVideos -
                  -
                  - Start/ForceStartSize -
                  -
                  - Start/HideAppList -
                  -
                  - Start/HideChangeAccountSettings -
                  -
                  - Start/HideFrequentlyUsedApps -
                  -
                  - Start/HideHibernate -
                  -
                  - Start/HideLock -
                  -
                  - Start/HidePeopleBar -
                  -
                  - Start/HidePowerButton -
                  -
                  - Start/HideRecentJumplists -
                  -
                  - Start/HideRecentlyAddedApps -
                  -
                  - Start/HideRestart -
                  -
                  - Start/HideShutDown -
                  -
                  - Start/HideSignOut -
                  -
                  - Start/HideSleep -
                  -
                  - Start/HideSwitchAccount -
                  -
                  - Start/HideUserTile -
                  -
                  - Start/ImportEdgeAssets -
                  -
                  - Start/NoPinningToTaskbar -
                  -
                  - Start/StartLayout -
                  -
                  - -### Storage policies - -
                  -
                  - Storage/AllowDiskHealthModelUpdates -
                  -
                  - Storage/EnhancedStorageDevices -
                  -
                  - -### System policies - -
                  -
                  - System/AllowBuildPreview -
                  -
                  - System/AllowEmbeddedMode -
                  -
                  - System/AllowExperimentation -
                  -
                  - System/AllowFontProviders -
                  -
                  - System/AllowLocation -
                  -
                  - System/AllowStorageCard -
                  -
                  - System/AllowTelemetry -
                  -
                  - System/AllowUserToResetPhone -
                  -
                  - System/BootStartDriverInitialization -
                  -
                  - System/DisableEnterpriseAuthProxy -
                  -
                  - System/DisableOneDriveFileSync -
                  -
                  - System/DisableSystemRestore -
                  -
                  - System/FeedbackHubAlwaysSaveDiagnosticsLocally -
                  -
                  - System/LimitEnhancedDiagnosticDataWindowsAnalytics -
                  -
                  - System/TelemetryProxy -
                  -
                  - -### SystemServices policies - -
                  -
                  - SystemServices/ConfigureHomeGroupListenerServiceStartupMode -
                  -
                  - SystemServices/ConfigureHomeGroupProviderServiceStartupMode -
                  -
                  - SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode -
                  -
                  - SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode -
                  -
                  - SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode -
                  -
                  - SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode -
                  -
                  - -### TaskScheduler policies - -
                  -
                  - TaskScheduler/EnableXboxGameSaveTask -
                  -
                  - -### TextInput policies - -
                  -
                  - TextInput/AllowHardwareKeyboardTextSuggestions -
                  -
                  - TextInput/AllowIMELogging -
                  -
                  - TextInput/AllowIMENetworkAccess -
                  -
                  - TextInput/AllowInputPanel -
                  -
                  - TextInput/AllowJapaneseIMESurrogatePairCharacters -
                  -
                  - TextInput/AllowJapaneseIVSCharacters -
                  -
                  - TextInput/AllowJapaneseNonPublishingStandardGlyph -
                  -
                  - TextInput/AllowJapaneseUserDictionary -
                  -
                  - TextInput/AllowKeyboardTextSuggestions -
                  -
                  - TextInput/AllowKoreanExtendedHanja -
                  -
                  - TextInput/AllowLanguageFeaturesUninstall -
                  -
                  - TextInput/AllowLinguisticDataCollection -
                  -
                  - TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode -
                  -
                  - TextInput/ExcludeJapaneseIMEExceptJIS0208 -
                  -
                  - TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC -
                  -
                  - TextInput/ExcludeJapaneseIMEExceptShiftJIS -
                  -
                  - TextInput/ForceTouchKeyboardDockedState -
                  -
                  - TextInput/TouchKeyboardDictationButtonAvailability -
                  -
                  - TextInput/TouchKeyboardEmojiButtonAvailability -
                  -
                  - TextInput/TouchKeyboardFullModeAvailability -
                  -
                  - TextInput/TouchKeyboardHandwritingModeAvailability -
                  -
                  - TextInput/TouchKeyboardNarrowModeAvailability -
                  -
                  - TextInput/TouchKeyboardSplitModeAvailability -
                  -
                  - TextInput/TouchKeyboardWideModeAvailability -
                  -
                  - -### TimeLanguageSettings policies - -
                  -
                  - TimeLanguageSettings/AllowSet24HourClock -
                  -
                  - -### Update policies - -
                  -
                  - Update/ActiveHoursEnd -
                  -
                  - Update/ActiveHoursMaxRange -
                  -
                  - Update/ActiveHoursStart -
                  -
                  - Update/AllowAutoUpdate -
                  -
                  - Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork -
                  -
                  - Update/AllowMUUpdateService -
                  -
                  - Update/AllowNonMicrosoftSignedUpdate -
                  -
                  - Update/AllowUpdateService -
                  -
                  - Update/AutoRestartDeadlinePeriodInDays -
                  -
                  - Update/AutoRestartNotificationSchedule -
                  -
                  - Update/AutoRestartRequiredNotificationDismissal -
                  -
                  - Update/BranchReadinessLevel -
                  -
                  - Update/ConfigureFeatureUpdateUninstallPeriod -
                  -
                  - Update/DeferFeatureUpdatesPeriodInDays -
                  -
                  - Update/DeferQualityUpdatesPeriodInDays -
                  -
                  - Update/DeferUpdatePeriod -
                  -
                  - Update/DeferUpgradePeriod -
                  -
                  - Update/DetectionFrequency -
                  -
                  - Update/DisableDualScan -
                  -
                  - Update/EngagedRestartDeadline -
                  -
                  - Update/EngagedRestartSnoozeSchedule -
                  -
                  - Update/EngagedRestartTransitionSchedule -
                  -
                  - Update/ExcludeWUDriversInQualityUpdate -
                  -
                  - Update/FillEmptyContentUrls -
                  -
                  - Update/IgnoreMOAppDownloadLimit -
                  -
                  - Update/IgnoreMOUpdateDownloadLimit -
                  -
                  - Update/ManagePreviewBuilds -
                  -
                  - Update/PauseDeferrals -
                  -
                  - Update/PauseFeatureUpdates -
                  -
                  - Update/PauseFeatureUpdatesStartTime -
                  -
                  - Update/PauseQualityUpdates -
                  -
                  - Update/PauseQualityUpdatesStartTime -
                  -
                  - Update/PhoneUpdateRestrictions -
                  -
                  - Update/RequireDeferUpgrade -
                  -
                  - Update/RequireUpdateApproval -
                  -
                  - Update/ScheduleImminentRestartWarning -
                  -
                  - Update/ScheduleRestartWarning -
                  -
                  - Update/ScheduledInstallDay -
                  -
                  - Update/ScheduledInstallEveryWeek -
                  -
                  - Update/ScheduledInstallFirstWeek -
                  -
                  - Update/ScheduledInstallFourthWeek -
                  -
                  - Update/ScheduledInstallSecondWeek -
                  -
                  - Update/ScheduledInstallThirdWeek -
                  -
                  - Update/ScheduledInstallTime -
                  -
                  - Update/SetAutoRestartNotificationDisable -
                  -
                  - Update/SetEDURestart -
                  -
                  - Update/UpdateServiceUrl -
                  -
                  - Update/UpdateServiceUrlAlternate -
                  -
                  - -### UserRights policies - -
                  -
                  - UserRights/AccessCredentialManagerAsTrustedCaller -
                  -
                  - UserRights/AccessFromNetwork -
                  -
                  - UserRights/ActAsPartOfTheOperatingSystem -
                  -
                  - UserRights/AllowLocalLogOn -
                  -
                  - UserRights/BackupFilesAndDirectories -
                  -
                  - UserRights/ChangeSystemTime -
                  -
                  - UserRights/CreateGlobalObjects -
                  -
                  - UserRights/CreatePageFile -
                  -
                  - UserRights/CreatePermanentSharedObjects -
                  -
                  - UserRights/CreateSymbolicLinks -
                  -
                  - UserRights/CreateToken -
                  -
                  - UserRights/DebugPrograms -
                  -
                  - UserRights/DenyAccessFromNetwork -
                  -
                  - UserRights/DenyLocalLogOn -
                  -
                  - UserRights/DenyRemoteDesktopServicesLogOn -
                  -
                  - UserRights/EnableDelegation -
                  -
                  - UserRights/GenerateSecurityAudits -
                  -
                  - UserRights/ImpersonateClient -
                  -
                  - UserRights/IncreaseSchedulingPriority -
                  -
                  - UserRights/LoadUnloadDeviceDrivers -
                  -
                  - UserRights/LockMemory -
                  -
                  - UserRights/ManageAuditingAndSecurityLog -
                  -
                  - UserRights/ManageVolume -
                  -
                  - UserRights/ModifyFirmwareEnvironment -
                  -
                  - UserRights/ModifyObjectLabel -
                  -
                  - UserRights/ProfileSingleProcess -
                  -
                  - UserRights/RemoteShutdown -
                  -
                  - UserRights/RestoreFilesAndDirectories -
                  -
                  - UserRights/TakeOwnership -
                  -
                  - -### Wifi policies - -
                  -
                  - WiFi/AllowWiFiHotSpotReporting -
                  -
                  - Wifi/AllowAutoConnectToWiFiSenseHotspots -
                  -
                  - Wifi/AllowInternetSharing -
                  -
                  - Wifi/AllowManualWiFiConfiguration -
                  -
                  - Wifi/AllowWiFi -
                  -
                  - Wifi/AllowWiFiDirect -
                  -
                  - Wifi/WLANScanMode -
                  -
                  - -### WindowsConnectionManager policies - -
                  -
                  - WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork -
                  -
                  - -### WindowsDefenderSecurityCenter policies - -
                  -
                  - WindowsDefenderSecurityCenter/CompanyName -
                  -
                  - WindowsDefenderSecurityCenter/DisableAccountProtectionUI -
                  -
                  - WindowsDefenderSecurityCenter/DisableAppBrowserUI -
                  -
                  - WindowsDefenderSecurityCenter/DisableDeviceSecurityUI -
                  -
                  - WindowsDefenderSecurityCenter/DisableEnhancedNotifications -
                  -
                  - WindowsDefenderSecurityCenter/DisableFamilyUI -
                  -
                  - WindowsDefenderSecurityCenter/DisableHealthUI -
                  -
                  - WindowsDefenderSecurityCenter/DisableNetworkUI -
                  -
                  - WindowsDefenderSecurityCenter/DisableNotifications -
                  -
                  - WindowsDefenderSecurityCenter/DisableVirusUI -
                  -
                  - WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride -
                  -
                  - WindowsDefenderSecurityCenter/Email -
                  -
                  - WindowsDefenderSecurityCenter/EnableCustomizedToasts -
                  -
                  - WindowsDefenderSecurityCenter/EnableInAppCustomization -
                  -
                  - WindowsDefenderSecurityCenter/HideRansomwareDataRecovery -
                  -
                  - WindowsDefenderSecurityCenter/HideSecureBoot -
                  -
                  - WindowsDefenderSecurityCenter/HideTPMTroubleshooting -
                  -
                  - WindowsDefenderSecurityCenter/Phone -
                  -
                  - WindowsDefenderSecurityCenter/URL -
                  -
                  - -### WindowsInkWorkspace policies - -
                  -
                  - WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace -
                  -
                  - WindowsInkWorkspace/AllowWindowsInkWorkspace -
                  -
                  - -### WindowsLogon policies - -
                  -
                  - WindowsLogon/DisableLockScreenAppNotifications -
                  -
                  - WindowsLogon/DontDisplayNetworkSelectionUI -
                  -
                  - WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers -
                  -
                  - WindowsLogon/HideFastUserSwitching -
                  -
                  - WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart -
                  -
                  - -### WindowsPowerShell policies - -
                  -
                  - WindowsPowerShell/TurnOnPowerShellScriptBlockLogging -
                  -
                  - -### WirelessDisplay policies - -
                  -
                  - WirelessDisplay/AllowMdnsAdvertisement -
                  -
                  - WirelessDisplay/AllowMdnsDiscovery -
                  -
                  - WirelessDisplay/AllowProjectionFromPC -
                  -
                  - WirelessDisplay/AllowProjectionFromPCOverInfrastructure -
                  -
                  - WirelessDisplay/AllowProjectionToPC -
                  -
                  - WirelessDisplay/AllowProjectionToPCOverInfrastructure -
                  -
                  - WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver -
                  -
                  - WirelessDisplay/RequirePinForPairing -
                  -
-
-
-## ADMX-backed policies
-
-- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites)
-- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional)
-- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient)
-- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization)
-- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup)
-- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts)
-- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux)
-- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver)
-- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions)
-- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions)
-- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload)
-- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode)
-- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal)
-- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser)
-- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1)
-- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2)
-- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3)
-- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4)
-- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5)
-- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl)
-- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch)
-- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider)
-- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot)
-- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot)
-- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval)
-- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries)
-- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode)
-- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache)
-- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist)
-- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist)
-- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation)
-- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism)
-- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms)
-- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices)
-- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior)
-- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay)
-- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui)
-- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp)
-- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp)
-- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
-- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths)
-- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge)
-- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
-- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
-- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials)
-- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
-- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
-- [DataUsage/SetCost3G](./policy-csp-datausage.md#datausage-setcost3g)
-- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
-- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
-- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
-- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
-- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids)
-- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses)
-- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera)
-- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
-- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings)
-- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting)
-- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification)
-- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata)
-- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay)
-- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior)
-- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog)
-- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog)
-- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog)
-- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer)
-- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption)
-- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider)
-- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering)
-- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist)
-- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete)
-- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning)
-- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit)
-- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode)
-- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu)
-- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist)
-- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3)
-- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist)
-- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode)
-- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate)
-- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate)
-- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate)
-- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate)
-- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate)
-- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate)
-- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate)
-- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry)
-- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist)
-- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid)
-- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites)
-- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate)
-- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate)
-- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate)
-- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation)
-- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms)
-- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses)
-- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash)
-- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings)
-- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles)
-- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory)
-- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection)
-- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation)
-- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites)
-- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading)
-- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport)
-- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard)
-- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature)
-- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange)
-- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors)
-- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing)
-- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode)
-- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange)
-- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange)
-- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange)
-- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck)
-- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck)
-- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode)
-- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites)
-- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies)
-- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols)
-- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains)
-- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites)
-- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths)
-- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources)
-- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript)
-- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles)
-- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads)
-- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites)
-- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles)
-- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents)
-- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols)
-- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol)
-- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows)
-- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols)
-- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets)
-- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie)
-- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript)
-- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence)
-- [InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer)
-- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols)
-- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols)
-- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter)
-- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
-- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows)
-- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing)
-- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode)
-- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver)
-- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions)
-- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe)
-- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions)
-- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes)
-- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode)
-- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles)
-- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker)
-- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources)
-- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads)
-- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites)
-- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents)
-- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets)
-- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie)
-- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence)
-- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions)
-- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes)
-- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources)
-- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads)
-- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites)
-- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets)
-- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie)
-- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence)
-- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions)
-- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes)
-- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources)
-- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads)
-- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites)
-- 
[InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets) -- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie) -- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence) -- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions) -- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes) -- [InternetExplorer/LockedDownIntranetJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions) -- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources) -- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads) -- 
[InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads) -- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets) -- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie) -- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence) -- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes) -- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources) -- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads) -- 
[InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads) -- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets) -- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie) -- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence) -- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions) -- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols) -- 
[InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence) -- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions) -- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources) -- 
[InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence) -- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions) -- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes) -- 
[InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses) -- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses) -- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses) -- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter) -- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols) -- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses) -- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols) -- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses) -- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses) -- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources) -- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting) -- 
[InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors) -- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript) -- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles) -- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads) -- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads) -- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites) -- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles) -- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh) -- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents) -- 
[InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol) -- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows) -- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols) -- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets) -- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie) -- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript) -- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence) -- [InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer) -- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols) -- 
[InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter) -- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows) -- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows) -- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing) -- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver) -- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions) -- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe) -- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions) -- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes) -- 
[InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins) -- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode) -- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting) -- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets) -- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles) -- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode) -- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker) -- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses) -- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist) -- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings) -- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice) -- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources) -- 
[InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads) -- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites) -- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents) -- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets) -- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie) -- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence) -- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions) -- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes) -- 
[Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder) -- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor) -- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring) -- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation) -- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize) -- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes) -- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers) -- [MSSLegacy/IPSourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel) -- [MSSLegacy/IPv6SourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel) -- [MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon) -- [MSSecurityGuide/ConfigureSMBV1ClientDriver](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver) -- [MSSecurityGuide/ConfigureSMBV1Server](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server) -- [MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection](./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection) -- [MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications) -- 
[MSSecurityGuide/WDigestAuthentication](./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication) -- [Power/AllowStandbyStatesWhenSleepingOnBattery](./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery) -- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin) -- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) -- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) -- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery) -- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin) -- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery) -- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin) -- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) -- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) -- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions) -- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user) -- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters) -- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages) -- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging) -- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance) -- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance) -- 
[RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely)
-- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel)
-- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection)
-- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving)
-- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection)
-- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication)
-- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client)
-- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service)
-- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient)
-- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice)
-- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement)
-- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client)
-- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service)
-- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication)
-- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient)
-- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice)
-- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials)
-- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel)
-- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts)
-- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener)
-- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener)
-- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication)
-- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients)
-- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess)
-- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers)
-- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout)
-- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory)
-- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses)
-- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells)
-- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
-- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
-- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
-- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
-- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork)
-- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications)
-- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui)
-- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers)
-- [WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart](./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart)
-- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging)
-
-
-## Policies supported by GP
-
-- [AboveLock/AllowCortanaAboveLock](./policy-csp-abovelock.md#abovelock-allowcortanaabovelock)
-- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites)
-- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional)
-- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient)
-- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization)
-- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup)
-- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts)
-- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux)
-- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver)
-- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions)
-- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions)
-- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload)
-- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode)
-- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal)
-- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser)
-- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1)
-- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2)
-- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3)
-- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4)
-- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5)
-- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl)
-- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch)
-- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider)
-- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot)
-- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot)
-- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval)
-- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries)
-- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode)
-- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache)
-- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist)
-- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist)
-- [ApplicationDefaults/DefaultAssociationsConfiguration](./policy-csp-applicationdefaults.md#applicationdefaults-defaultassociationsconfiguration)
-- [ApplicationDefaults/EnableAppUriHandlers](./policy-csp-applicationdefaults.md#applicationdefaults-enableappurihandlers)
-- [ApplicationManagement/AllowAllTrustedApps](./policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
-- [ApplicationManagement/AllowAppStoreAutoUpdate](./policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
-- [ApplicationManagement/AllowDeveloperUnlock](./policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
-- [ApplicationManagement/AllowGameDVR](./policy-csp-applicationmanagement.md#applicationmanagement-allowgamedvr)
-- [ApplicationManagement/AllowSharedUserAppData](./policy-csp-applicationmanagement.md#applicationmanagement-allowshareduserappdata)
-- [ApplicationManagement/DisableStoreOriginatedApps](./policy-csp-applicationmanagement.md#applicationmanagement-disablestoreoriginatedapps)
-- [ApplicationManagement/MSIAllowUserControlOverInstall](./policy-csp-applicationmanagement.md#applicationmanagement-msiallowusercontroloverinstall)
-- [ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges](./policy-csp-applicationmanagement.md#applicationmanagement-msialwaysinstallwithelevatedprivileges)
-- [ApplicationManagement/RequirePrivateStoreOnly](./policy-csp-applicationmanagement.md#applicationmanagement-requireprivatestoreonly)
-- [ApplicationManagement/RestrictAppDataToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictappdatatosystemvolume)
-- [ApplicationManagement/RestrictAppToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictapptosystemvolume)
-- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation)
-- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism)
-- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms)
-- [Authentication/AllowSecondaryAuthenticationDevice](./policy-csp-authentication.md#authentication-allowsecondaryauthenticationdevice)
-- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices)
-- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior)
-- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay)
-- [Browser/AllowAddressBarDropdown](./policy-csp-browser.md#browser-allowaddressbardropdown)
-- [Browser/AllowAutofill](./policy-csp-browser.md#browser-allowautofill)
-- [Browser/AllowCookies](./policy-csp-browser.md#browser-allowcookies)
-- [Browser/AllowDeveloperTools](./policy-csp-browser.md#browser-allowdevelopertools)
-- [Browser/AllowDoNotTrack](./policy-csp-browser.md#browser-allowdonottrack)
-- [Browser/AllowExtensions](./policy-csp-browser.md#browser-allowextensions)
-- [Browser/AllowFlash](./policy-csp-browser.md#browser-allowflash)
-- [Browser/AllowFlashClickToRun](./policy-csp-browser.md#browser-allowflashclicktorun)
-- [Browser/AllowInPrivate](./policy-csp-browser.md#browser-allowinprivate)
-- [Browser/AllowMicrosoftCompatibilityList](./policy-csp-browser.md#browser-allowmicrosoftcompatibilitylist)
-- [Browser/AllowPasswordManager](./policy-csp-browser.md#browser-allowpasswordmanager)
-- [Browser/AllowPopups](./policy-csp-browser.md#browser-allowpopups)
-- [Browser/AllowSearchEngineCustomization](./policy-csp-browser.md#browser-allowsearchenginecustomization)
-- [Browser/AllowSearchSuggestionsinAddressBar](./policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
-- [Browser/AllowSmartScreen](./policy-csp-browser.md#browser-allowsmartscreen)
-- [Browser/AlwaysEnableBooksLibrary](./policy-csp-browser.md#browser-alwaysenablebookslibrary)
-- [Browser/ClearBrowsingDataOnExit](./policy-csp-browser.md#browser-clearbrowsingdataonexit)
-- [Browser/ConfigureAdditionalSearchEngines](./policy-csp-browser.md#browser-configureadditionalsearchengines)
-- [Browser/DisableLockdownOfStartPages](./policy-csp-browser.md#browser-disablelockdownofstartpages)
-- [Browser/EnableExtendedBooksTelemetry](./policy-csp-browser.md#browser-enableextendedbookstelemetry)
-- [Browser/EnterpriseModeSiteList](./policy-csp-browser.md#browser-enterprisemodesitelist)
-- [Browser/HomePages](./policy-csp-browser.md#browser-homepages)
-- [Browser/LockdownFavorites](./policy-csp-browser.md#browser-lockdownfavorites)
-- [Browser/PreventAccessToAboutFlagsInMicrosoftEdge](./policy-csp-browser.md#browser-preventaccesstoaboutflagsinmicrosoftedge)
-- [Browser/PreventFirstRunPage](./policy-csp-browser.md#browser-preventfirstrunpage)
-- [Browser/PreventLiveTileDataCollection](./policy-csp-browser.md#browser-preventlivetiledatacollection)
-- [Browser/PreventSmartScreenPromptOverride](./policy-csp-browser.md#browser-preventsmartscreenpromptoverride)
-- [Browser/PreventSmartScreenPromptOverrideForFiles](./policy-csp-browser.md#browser-preventsmartscreenpromptoverrideforfiles)
-- [Browser/PreventTabPreloading](./policy-csp-browser.md#browser-preventtabpreloading)
-- [Browser/PreventUsingLocalHostIPAddressForWebRTC](./policy-csp-browser.md#browser-preventusinglocalhostipaddressforwebrtc)
-- [Browser/ProvisionFavorites](./policy-csp-browser.md#browser-provisionfavorites)
-- [Browser/SendIntranetTraffictoInternetExplorer](./policy-csp-browser.md#browser-sendintranettraffictointernetexplorer)
-- [Browser/SetDefaultSearchEngine](./policy-csp-browser.md#browser-setdefaultsearchengine)
-- [Browser/ShowMessageWhenOpeningSitesInInternetExplorer](./policy-csp-browser.md#browser-showmessagewhenopeningsitesininternetexplorer)
-- [Browser/SyncFavoritesBetweenIEAndMicrosoftEdge](./policy-csp-browser.md#browser-syncfavoritesbetweenieandmicrosoftedge)
-- [Browser/UseSharedFolderForBooks](./policy-csp-browser.md#browser-usesharedfolderforbooks)
-- [Camera/AllowCamera](./policy-csp-camera.md#camera-allowcamera)
-- [Cellular/LetAppsAccessCellularData](./policy-csp-cellular.md#cellular-letappsaccesscellulardata)
-- [Cellular/LetAppsAccessCellularData_ForceAllowTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forceallowtheseapps)
-- [Cellular/LetAppsAccessCellularData_ForceDenyTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forcedenytheseapps)
-- [Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-userincontroloftheseapps)
-- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui)
-- [Connectivity/AllowCellularDataRoaming](./policy-csp-connectivity.md#connectivity-allowcellulardataroaming)
-- [Connectivity/AllowPhonePCLinking](./policy-csp-connectivity.md#connectivity-allowphonepclinking)
-- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp)
-- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp)
-- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
-- [Connectivity/DisallowNetworkConnectivityActiveTests](./policy-csp-connectivity.md#connectivity-disallownetworkconnectivityactivetests)
-- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths)
-- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge)
-- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
-- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
-- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials)
-- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
-- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
-- [Cryptography/AllowFipsAlgorithmPolicy](./policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy)
-- [DataUsage/SetCost3G](./policy-csp-datausage.md#datausage-setcost3g)
-- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
-- [Defender/AllowArchiveScanning](./policy-csp-defender.md#defender-allowarchivescanning)
-- [Defender/AllowBehaviorMonitoring](./policy-csp-defender.md#defender-allowbehaviormonitoring)
-- [Defender/AllowCloudProtection](./policy-csp-defender.md#defender-allowcloudprotection)
-- [Defender/AllowEmailScanning](./policy-csp-defender.md#defender-allowemailscanning)
-- [Defender/AllowFullScanOnMappedNetworkDrives](./policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives)
-- [Defender/AllowFullScanRemovableDriveScanning](./policy-csp-defender.md#defender-allowfullscanremovabledrivescanning)
-- [Defender/AllowIOAVProtection](./policy-csp-defender.md#defender-allowioavprotection)
-- [Defender/AllowOnAccessProtection](./policy-csp-defender.md#defender-allowonaccessprotection)
-- [Defender/AllowRealtimeMonitoring](./policy-csp-defender.md#defender-allowrealtimemonitoring)
-- [Defender/AllowScanningNetworkFiles](./policy-csp-defender.md#defender-allowscanningnetworkfiles)
-- [Defender/AllowUserUIAccess](./policy-csp-defender.md#defender-allowuseruiaccess)
-- [Defender/AttackSurfaceReductionOnlyExclusions](./policy-csp-defender.md#defender-attacksurfacereductiononlyexclusions)
-- [Defender/AttackSurfaceReductionRules](./policy-csp-defender.md#defender-attacksurfacereductionrules)
-- [Defender/AvgCPULoadFactor](./policy-csp-defender.md#defender-avgcpuloadfactor)
-- [Defender/CloudBlockLevel](./policy-csp-defender.md#defender-cloudblocklevel)
-- [Defender/CloudExtendedTimeout](./policy-csp-defender.md#defender-cloudextendedtimeout)
-- [Defender/ControlledFolderAccessAllowedApplications](./policy-csp-defender.md#defender-controlledfolderaccessallowedapplications)
-- [Defender/ControlledFolderAccessProtectedFolders](./policy-csp-defender.md#defender-controlledfolderaccessprotectedfolders)
-- [Defender/DaysToRetainCleanedMalware](./policy-csp-defender.md#defender-daystoretaincleanedmalware)
-- [Defender/EnableControlledFolderAccess](./policy-csp-defender.md#defender-enablecontrolledfolderaccess)
-- [Defender/EnableNetworkProtection](./policy-csp-defender.md#defender-enablenetworkprotection)
-- [Defender/ExcludedExtensions](./policy-csp-defender.md#defender-excludedextensions)
-- [Defender/ExcludedPaths](./policy-csp-defender.md#defender-excludedpaths)
-- [Defender/ExcludedProcesses](./policy-csp-defender.md#defender-excludedprocesses)
-- [Defender/RealTimeScanDirection](./policy-csp-defender.md#defender-realtimescandirection)
-- [Defender/ScanParameter](./policy-csp-defender.md#defender-scanparameter)
-- [Defender/ScheduleQuickScanTime](./policy-csp-defender.md#defender-schedulequickscantime)
-- [Defender/ScheduleScanDay](./policy-csp-defender.md#defender-schedulescanday)
-- [Defender/ScheduleScanTime](./policy-csp-defender.md#defender-schedulescantime)
-- [Defender/SignatureUpdateInterval](./policy-csp-defender.md#defender-signatureupdateinterval)
-- [Defender/SubmitSamplesConsent](./policy-csp-defender.md#defender-submitsamplesconsent)
-- [Defender/ThreatSeverityDefaultAction](./policy-csp-defender.md#defender-threatseveritydefaultaction)
-- [DeliveryOptimization/DOAbsoluteMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
-- [DeliveryOptimization/DOAllowVPNPeerCaching](./policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
-- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
-- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
-- [DeliveryOptimization/DODownloadMode](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
-- [DeliveryOptimization/DOGroupId](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
-- [DeliveryOptimization/DOGroupIdSource](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
-- [DeliveryOptimization/DOMaxCacheAge](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
-- [DeliveryOptimization/DOMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
-- [DeliveryOptimization/DOMaxDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
-- [DeliveryOptimization/DOMaxUploadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
-- [DeliveryOptimization/DOMinBackgroundQos](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
-- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
-- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
-- [DeliveryOptimization/DOMinFileSizeToCache](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
-- [DeliveryOptimization/DOMinRAMAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
-- [DeliveryOptimization/DOModifyCacheDrive](./policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
-- [DeliveryOptimization/DOMonthlyUploadDataCap](./policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
-- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
-- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
-- [DeliveryOptimization/DORestrictPeerSelectionBy](./policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
-- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
-- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
-- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
-- [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity)
-- [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags)
-- [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures)
-- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids)
-- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses)
-- [DeviceLock/MinimumPasswordAge](./policy-csp-devicelock.md#devicelock-minimumpasswordage)
-- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera)
-- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
-- [Display/DisablePerProcessDpiForApps](./policy-csp-display.md#display-disableperprocessdpiforapps)
-- [Display/EnablePerProcessDpi](./policy-csp-display.md#display-enableperprocessdpi)
-- [Display/EnablePerProcessDpiForApps](./policy-csp-display.md#display-enableperprocessdpiforapps)
-- [Display/TurnOffGdiDPIScalingForApps](./policy-csp-display.md#display-turnoffgdidpiscalingforapps)
-- [Display/TurnOnGdiDPIScalingForApps](./policy-csp-display.md#display-turnongdidpiscalingforapps)
-- [Education/PreventAddingNewPrinters](./policy-csp-education.md#education-preventaddingnewprinters)
-- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings)
-- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting)
-- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification)
-- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata)
-- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay)
-- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior)
-- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog)
-- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog)
-- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog)
-- [Experience/AllowCortana](./policy-csp-experience.md#experience-allowcortana)
-- [Experience/AllowFindMyDevice](./policy-csp-experience.md#experience-allowfindmydevice)
-- [Experience/AllowTailoredExperiencesWithDiagnosticData](./policy-csp-experience.md#experience-allowtailoredexperienceswithdiagnosticdata)
-- [Experience/AllowThirdPartySuggestionsInWindowsSpotlight](./policy-csp-experience.md#experience-allowthirdpartysuggestionsinwindowsspotlight)
-- [Experience/AllowWindowsConsumerFeatures](./policy-csp-experience.md#experience-allowwindowsconsumerfeatures)
-- [Experience/AllowWindowsSpotlight](./policy-csp-experience.md#experience-allowwindowsspotlight)
-- [Experience/AllowWindowsSpotlightOnActionCenter](./policy-csp-experience.md#experience-allowwindowsspotlightonactioncenter)
-- [Experience/AllowWindowsSpotlightOnSettings](./policy-csp-experience.md#experience-allowwindowsspotlightonsettings)
-- [Experience/AllowWindowsSpotlightWindowsWelcomeExperience](./policy-csp-experience.md#experience-allowwindowsspotlightwindowswelcomeexperience)
-- [Experience/AllowWindowsTips](./policy-csp-experience.md#experience-allowwindowstips)
-- [Experience/ConfigureWindowsSpotlightOnLockScreen](./policy-csp-experience.md#experience-configurewindowsspotlightonlockscreen)
-- [Experience/DoNotShowFeedbackNotifications](./policy-csp-experience.md#experience-donotshowfeedbacknotifications)
-- [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings)
-- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer)
-- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption)
-- [Handwriting/PanelDefaultModeDocked](./policy-csp-handwriting.md#handwriting-paneldefaultmodedocked)
-- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider)
-- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering)
-- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist)
-- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete)
-- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning)
-- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit)
-- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode)
-- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu)
-- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist)
-- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3)
-- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist)
-- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode)
-- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate)
-- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate)
-- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate)
-- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate)
-- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate)
-- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate)
-- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate)
-- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry)
-- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist)
-- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid)
-- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites)
-- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate)
-- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate)
-- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate)
-- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation)
-- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms)
-- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses)
-- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash)
-- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings)
-- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles)
-- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory)
-- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection)
-- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation)
-- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites)
-- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading)
-- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport)
-- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard)
-- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature)
-- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange)
-- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors)
-- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing)
-- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode)
-- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange)
-- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange)
-- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange)
-- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck)
-- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck)
-- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode)
-- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites)
-- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies)
-- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols)
-- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains)
-- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites)
-- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths)
-- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources)
-- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript)
-- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles)
-- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads)
-- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites)
-- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles)
-- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents)
-- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols)
-- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol)
-- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows)
-- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols)
-- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets)
-- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie)
-- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript)
-- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence)
-- [InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer)
-- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols)
-- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols)
-- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter)
-- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
-- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows)
-- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing)
-- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode)
-- 
[InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver) -- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions) -- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe) -- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions) -- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes) -- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode) -- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles) -- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker) -- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources) -- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads) -- 
[InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads) -- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites) -- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents) -- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets) -- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie) -- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence) -- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions) -- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes) -- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources) -- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols) -- 
[InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads) -- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites) -- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents) -- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets) -- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie) -- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence) -- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions) -- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes) -- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources) -- 
[InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads) -- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets) -- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie) -- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence) -- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions) -- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes) -- 
[InternetExplorer/LockedDownIntranetJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions) -- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources) -- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads) -- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets) -- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie) -- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence) -- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols) -- 
[InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes) -- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources) -- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads) -- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets) -- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie) -- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence) -- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols) -- 
[InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions) -- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie) -- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence) 
-- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions) -- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets) -- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie) -- 
[InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence) -- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols) -- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions) -- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes) -- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses) -- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses) -- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses) -- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter) -- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols) -- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses) -- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols) -- 
[InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses) -- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses) -- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources) -- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting) -- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads) -- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors) -- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript) -- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles) -- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads) -- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads) -- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites) 
-- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles) -- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh) -- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents) -- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol) -- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows) -- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols) -- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets) -- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie) -- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript) -- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence) -- 
[InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer) -- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols) -- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter) -- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows) -- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows) -- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing) -- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver) -- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols) -- 
[InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions) -- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe) -- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions) -- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes) -- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins) -- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode) -- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting) -- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets) -- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles) -- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode) -- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker) -- 
[InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses)
-- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist)
-- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings)
-- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice)
-- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources)
-- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads)
-- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites)
-- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents)
-- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets)
-- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie)
-- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence)
-- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions)
-- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes)
-- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder)
-- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor)
-- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring)
-- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation)
-- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize)
-- [LanmanWorkstation/EnableInsecureGuestLogons](./policy-csp-lanmanworkstation.md#lanmanworkstation-enableinsecureguestlogons)
-- [Licensing/AllowWindowsEntitlementReactivation](./policy-csp-licensing.md#licensing-allowwindowsentitlementreactivation)
-- [Licensing/DisallowKMSClientOnlineAVSValidation](./policy-csp-licensing.md#licensing-disallowkmsclientonlineavsvalidation)
-- [LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts)
-- [LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-enableadministratoraccountstatus)
-- [LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-enableguestaccountstatus)
-- [LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly)
-- [LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameadministratoraccount)
-- [LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameguestaccount)
-- [LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowundockwithouthavingtologon)
-- [LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia)
-- [LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters)
-- [LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly)
-- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways)
-- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible)
-- [LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-machineinactivitylimit)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior)
-- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees)
-- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers)
-- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways)
-- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsifclientagrees)
-- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccounts)
-- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccountsandshares)
-- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictanonymousaccesstonamedpipesandshares)
-- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-donotstorelanmanagerhashvalueonnextpasswordchange)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-addremoteserverexceptionsforntlmauthentication)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-auditincomingntlmtraffic)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-incomingntlmtraffic)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-outgoingntlmtraffictoremoteservers)
-- [LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon)
-- [LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile)
-- [LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation)
-- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators)
-- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers)
-- [LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-detectapplicationinstallationsandpromptforelevation)
-- [LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated)
-- [LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations)
-- [LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode)
-- [LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation)
-- [LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-useadminapprovalmode)
-- [LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations)
-- [Location/EnableLocation](./policy-csp-location.md#location-enablelocation)
-- [LockDown/AllowEdgeSwipe](./policy-csp-lockdown.md#lockdown-allowedgeswipe)
-- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes)
-- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers)
-- [MSSLegacy/IPSourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel)
-- [MSSLegacy/IPv6SourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel)
-- [MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon)
-- [MSSecurityGuide/ConfigureSMBV1ClientDriver](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver)
-- [MSSecurityGuide/ConfigureSMBV1Server](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server)
-- [MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection](./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection)
-- [MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications)
-- [MSSecurityGuide/WDigestAuthentication](./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication)
-- [Maps/EnableOfflineMapsAutoUpdate](./policy-csp-maps.md#maps-enableofflinemapsautoupdate)
-- [Messaging/AllowMessageSync](./policy-csp-messaging.md#messaging-allowmessagesync)
-- [NetworkIsolation/EnterpriseCloudResources](./policy-csp-networkisolation.md#networkisolation-enterprisecloudresources)
-- [NetworkIsolation/EnterpriseIPRange](./policy-csp-networkisolation.md#networkisolation-enterpriseiprange)
-- [NetworkIsolation/EnterpriseIPRangesAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseiprangesareauthoritative)
-- [NetworkIsolation/EnterpriseInternalProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseinternalproxyservers)
-- [NetworkIsolation/EnterpriseProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyservers)
-- [NetworkIsolation/EnterpriseProxyServersAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyserversareauthoritative)
-- [NetworkIsolation/NeutralResources](./policy-csp-networkisolation.md#networkisolation-neutralresources)
-- [Notifications/DisallowCloudNotification](./policy-csp-notifications.md#notifications-disallowcloudnotification)
-- [Notifications/DisallowNotificationMirroring](./policy-csp-notifications.md#notifications-disallownotificationmirroring)
-- [Notifications/DisallowTileNotification](./policy-csp-notifications.md#notifications-disallowtilenotification)
-- [Power/AllowStandbyStatesWhenSleepingOnBattery](./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery)
-- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin)
-- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery)
-- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin)
-- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery)
-- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin)
-- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery)
-- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin)
-- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery)
-- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin)
-- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions)
-- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user)
-- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters)
-- [Privacy/AllowInputPersonalization](./policy-csp-privacy.md#privacy-allowinputpersonalization)
-- [Privacy/DisableAdvertisingId](./policy-csp-privacy.md#privacy-disableadvertisingid)
-- [Privacy/EnableActivityFeed](./policy-csp-privacy.md#privacy-enableactivityfeed)
-- [Privacy/LetAppsAccessAccountInfo](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo)
-- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps)
-- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps)
-- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-userincontroloftheseapps)
-- [Privacy/LetAppsAccessCalendar](./policy-csp-privacy.md#privacy-letappsaccesscalendar)
-- [Privacy/LetAppsAccessCalendar_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forceallowtheseapps)
-- [Privacy/LetAppsAccessCalendar_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forcedenytheseapps)
-- [Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-userincontroloftheseapps)
-- [Privacy/LetAppsAccessCallHistory](./policy-csp-privacy.md#privacy-letappsaccesscallhistory)
-- [Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forceallowtheseapps)
-- [Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forcedenytheseapps)
-- [Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-userincontroloftheseapps)
-- [Privacy/LetAppsAccessCamera](./policy-csp-privacy.md#privacy-letappsaccesscamera)
-- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forceallowtheseapps)
-- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forcedenytheseapps)
-- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-userincontroloftheseapps)
-- [Privacy/LetAppsAccessContacts](./policy-csp-privacy.md#privacy-letappsaccesscontacts)
-- [Privacy/LetAppsAccessContacts_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forceallowtheseapps)
-- [Privacy/LetAppsAccessContacts_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forcedenytheseapps)
-- [Privacy/LetAppsAccessContacts_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-userincontroloftheseapps)
-- [Privacy/LetAppsAccessEmail](./policy-csp-privacy.md#privacy-letappsaccessemail)
-- [Privacy/LetAppsAccessEmail_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forceallowtheseapps)
-- [Privacy/LetAppsAccessEmail_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forcedenytheseapps)
-- [Privacy/LetAppsAccessEmail_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-userincontroloftheseapps)
-- [Privacy/LetAppsAccessLocation](./policy-csp-privacy.md#privacy-letappsaccesslocation)
-- [Privacy/LetAppsAccessLocation_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forceallowtheseapps)
-- [Privacy/LetAppsAccessLocation_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forcedenytheseapps)
-- [Privacy/LetAppsAccessLocation_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-userincontroloftheseapps)
-- [Privacy/LetAppsAccessMessaging](./policy-csp-privacy.md#privacy-letappsaccessmessaging)
-- [Privacy/LetAppsAccessMessaging_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forceallowtheseapps)
-- [Privacy/LetAppsAccessMessaging_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forcedenytheseapps)
-- [Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-userincontroloftheseapps)
-- [Privacy/LetAppsAccessMicrophone](./policy-csp-privacy.md#privacy-letappsaccessmicrophone)
-- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps)
-- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps)
-- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps)
-- [Privacy/LetAppsAccessMotion](./policy-csp-privacy.md#privacy-letappsaccessmotion)
-- [Privacy/LetAppsAccessMotion_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forceallowtheseapps)
-- [Privacy/LetAppsAccessMotion_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forcedenytheseapps)
-- [Privacy/LetAppsAccessMotion_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-userincontroloftheseapps)
-- [Privacy/LetAppsAccessNotifications](./policy-csp-privacy.md#privacy-letappsaccessnotifications)
-- [Privacy/LetAppsAccessNotifications_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forceallowtheseapps)
-- [Privacy/LetAppsAccessNotifications_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forcedenytheseapps)
-- [Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-userincontroloftheseapps)
-- [Privacy/LetAppsAccessPhone](./policy-csp-privacy.md#privacy-letappsaccessphone)
-- [Privacy/LetAppsAccessPhone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forceallowtheseapps)
-- [Privacy/LetAppsAccessPhone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forcedenytheseapps)
-- [Privacy/LetAppsAccessPhone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-userincontroloftheseapps)
-- [Privacy/LetAppsAccessRadios](./policy-csp-privacy.md#privacy-letappsaccessradios)
-- [Privacy/LetAppsAccessRadios_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forceallowtheseapps)
-- [Privacy/LetAppsAccessRadios_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forcedenytheseapps)
-- [Privacy/LetAppsAccessRadios_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-userincontroloftheseapps)
-- [Privacy/LetAppsAccessTasks](./policy-csp-privacy.md#privacy-letappsaccesstasks)
-- [Privacy/LetAppsAccessTasks_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forceallowtheseapps)
-- [Privacy/LetAppsAccessTasks_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forcedenytheseapps)
-- [Privacy/LetAppsAccessTasks_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-userincontroloftheseapps)
-- [Privacy/LetAppsAccessTrustedDevices](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices)
-- [Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forceallowtheseapps)
-- [Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forcedenytheseapps)
-- [Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-userincontroloftheseapps)
-- [Privacy/LetAppsGetDiagnosticInfo](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo)
-- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
-- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
-- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
-- [Privacy/LetAppsRunInBackground](./policy-csp-privacy.md#privacy-letappsruninbackground)
-- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forceallowtheseapps)
-- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forcedenytheseapps)
-- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-userincontroloftheseapps)
-- [Privacy/LetAppsSyncWithDevices](./policy-csp-privacy.md#privacy-letappssyncwithdevices)
-- [Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forceallowtheseapps)
-- [Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forcedenytheseapps)
-- [Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-userincontroloftheseapps)
-- [Privacy/PublishUserActivities](./policy-csp-privacy.md#privacy-publishuseractivities)
-- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages)
-- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging)
-- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance)
-- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance)
-- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely)
-- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel)
-- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection)
-- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving)
-- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection)
-- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication)
-- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client)
-- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service)
-- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient)
-- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice)
-- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement)
-- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client)
-- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service)
-- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication)
-- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient)
-- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice)
-- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials)
-- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel)
-- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts)
-- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener)
-- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener)
-- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication)
-- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients)
-- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess)
-- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers)
-- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout)
-- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory)
-- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses)
-- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells)
-- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
-- [Search/AllowCloudSearch](./policy-csp-search.md#search-allowcloudsearch)
-- [Search/AllowCortanaInAAD](./policy-csp-search.md#search-allowcortanainaad)
-- [Search/AllowIndexingEncryptedStoresOrItems](./policy-csp-search.md#search-allowindexingencryptedstoresoritems)
-- [Search/AllowSearchToUseLocation](./policy-csp-search.md#search-allowsearchtouselocation)
-- [Search/AllowUsingDiacritics](./policy-csp-search.md#search-allowusingdiacritics)
-- [Search/AlwaysUseAutoLangDetection](./policy-csp-search.md#search-alwaysuseautolangdetection)
-- [Search/DisableBackoff](./policy-csp-search.md#search-disablebackoff)
-- [Search/DisableRemovableDriveIndexing](./policy-csp-search.md#search-disableremovabledriveindexing)
-- [Search/DoNotUseWebResults](./policy-csp-search.md#search-donotusewebresults)
-- [Search/PreventIndexingLowDiskSpaceMB](./policy-csp-search.md#search-preventindexinglowdiskspacemb)
-- [Search/PreventRemoteQueries](./policy-csp-search.md#search-preventremotequeries)
-- [Security/ClearTPMIfNotReady](./policy-csp-security.md#security-cleartpmifnotready)
-- [Settings/AllowOnlineTips](./policy-csp-settings.md#settings-allowonlinetips)
-- [Settings/ConfigureTaskbarCalendar](./policy-csp-settings.md#settings-configuretaskbarcalendar)
-- [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist)
-- [SmartScreen/EnableAppInstallControl](./policy-csp-smartscreen.md#smartscreen-enableappinstallcontrol)
-- [SmartScreen/EnableSmartScreenInShell](./policy-csp-smartscreen.md#smartscreen-enablesmartscreeninshell)
-- [SmartScreen/PreventOverrideForFilesInShell](./policy-csp-smartscreen.md#smartscreen-preventoverrideforfilesinshell)
-- [Speech/AllowSpeechModelUpdate](./policy-csp-speech.md#speech-allowspeechmodelupdate)
-- [Start/HidePeopleBar](./policy-csp-start.md#start-hidepeoplebar)
-- [Start/HideRecentlyAddedApps](./policy-csp-start.md#start-hiderecentlyaddedapps)
-- [Start/StartLayout](./policy-csp-start.md#start-startlayout)
-- [Storage/AllowDiskHealthModelUpdates](./policy-csp-storage.md#storage-allowdiskhealthmodelupdates)
-- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
-- [System/AllowBuildPreview](./policy-csp-system.md#system-allowbuildpreview)
-- [System/AllowFontProviders](./policy-csp-system.md#system-allowfontproviders)
-- [System/AllowLocation](./policy-csp-system.md#system-allowlocation)
-- [System/AllowTelemetry](./policy-csp-system.md#system-allowtelemetry)
-- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
-- [System/DisableEnterpriseAuthProxy](./policy-csp-system.md#system-disableenterpriseauthproxy)
-- [System/DisableOneDriveFileSync](./policy-csp-system.md#system-disableonedrivefilesync)
-- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
-- [System/LimitEnhancedDiagnosticDataWindowsAnalytics](./policy-csp-system.md#system-limitenhanceddiagnosticdatawindowsanalytics)
-- [System/TelemetryProxy](./policy-csp-system.md#system-telemetryproxy)
-- [SystemServices/ConfigureHomeGroupListenerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegrouplistenerservicestartupmode)
-- [SystemServices/ConfigureHomeGroupProviderServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegroupproviderservicestartupmode)
-- [SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxaccessorymanagementservicestartupmode)
-- [SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxliveauthmanagerservicestartupmode)
-- [SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivegamesaveservicestartupmode)
-- [SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivenetworkingservicestartupmode)
-- [TextInput/AllowLanguageFeaturesUninstall](./policy-csp-textinput.md#textinput-allowlanguagefeaturesuninstall)
-- [TextInput/AllowLinguisticDataCollection](./policy-csp-textinput.md#textinput-allowlinguisticdatacollection)
-- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend)
-- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange)
-- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart)
-- [Update/AllowAutoUpdate](./policy-csp-update.md#update-allowautoupdate)
-- [Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork](./policy-csp-update.md#update-allowautowindowsupdatedownloadovermeterednetwork)
-- [Update/AllowMUUpdateService](./policy-csp-update.md#update-allowmuupdateservice)
-- [Update/AllowUpdateService](./policy-csp-update.md#update-allowupdateservice)
-- [Update/AutoRestartDeadlinePeriodInDays](./policy-csp-update.md#update-autorestartdeadlineperiodindays)
-- [Update/AutoRestartNotificationSchedule](./policy-csp-update.md#update-autorestartnotificationschedule)
-- [Update/AutoRestartRequiredNotificationDismissal](./policy-csp-update.md#update-autorestartrequirednotificationdismissal)
-- [Update/BranchReadinessLevel](./policy-csp-update.md#update-branchreadinesslevel)
-- [Update/DeferFeatureUpdatesPeriodInDays](./policy-csp-update.md#update-deferfeatureupdatesperiodindays)
-- [Update/DeferQualityUpdatesPeriodInDays](./policy-csp-update.md#update-deferqualityupdatesperiodindays)
-- [Update/DeferUpdatePeriod](./policy-csp-update.md#update-deferupdateperiod)
-- [Update/DeferUpgradePeriod](./policy-csp-update.md#update-deferupgradeperiod)
-- [Update/DetectionFrequency](./policy-csp-update.md#update-detectionfrequency)
-- [Update/DisableDualScan](./policy-csp-update.md#update-disabledualscan)
-- [Update/EngagedRestartDeadline](./policy-csp-update.md#update-engagedrestartdeadline)
-- [Update/EngagedRestartSnoozeSchedule](./policy-csp-update.md#update-engagedrestartsnoozeschedule)
-- [Update/EngagedRestartTransitionSchedule](./policy-csp-update.md#update-engagedrestarttransitionschedule)
-- [Update/ExcludeWUDriversInQualityUpdate](./policy-csp-update.md#update-excludewudriversinqualityupdate)
-- [Update/FillEmptyContentUrls](./policy-csp-update.md#update-fillemptycontenturls)
-- [Update/ManagePreviewBuilds](./policy-csp-update.md#update-managepreviewbuilds)
-- [Update/PauseDeferrals](./policy-csp-update.md#update-pausedeferrals)
-- [Update/PauseFeatureUpdates](./policy-csp-update.md#update-pausefeatureupdates)
-- [Update/PauseFeatureUpdatesStartTime](./policy-csp-update.md#update-pausefeatureupdatesstarttime)
-- [Update/PauseQualityUpdates](./policy-csp-update.md#update-pausequalityupdates)
-- [Update/PauseQualityUpdatesStartTime](./policy-csp-update.md#update-pausequalityupdatesstarttime)
-- [Update/RequireDeferUpgrade](./policy-csp-update.md#update-requiredeferupgrade)
-- [Update/ScheduleImminentRestartWarning](./policy-csp-update.md#update-scheduleimminentrestartwarning)
-- [Update/ScheduleRestartWarning](./policy-csp-update.md#update-schedulerestartwarning)
-- [Update/ScheduledInstallDay](./policy-csp-update.md#update-scheduledinstallday)
-- [Update/ScheduledInstallEveryWeek](./policy-csp-update.md#update-scheduledinstalleveryweek)
-- [Update/ScheduledInstallFirstWeek](./policy-csp-update.md#update-scheduledinstallfirstweek)
-- [Update/ScheduledInstallFourthWeek](./policy-csp-update.md#update-scheduledinstallfourthweek)
-- [Update/ScheduledInstallSecondWeek](./policy-csp-update.md#update-scheduledinstallsecondweek)
-- [Update/ScheduledInstallThirdWeek](./policy-csp-update.md#update-scheduledinstallthirdweek)
-- [Update/ScheduledInstallTime](./policy-csp-update.md#update-scheduledinstalltime)
-- [Update/SetAutoRestartNotificationDisable](./policy-csp-update.md#update-setautorestartnotificationdisable)
-- [Update/SetEDURestart](./policy-csp-update.md#update-setedurestart)
-- 
[Update/UpdateServiceUrl](./policy-csp-update.md#update-updateserviceurl) -- [Update/UpdateServiceUrlAlternate](./policy-csp-update.md#update-updateserviceurlalternate) -- [UserRights/AccessCredentialManagerAsTrustedCaller](./policy-csp-userrights.md#userrights-accesscredentialmanagerastrustedcaller) -- [UserRights/AccessFromNetwork](./policy-csp-userrights.md#userrights-accessfromnetwork) -- [UserRights/ActAsPartOfTheOperatingSystem](./policy-csp-userrights.md#userrights-actaspartoftheoperatingsystem) -- [UserRights/AllowLocalLogOn](./policy-csp-userrights.md#userrights-allowlocallogon) -- [UserRights/BackupFilesAndDirectories](./policy-csp-userrights.md#userrights-backupfilesanddirectories) -- [UserRights/ChangeSystemTime](./policy-csp-userrights.md#userrights-changesystemtime) -- [UserRights/CreateGlobalObjects](./policy-csp-userrights.md#userrights-createglobalobjects) -- [UserRights/CreatePageFile](./policy-csp-userrights.md#userrights-createpagefile) -- [UserRights/CreatePermanentSharedObjects](./policy-csp-userrights.md#userrights-createpermanentsharedobjects) -- [UserRights/CreateSymbolicLinks](./policy-csp-userrights.md#userrights-createsymboliclinks) -- [UserRights/CreateToken](./policy-csp-userrights.md#userrights-createtoken) -- [UserRights/DebugPrograms](./policy-csp-userrights.md#userrights-debugprograms) -- [UserRights/DenyAccessFromNetwork](./policy-csp-userrights.md#userrights-denyaccessfromnetwork) -- [UserRights/DenyLocalLogOn](./policy-csp-userrights.md#userrights-denylocallogon) -- [UserRights/DenyRemoteDesktopServicesLogOn](./policy-csp-userrights.md#userrights-denyremotedesktopserviceslogon) -- [UserRights/EnableDelegation](./policy-csp-userrights.md#userrights-enabledelegation) -- [UserRights/GenerateSecurityAudits](./policy-csp-userrights.md#userrights-generatesecurityaudits) -- [UserRights/ImpersonateClient](./policy-csp-userrights.md#userrights-impersonateclient) -- 
[UserRights/IncreaseSchedulingPriority](./policy-csp-userrights.md#userrights-increaseschedulingpriority) -- [UserRights/LoadUnloadDeviceDrivers](./policy-csp-userrights.md#userrights-loadunloaddevicedrivers) -- [UserRights/LockMemory](./policy-csp-userrights.md#userrights-lockmemory) -- [UserRights/ManageAuditingAndSecurityLog](./policy-csp-userrights.md#userrights-manageauditingandsecuritylog) -- [UserRights/ManageVolume](./policy-csp-userrights.md#userrights-managevolume) -- [UserRights/ModifyFirmwareEnvironment](./policy-csp-userrights.md#userrights-modifyfirmwareenvironment) -- [UserRights/ModifyObjectLabel](./policy-csp-userrights.md#userrights-modifyobjectlabel) -- [UserRights/ProfileSingleProcess](./policy-csp-userrights.md#userrights-profilesingleprocess) -- [UserRights/RemoteShutdown](./policy-csp-userrights.md#userrights-remoteshutdown) -- [UserRights/RestoreFilesAndDirectories](./policy-csp-userrights.md#userrights-restorefilesanddirectories) -- [UserRights/TakeOwnership](./policy-csp-userrights.md#userrights-takeownership) -- [Wifi/AllowAutoConnectToWiFiSenseHotspots](./policy-csp-wifi.md#wifi-allowautoconnecttowifisensehotspots) -- [Wifi/AllowInternetSharing](./policy-csp-wifi.md#wifi-allowinternetsharing) -- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork) -- [WindowsDefenderSecurityCenter/CompanyName](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-companyname) -- [WindowsDefenderSecurityCenter/DisableAccountProtectionUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableaccountprotectionui) -- [WindowsDefenderSecurityCenter/DisableAppBrowserUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableappbrowserui) -- 
[WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabledevicesecurityui) -- [WindowsDefenderSecurityCenter/DisableEnhancedNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableenhancednotifications) -- [WindowsDefenderSecurityCenter/DisableFamilyUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablefamilyui) -- [WindowsDefenderSecurityCenter/DisableHealthUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablehealthui) -- [WindowsDefenderSecurityCenter/DisableNetworkUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenetworkui) -- [WindowsDefenderSecurityCenter/DisableNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenotifications) -- [WindowsDefenderSecurityCenter/DisableVirusUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablevirusui) -- [WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disallowexploitprotectionoverride) -- [WindowsDefenderSecurityCenter/Email](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-email) -- [WindowsDefenderSecurityCenter/EnableCustomizedToasts](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enablecustomizedtoasts) -- [WindowsDefenderSecurityCenter/EnableInAppCustomization](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enableinappcustomization) -- [WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hideransomwaredatarecovery) -- [WindowsDefenderSecurityCenter/HideSecureBoot](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidesecureboot) -- 
[WindowsDefenderSecurityCenter/HideTPMTroubleshooting](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidetpmtroubleshooting) -- [WindowsDefenderSecurityCenter/Phone](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-phone) -- [WindowsDefenderSecurityCenter/URL](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-url) -- [WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) -- [WindowsInkWorkspace/AllowWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowwindowsinkworkspace) -- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) -- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) -- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) -- [WindowsLogon/HideFastUserSwitching](./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching) -- [WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart](./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart) -- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging) -- [WirelessDisplay/AllowProjectionToPC](./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc) -- [WirelessDisplay/RequirePinForPairing](./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing) - - -## Policies supported by Windows Holographic for Business - -- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection) -- 
[ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps) -- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate) -- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) -- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](#browser-allowsmartscreen) -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword) -- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) -- [Experience/AllowCortana](#experience-allowcortana) -- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment) -- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) -- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) -- [Settings/AllowDateTime](#settings-allowdatetime) -- [Settings/AllowVPN](#settings-allowvpn) -- [System/AllowFontProviders](#system-allowfontproviders) -- [System/AllowLocation](#system-allowlocation) -- [System/AllowTelemetry](#system-allowtelemetry) -- [Update/AllowAutoUpdate](#update-allowautoupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) -- [Update/RequireUpdateApproval](#update-requireupdateapproval) -- 
[Update/UpdateServiceUrl](#update-updateserviceurl) - - - -## Policies that can be set using Exchange Active Sync (EAS) - -- [Browser/AllowBrowser](#browser-allowbrowser) -- [Camera/AllowCamera](#camera-allowcamera) -- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui) -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) -- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) -- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) -- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) -- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) -- [DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration) -- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) -- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) -- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) -- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) -- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) -- [DeviceLock/PreventLockScreenSlideShow](#devicelock-preventlockscreenslideshow) -- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) -- [System/AllowStorageCard](#system-allowstoragecard) -- [System/TelemetryProxy](#system-telemetryproxy) -- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing) -- [Wifi/AllowWiFi](#wifi-allowwifi) - - -## Examples - -Set the minimum password length to 4 characters. - -``` syntax - - - - $CmdID$ - - - ./Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength - - - int - - 4 - - - - - -``` - -Do not allow NFC. 
-
-``` syntax
-
-
-
- $CmdID$
-
-
- ./Vendor/MSFT/Policy/Config/Connectivity/AllowNFC
-
-
- int
-
- 0
-
-
-
-
-
-```
-
-## Related topics
-
+---
+title: Policy CSP
+description: Policy CSP
+ms.assetid: 4F3A1134-D401-44FC-A583-6EDD3070BA4F
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: MariciaAlforque
+ms.date: 08/08/2018
+---
+
+# Policy CSP
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies.
+
+The Policy configuration service provider has the following sub-categories:
+
+- Policy/Config/*AreaName* – Handles the policy configuration request from the server.
+- Policy/Result/*AreaName* – Provides a read-only path to policies enforced on the device.
+
+
+
+> [!Important]
+> Policy scope is the level at which a policy can be configured. Some policies can only be configured at the device level, meaning the policy will take effect independent of who is logged into the device. Other policies can be configured at the user level, meaning the policy will only take effect for that user.
+>
+> The allowed scope of a specific policy is represented below its table of supported Windows editions. To configure a policy under a specific scope (user vs. device), please use the following paths:
+>
+> User scope:
+> - **./User/Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy.
+> - **./User/Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result.
+>
+> Device scope:
+> - **./Device/Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy.
+> - **./Device/Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result.
+>
+> For device wide configuration the **_Device/_** portion may be omitted from the path, deeming the following paths respectively equivalent:
+>
+> - **./Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy.
+> - **./Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result.
+
+The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
+
+![policy csp diagram](images/provisioning-csp-policy.png)
+
+
+**./Vendor/MSFT/Policy**
+

                  The root node for the Policy configuration service provider. + +

                  Supported operation is Get. + +**Policy/Config** +

                  Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. + +

                  Supported operation is Get. + +**Policy/Config/****_AreaName_** +

                  The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. + +

                  Supported operations are Add, Get, and Delete. + +**Policy/Config/****_AreaName/PolicyName_** +

                  Specifies the name/value pair used in the policy. + +

                  The following list shows some tips to help you when configuring policies: + +- Separate substring values by the Unicode &\#xF000; in the XML file. + +> [!NOTE] +> A query from a different caller could provide a different value as each caller could have different values for a named policy. + +- In SyncML, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction. +- Supported operations are Add, Get, Delete, and Replace. +- Value type is string. + +**Policy/Result** +

                  Groups the evaluated policies from all providers that can be configured. + +

                  Supported operation is Get. + +**Policy/Result/****_AreaName_** +

                  The area group that can be configured by a single technology independent of the providers. + +

                  Supported operation is Get. + +**Policy/Result/****_AreaName/PolicyName_** +

                  Specifies the name/value pair used in the policy. + +

                  Supported operation is Get. + +**Policy/ConfigOperations** +

                  Added in Windows 10, version 1703. The root node for grouping different configuration operations. + +

                  Supported operations are Add, Get, and Delete. + +**Policy/ConfigOperations/ADMXInstall** +

                  Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md). + +> [!NOTE] +> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](https://technet.microsoft.com/en-us/library/cc179097.aspx). + +

                  ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}`. + +

                  Supported operations are Add, Get, and Delete. + +**Policy/ConfigOperations/ADMXInstall/****_AppName_** +

                  Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. + +

                  Supported operations are Add, Get, and Delete. + +**Policy/ConfigOperations/ADMXInstall/****_AppName_/Policy** +

                  Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported. + +

                  Supported operations are Add, Get, and Delete. + +**Policy/ConfigOperations/ADMXInstall/****_AppName_/Policy/_UniqueID_** +

                  Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import. + +

                  Supported operations are Add and Get. Does not support Delete. + +**Policy/ConfigOperations/ADMXInstall/****_AppName_/Preference** +

                  Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported. + +

                  Supported operations are Add, Get, and Delete. + +**Policy/ConfigOperations/ADMXInstall/****_AppName_/Preference/_UniqueID_** +

                  Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import. + +

                  Supported operations are Add and Get. Does not support Delete. + +> [!Note] +> The policies supported in Windows 10 S are the same as those supported in Windows 10 Pro with the exception of the policies under ApplicationDefaults. The ApplicationDefaults policies are not supported in Windows 10 S. + +## Policies + +### AboveLock policies + +

                  +
                  + AboveLock/AllowActionCenterNotifications +
                  +
                  + AboveLock/AllowCortanaAboveLock +
                  +
                  + AboveLock/AllowToasts +
                  +
                  + +### Accounts policies + +
                  +
                  + Accounts/AllowAddingNonMicrosoftAccountsManually +
                  +
                  + Accounts/AllowMicrosoftAccountConnection +
                  +
                  + Accounts/AllowMicrosoftAccountSignInAssistant +
                  +
                  + Accounts/DomainNamesForEmailSync +
                  +
                  + +### ActiveXControls policies + +
                  +
                  + ActiveXControls/ApprovedInstallationSites +
                  +
                  + +### ApplicationDefaults policies + +
                  +
                  + ApplicationDefaults/DefaultAssociationsConfiguration +
                  +
                  + ApplicationDefaults/EnableAppUriHandlers +
                  +
                  + +### ApplicationManagement policies + +
                  +
                  + ApplicationManagement/AllowAllTrustedApps +
                  +
                  + ApplicationManagement/AllowAppStoreAutoUpdate +
                  +
                  + ApplicationManagement/AllowDeveloperUnlock +
                  +
                  + ApplicationManagement/AllowGameDVR +
                  +
                  + ApplicationManagement/AllowSharedUserAppData +
                  +
                  + ApplicationManagement/AllowStore +
                  +
                  + ApplicationManagement/ApplicationRestrictions +
                  +
                  + ApplicationManagement/DisableStoreOriginatedApps +
                  +
                  + ApplicationManagement/LaunchAppAfterLogOn +
                  +
                  + ApplicationManagement/MSIAllowUserControlOverInstall +
                  +
                  + ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges +
                  +
                  + ApplicationManagement/RequirePrivateStoreOnly +
                  +
                  + ApplicationManagement/RestrictAppDataToSystemVolume +
                  +
                  + ApplicationManagement/RestrictAppToSystemVolume +
                  +
                  + ApplicationManagement/ScheduleForceRestartForUpdateFailures +
                  +
                  + +### AppRuntime policies + +
                  +
                  + AppRuntime/AllowMicrosoftAccountsToBeOptional +
                  +
                  + +### AppVirtualization policies + +
                  +
                  + AppVirtualization/AllowAppVClient +
                  +
                  + AppVirtualization/AllowDynamicVirtualization +
                  +
                  + AppVirtualization/AllowPackageCleanup +
                  +
                  + AppVirtualization/AllowPackageScripts +
                  +
                  + AppVirtualization/AllowPublishingRefreshUX +
                  +
                  + AppVirtualization/AllowReportingServer +
                  +
                  + AppVirtualization/AllowRoamingFileExclusions +
                  +
                  + AppVirtualization/AllowRoamingRegistryExclusions +
                  +
                  + AppVirtualization/AllowStreamingAutoload +
                  +
                  + AppVirtualization/ClientCoexistenceAllowMigrationmode +
                  +
                  + AppVirtualization/IntegrationAllowRootGlobal +
                  +
                  + AppVirtualization/IntegrationAllowRootUser +
                  +
                  + AppVirtualization/PublishingAllowServer1 +
                  +
                  + AppVirtualization/PublishingAllowServer2 +
                  +
                  + AppVirtualization/PublishingAllowServer3 +
                  +
                  + AppVirtualization/PublishingAllowServer4 +
                  +
                  + AppVirtualization/PublishingAllowServer5 +
                  +
                  + AppVirtualization/StreamingAllowCertificateFilterForClient_SSL +
                  +
                  + AppVirtualization/StreamingAllowHighCostLaunch +
                  +
                  + AppVirtualization/StreamingAllowLocationProvider +
                  +
                  + AppVirtualization/StreamingAllowPackageInstallationRoot +
                  +
                  + AppVirtualization/StreamingAllowPackageSourceRoot +
                  +
                  + AppVirtualization/StreamingAllowReestablishmentInterval +
                  +
                  + AppVirtualization/StreamingAllowReestablishmentRetries +
                  +
                  + AppVirtualization/StreamingSharedContentStoreMode +
                  +
                  + AppVirtualization/StreamingSupportBranchCache +
                  +
                  + AppVirtualization/StreamingVerifyCertificateRevocationList +
                  +
                  + AppVirtualization/VirtualComponentsAllowList +
                  +
                  + +### AttachmentManager policies + +
                  +
                  + AttachmentManager/DoNotPreserveZoneInformation +
                  +
                  + AttachmentManager/HideZoneInfoMechanism +
                  +
                  + AttachmentManager/NotifyAntivirusPrograms +
                  +
                  + +### Authentication policies + +
                  +
                  + Authentication/AllowAadPasswordReset +
                  +
                  + Authentication/AllowEAPCertSSO +
                  +
                  + Authentication/AllowFastReconnect +
                  +
                  + Authentication/AllowFidoDeviceSignon +
                  +
                  + Authentication/AllowSecondaryAuthenticationDevice +
                  +
                  + Authentication/EnableFastFirstSignIn +
                  +
                  + Authentication/EnableWebSignIn +
                  +
                  + Authentication/PreferredAadTenantDomainName +
                  +
                  + +### Autoplay policies + +
                  +
                  + Autoplay/DisallowAutoplayForNonVolumeDevices +
                  +
                  + Autoplay/SetDefaultAutoRunBehavior +
                  +
                  + Autoplay/TurnOffAutoPlay +
                  +
                  + +### Bitlocker policies + +
                  +
                  + Bitlocker/EncryptionMethod +
                  +
                  + +### BITS policies + +
                  +
                  + BITS/BandwidthThrottlingEndTime +
                  +
                  + BITS/BandwidthThrottlingStartTime +
                  +
                  + BITS/BandwidthThrottlingTransferRate +
                  +
                  + BITS/CostedNetworkBehaviorBackgroundPriority +
                  +
                  + BITS/CostedNetworkBehaviorForegroundPriority +
                  +
                  + BITS/JobInactivityTimeout +
                  +
                  + +### Bluetooth policies + +
                  +
                  + Bluetooth/AllowAdvertising +
                  +
                  + Bluetooth/AllowDiscoverableMode +
                  +
                  + Bluetooth/AllowPrepairing +
                  +
                  + Bluetooth/AllowPromptedProximalConnections +
                  +
                  + Bluetooth/LocalDeviceName +
                  +
                  + Bluetooth/ServicesAllowedList +
                  +
                  + +### Browser policies + +
                  +
                  + Browser/AllowAddressBarDropdown +
                  +
                  + Browser/AllowAutofill +
                  +
                  + Browser/AllowBrowser +
                  +
                  + Browser/AllowConfigurationUpdateForBooksLibrary +
                  +
                  + Browser/AllowCookies +
                  +
                  + Browser/AllowDeveloperTools +
                  +
                  + Browser/AllowDoNotTrack +
                  +
                  + Browser/AllowExtensions +
                  +
                  + Browser/AllowFlash +
                  +
                  + Browser/AllowFlashClickToRun +
                  +
                  + Browser/AllowFullScreenMode +
                  +
                  + Browser/AllowInPrivate +
                  +
                  + Browser/AllowMicrosoftCompatibilityList +
                  +
                  + Browser/AllowPasswordManager +
                  +
                  + Browser/AllowPopups +
                  +
                  + Browser/AllowPrelaunch +
                  +
                  + Browser/AllowPrinting +
                  +
                  + Browser/AllowSavingHistory +
                  +
                  + Browser/AllowSearchEngineCustomization +
                  +
                  + Browser/AllowSearchSuggestionsinAddressBar +
                  +
                  + Browser/AllowSideloadingOfExtensions +
                  +
                  + Browser/AllowSmartScreen +
                  +
                  + Browser/AllowTabPreloading +
                  +
                  + Browser/AllowWebContentOnNewTabPage +
                  +
                  + Browser/AlwaysEnableBooksLibrary +
                  +
                  + Browser/ClearBrowsingDataOnExit +
                  +
                  + Browser/ConfigureAdditionalSearchEngines +
                  +
                  + Browser/ConfigureFavoritesBar +
                  +
                  + Browser/ConfigureHomeButton +
                  +
                  + Browser/ConfigureKioskMode +
                  +
                  + Browser/ConfigureKioskResetAfterIdleTimeout +
                  +
                  + Browser/ConfigureOpenMicrosoftEdgeWith +
                  +
                  + Browser/ConfigureTelemetryForMicrosoft365Analytics +
                  +
                  + Browser/DisableLockdownOfStartPages +
                  +
                  + Browser/EnableExtendedBooksTelemetry +
                  +
                  + Browser/EnterpriseModeSiteList +
                  +
                  + Browser/EnterpriseSiteListServiceUrl +
                  +
                  + Browser/FirstRunURL +
                  +
                  + Browser/ForceEnabledExtensions +
                  +
                  + Browser/HomePages +
                  +
                  + Browser/LockdownFavorites +
                  +
                  + Browser/PreventAccessToAboutFlagsInMicrosoftEdge +
                  +
                  + Browser/PreventCertErrorOverrides +
                  +
                  + Browser/PreventFirstRunPage +
                  +
                  + Browser/PreventLiveTileDataCollection +
                  +
                  + Browser/PreventSmartScreenPromptOverride +
                  +
                  + Browser/PreventSmartScreenPromptOverrideForFiles +
                  +
                  + Browser/PreventUsingLocalHostIPAddressForWebRTC +
                  +
                  + Browser/ProvisionFavorites +
                  +
                  + Browser/SendIntranetTraffictoInternetExplorer +
                  +
                  + Browser/SetDefaultSearchEngine +
                  +
                  + Browser/SetHomeButtonURL +
                  +
                  + Browser/SetNewTabPageURL +
                  +
                  + Browser/ShowMessageWhenOpeningSitesInInternetExplorer +
                  +
                  + Browser/SyncFavoritesBetweenIEAndMicrosoftEdge +
                  +
                  + Browser/UnlockHomeButton +
                  +
                  + Browser/UseSharedFolderForBooks +
                  +
                  + +### Camera policies + +
                  +
                  + Camera/AllowCamera +
                  +
                  + +### Cellular policies + +
                  +
                  + Cellular/LetAppsAccessCellularData +
                  +
                  + Cellular/LetAppsAccessCellularData_ForceAllowTheseApps +
                  +
                  + Cellular/LetAppsAccessCellularData_ForceDenyTheseApps +
                  +
                  + Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps +
                  +
                  + Cellular/ShowAppCellularAccessUI +
                  +
                  + +### Connectivity policies + +
                  +
                  + Connectivity/AllowBluetooth +
                  +
                  + Connectivity/AllowCellularData +
                  +
                  + Connectivity/AllowCellularDataRoaming +
                  +
                  + Connectivity/AllowConnectedDevices +
                  +
                  + Connectivity/AllowNFC +
                  +
                  + Connectivity/AllowPhonePCLinking +
                  +
                  + Connectivity/AllowUSBConnection +
                  +
                  + Connectivity/AllowVPNOverCellular +
                  +
                  + Connectivity/AllowVPNRoamingOverCellular +
                  +
                  + Connectivity/DiablePrintingOverHTTP +
                  +
                  + Connectivity/DisableDownloadingOfPrintDriversOverHTTP +
                  +
                  + Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards +
                  +
                  + Connectivity/DisallowNetworkConnectivityActiveTests +
                  +
                  + Connectivity/HardenedUNCPaths +
                  +
                  + Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge +
                  +
                  + +### ControlPolicyConflict policies + +
                  +
                  + ControlPolicyConflict/MDMWinsOverGP +
                  +
                  + +### CredentialProviders policies + +
                  +
                  + CredentialProviders/AllowPINLogon +
                  +
                  + CredentialProviders/BlockPicturePassword +
                  +
                  + CredentialProviders/DisableAutomaticReDeploymentCredentials +
                  +
                  + +### CredentialsDelegation policies + +
                  +
                  + CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials +
                  +
                  + +### CredentialsUI policies + +
                  +
                  + CredentialsUI/DisablePasswordReveal +
                  +
                  + CredentialsUI/EnumerateAdministrators +
                  +
                  + +### Cryptography policies + +
                  +
                  + Cryptography/AllowFipsAlgorithmPolicy +
                  +
                  + Cryptography/TLSCipherSuites +
                  +
                  + +### DataProtection policies + +
                  +
                  + DataProtection/AllowDirectMemoryAccess +
                  +
                  + DataProtection/LegacySelectiveWipeID +
                  +
                  + +### DataUsage policies + +
                  +
                  + DataUsage/SetCost3G +
                  +
                  + DataUsage/SetCost4G +
                  +
                  + +### Defender policies + +
                  +
                  + Defender/AllowArchiveScanning +
                  +
                  + Defender/AllowBehaviorMonitoring +
                  +
                  + Defender/AllowCloudProtection +
                  +
                  + Defender/AllowEmailScanning +
                  +
                  + Defender/AllowFullScanOnMappedNetworkDrives +
                  +
                  + Defender/AllowFullScanRemovableDriveScanning +
                  +
                  + Defender/AllowIOAVProtection +
                  +
                  + Defender/AllowIntrusionPreventionSystem +
                  +
                  + Defender/AllowOnAccessProtection +
                  +
                  + Defender/AllowRealtimeMonitoring +
                  +
                  + Defender/AllowScanningNetworkFiles +
                  +
                  + Defender/AllowScriptScanning +
                  +
                  + Defender/AllowUserUIAccess +
                  +
                  + Defender/AttackSurfaceReductionOnlyExclusions +
                  +
                  + Defender/AttackSurfaceReductionRules +
                  +
                  + Defender/AvgCPULoadFactor +
                  +
                  + Defender/CheckForSignaturesBeforeRunningScan +
                  +
                  + Defender/CloudBlockLevel +
                  +
                  + Defender/CloudExtendedTimeout +
                  +
                  + Defender/ControlledFolderAccessAllowedApplications +
                  +
                  + Defender/ControlledFolderAccessProtectedFolders +
                  +
                  + Defender/DaysToRetainCleanedMalware +
                  +
                  + Defender/DisableCatchupFullScan +
                  +
                  + Defender/DisableCatchupQuickScan +
                  +
                  + Defender/EnableControlledFolderAccess +
                  +
                  + Defender/EnableLowCPUPriority +
                  +
                  + Defender/EnableNetworkProtection +
                  +
                  + Defender/ExcludedExtensions +
                  +
                  + Defender/ExcludedPaths +
                  +
                  + Defender/ExcludedProcesses +
                  +
                  + Defender/PUAProtection +
                  +
                  + Defender/RealTimeScanDirection +
                  +
                  + Defender/ScanParameter +
                  +
                  + Defender/ScheduleQuickScanTime +
                  +
                  + Defender/ScheduleScanDay +
                  +
                  + Defender/ScheduleScanTime +
                  +
                  + Defender/SignatureUpdateFallbackOrder +
                  +
                  + Defender/SignatureUpdateFileSharesSources +
                  +
                  + Defender/SignatureUpdateInterval +
                  +
                  + Defender/SubmitSamplesConsent +
                  +
                  + Defender/ThreatSeverityDefaultAction +
                  +
                  + +### DeliveryOptimization policies + +
                  +
                  + DeliveryOptimization/DOAbsoluteMaxCacheSize +
                  +
                  + DeliveryOptimization/DOAllowVPNPeerCaching +
                  +
                  + DeliveryOptimization/DODelayBackgroundDownloadFromHttp +
                  +
                  + DeliveryOptimization/DODelayForegroundDownloadFromHttp +
                  +
                  + DeliveryOptimization/DODownloadMode +
                  +
                  + DeliveryOptimization/DOGroupId +
                  +
                  + DeliveryOptimization/DOGroupIdSource +
                  +
                  + DeliveryOptimization/DOMaxCacheAge +
                  +
                  + DeliveryOptimization/DOMaxCacheSize +
                  +
                  + DeliveryOptimization/DOMaxDownloadBandwidth +
                  +
                  + DeliveryOptimization/DOMaxUploadBandwidth +
                  +
                  + DeliveryOptimization/DOMinBackgroundQos +
                  +
                  + DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload +
                  +
                  + DeliveryOptimization/DOMinDiskSizeAllowedToPeer +
                  +
                  + DeliveryOptimization/DOMinFileSizeToCache +
                  +
                  + DeliveryOptimization/DOMinRAMAllowedToPeer +
                  +
                  + DeliveryOptimization/DOModifyCacheDrive +
                  +
                  + DeliveryOptimization/DOMonthlyUploadDataCap +
                  +
                  + DeliveryOptimization/DOPercentageMaxBackgroundBandwidth +
                  +
                  + DeliveryOptimization/DOPercentageMaxDownloadBandwidth +
                  +
                  + DeliveryOptimization/DOPercentageMaxForegroundBandwidth +
                  +
                  + DeliveryOptimization/DORestrictPeerSelectionBy +
                  +
                  + DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth +
                  +
                  + DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth +
                  +
                  + +### Desktop policies + +
                  +
                  + Desktop/PreventUserRedirectionOfProfileFolders +
                  +
                  + +### DeviceGuard policies + +
                  +
                  + DeviceGuard/EnableSystemGuard +
                  +
                  + DeviceGuard/EnableVirtualizationBasedSecurity +
                  +
                  + DeviceGuard/LsaCfgFlags +
                  +
                  + DeviceGuard/RequirePlatformSecurityFeatures +
                  +
                  + +### DeviceInstallation policies + +
                  +
                  + DeviceInstallation/AllowInstallationOfMatchingDeviceIDs +
                  +
                  + DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses +
                  +
                  + DeviceInstallation/PreventDeviceMetadataFromNetwork +
                  +
                  + DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings +
                  +
                  + DeviceInstallation/PreventInstallationOfMatchingDeviceIDs +
                  +
                  + DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses +
                  +
                  + +### DeviceLock policies + +
                  +
                  + DeviceLock/AllowIdleReturnWithoutPassword +
                  +
                  + DeviceLock/AllowScreenTimeoutWhileLockedUserConfig +
                  +
                  + DeviceLock/AllowSimpleDevicePassword +
                  +
                  + DeviceLock/AlphanumericDevicePasswordRequired +
                  +
                  + DeviceLock/DevicePasswordEnabled +
                  +
                  + DeviceLock/DevicePasswordExpiration +
                  +
                  + DeviceLock/DevicePasswordHistory +
                  +
                  + DeviceLock/EnforceLockScreenAndLogonImage +
                  +
                  + DeviceLock/EnforceLockScreenProvider +
                  +
                  + DeviceLock/MaxDevicePasswordFailedAttempts +
                  +
                  + DeviceLock/MaxInactivityTimeDeviceLock +
                  +
                  + DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay +
                  +
                  + DeviceLock/MinDevicePasswordComplexCharacters +
                  +
                  + DeviceLock/MinDevicePasswordLength +
                  +
                  + DeviceLock/MinimumPasswordAge +
                  +
                  + DeviceLock/PreventEnablingLockScreenCamera +
                  +
                  + DeviceLock/PreventLockScreenSlideShow +
                  +
                  + DeviceLock/ScreenTimeoutWhileLocked +
                  +
                  + +### Display policies + +
                  +
                  + Display/DisablePerProcessDpiForApps +
                  +
                  + Display/EnablePerProcessDpi +
                  +
                  + Display/EnablePerProcessDpiForApps +
                  +
                  + Display/TurnOffGdiDPIScalingForApps +
                  +
                  + Display/TurnOnGdiDPIScalingForApps +
                  +
                  + +### DmaGuard policies + +
                  +
                  + DmaGuard/DeviceEnumerationPolicy +
                  +
                  + +### Education policies + +
                  +
                  + Education/DefaultPrinterName +
                  +
                  + Education/PreventAddingNewPrinters +
                  +
                  + Education/PrinterNames +
                  +
                  + +### EnterpriseCloudPrint policies + +
                  +
                  + EnterpriseCloudPrint/CloudPrintOAuthAuthority +
                  +
                  + EnterpriseCloudPrint/CloudPrintOAuthClientId +
                  +
                  + EnterpriseCloudPrint/CloudPrintResourceId +
                  +
                  + EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint +
                  +
                  + EnterpriseCloudPrint/DiscoveryMaxPrinterLimit +
                  +
                  + EnterpriseCloudPrint/MopriaDiscoveryResourceId +
                  +
                  + +### ErrorReporting policies + +
                  +
                  + ErrorReporting/CustomizeConsentSettings +
                  +
                  + ErrorReporting/DisableWindowsErrorReporting +
                  +
                  + ErrorReporting/DisplayErrorNotification +
                  +
                  + ErrorReporting/DoNotSendAdditionalData +
                  +
                  + ErrorReporting/PreventCriticalErrorDisplay +
                  +
                  + +### EventLogService policies + +
                  +
                  + EventLogService/ControlEventLogBehavior +
                  +
                  + EventLogService/SpecifyMaximumFileSizeApplicationLog +
                  +
                  + EventLogService/SpecifyMaximumFileSizeSecurityLog +
                  +
                  + EventLogService/SpecifyMaximumFileSizeSystemLog +
                  +
                  + +### Experience policies + +
                  +
                  + Experience/AllowClipboardHistory +
                  +
                  + Experience/AllowCopyPaste +
                  +
                  + Experience/AllowCortana +
                  +
                  + Experience/AllowDeviceDiscovery +
                  +
                  + Experience/AllowFindMyDevice +
                  +
                  + Experience/AllowManualMDMUnenrollment +
                  +
                  + Experience/AllowSIMErrorDialogPromptWhenNoSIM +
                  +
                  + Experience/AllowSaveAsOfOfficeFiles +
                  +
                  + Experience/AllowScreenCapture +
                  +
                  + Experience/AllowSharingOfOfficeFiles +
                  +
                  + Experience/AllowSyncMySettings +
                  +
                  + Experience/AllowTailoredExperiencesWithDiagnosticData +
                  +
                  + Experience/AllowTaskSwitcher +
                  +
                  + Experience/AllowThirdPartySuggestionsInWindowsSpotlight +
                  +
                  + Experience/AllowVoiceRecording +
                  +
                  + Experience/AllowWindowsConsumerFeatures +
                  +
                  + Experience/AllowWindowsSpotlight +
                  +
                  + Experience/AllowWindowsSpotlightOnActionCenter +
                  +
                  + Experience/AllowWindowsSpotlightOnSettings +
                  +
                  + Experience/AllowWindowsSpotlightWindowsWelcomeExperience +
                  +
                  + Experience/AllowWindowsTips +
                  +
                  + Experience/ConfigureWindowsSpotlightOnLockScreen +
                  +
                  + Experience/DoNotShowFeedbackNotifications +
                  +
                  + Experience/DoNotSyncBrowserSettings +
                  +
                  + Experience/PreventUsersFromTurningOnBrowserSyncing +
                  +
                  + +### ExploitGuard policies + +
                  +
                  + ExploitGuard/ExploitProtectionSettings +
                  +
                  + +### FileExplorer policies + +
                  +
                  + FileExplorer/TurnOffDataExecutionPreventionForExplorer +
                  +
                  + FileExplorer/TurnOffHeapTerminationOnCorruption +
                  +
                  + +### Games policies + +
                  +
                  + Games/AllowAdvancedGamingServices +
                  +
                  + +### Handwriting policies + +
                  +
                  + Handwriting/PanelDefaultModeDocked +
                  +
                  + +### InternetExplorer policies + +
                  +
                  + InternetExplorer/AddSearchProvider +
                  +
                  + InternetExplorer/AllowActiveXFiltering +
                  +
                  + InternetExplorer/AllowAddOnList +
                  +
                  + InternetExplorer/AllowAutoComplete +
                  +
                  + InternetExplorer/AllowCertificateAddressMismatchWarning +
                  +
                  + InternetExplorer/AllowDeletingBrowsingHistoryOnExit +
                  +
                  + InternetExplorer/AllowEnhancedProtectedMode +
                  +
                  + InternetExplorer/AllowEnterpriseModeFromToolsMenu +
                  +
                  + InternetExplorer/AllowEnterpriseModeSiteList +
                  +
                  + InternetExplorer/AllowFallbackToSSL3 +
                  +
                  + InternetExplorer/AllowInternetExplorer7PolicyList +
                  +
                  + InternetExplorer/AllowInternetExplorerStandardsMode +
                  +
                  + InternetExplorer/AllowInternetZoneTemplate +
                  +
                  + InternetExplorer/AllowIntranetZoneTemplate +
                  +
                  + InternetExplorer/AllowLocalMachineZoneTemplate +
                  +
                  + InternetExplorer/AllowLockedDownInternetZoneTemplate +
                  +
                  + InternetExplorer/AllowLockedDownIntranetZoneTemplate +
                  +
                  + InternetExplorer/AllowLockedDownLocalMachineZoneTemplate +
                  +
                  + InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate +
                  +
                  + InternetExplorer/AllowOneWordEntry +
                  +
                  + InternetExplorer/AllowSiteToZoneAssignmentList +
                  +
                  + InternetExplorer/AllowSoftwareWhenSignatureIsInvalid +
                  +
                  + InternetExplorer/AllowSuggestedSites +
                  +
                  + InternetExplorer/AllowTrustedSitesZoneTemplate +
                  +
                  + InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate +
                  +
                  + InternetExplorer/AllowsRestrictedSitesZoneTemplate +
                  +
                  + InternetExplorer/CheckServerCertificateRevocation +
                  +
                  + InternetExplorer/CheckSignaturesOnDownloadedPrograms +
                  +
                  + InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses +
                  +
                  + InternetExplorer/DisableAdobeFlash +
                  +
                  + InternetExplorer/DisableBypassOfSmartScreenWarnings +
                  +
                  + InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles +
                  +
                  + InternetExplorer/DisableConfiguringHistory +
                  +
                  + InternetExplorer/DisableCrashDetection +
                  +
                  + InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation +
                  +
                  + InternetExplorer/DisableDeletingUserVisitedWebsites +
                  +
                  + InternetExplorer/DisableEnclosureDownloading +
                  +
                  + InternetExplorer/DisableEncryptionSupport +
                  +
                  + InternetExplorer/DisableFirstRunWizard +
                  +
                  + InternetExplorer/DisableFlipAheadFeature +
                  +
                  + InternetExplorer/DisableHomePageChange +
                  +
                  + InternetExplorer/DisableIgnoringCertificateErrors +
                  +
                  + InternetExplorer/DisableInPrivateBrowsing +
                  +
                  + InternetExplorer/DisableProcessesInEnhancedProtectedMode +
                  +
                  + InternetExplorer/DisableProxyChange +
                  +
                  + InternetExplorer/DisableSearchProviderChange +
                  +
                  + InternetExplorer/DisableSecondaryHomePageChange +
                  +
                  + InternetExplorer/DisableSecuritySettingsCheck +
                  +
                  + InternetExplorer/DisableUpdateCheck +
                  +
                  + InternetExplorer/DoNotAllowActiveXControlsInProtectedMode +
                  +
                  + InternetExplorer/DoNotAllowUsersToAddSites +
                  +
                  + InternetExplorer/DoNotAllowUsersToChangePolicies +
                  +
                  + InternetExplorer/DoNotBlockOutdatedActiveXControls +
                  +
                  + InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains +
                  +
                  + InternetExplorer/IncludeAllLocalSites +
                  +
                  + InternetExplorer/IncludeAllNetworkPaths +
                  +
                  + InternetExplorer/InternetZoneAllowAccessToDataSources +
                  +
                  + InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls +
                  +
                  + InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads +
                  +
                  + InternetExplorer/InternetZoneAllowCopyPasteViaScript +
                  +
                  + InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles +
                  +
                  + InternetExplorer/InternetZoneAllowFontDownloads +
                  +
                  + InternetExplorer/InternetZoneAllowLessPrivilegedSites +
                  +
                  + InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles +
                  +
                  + InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents +
                  +
                  + InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls +
                  +
                  + InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl +
                  +
                  + InternetExplorer/InternetZoneAllowScriptInitiatedWindows +
                  +
                  + InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls +
                  +
                  + InternetExplorer/InternetZoneAllowScriptlets +
                  +
                  + InternetExplorer/InternetZoneAllowSmartScreenIE +
                  +
                  + InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript +
                  +
                  + InternetExplorer/InternetZoneAllowUserDataPersistence +
                  +
                  + InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer +
                  +
                  + InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls +
                  +
                  + InternetExplorer/InternetZoneDownloadSignedActiveXControls +
                  +
                  + InternetExplorer/InternetZoneDownloadUnsignedActiveXControls +
                  +
                  + InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter +
                  +
                  + InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows +
                  +
                  + InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows +
                  +
                  + InternetExplorer/InternetZoneEnableMIMESniffing +
                  +
                  + InternetExplorer/InternetZoneEnableProtectedMode +
                  +
                  + InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer +
                  +
                  + InternetExplorer/InternetZoneInitializeAndScriptActiveXControls +
                  +
                  + InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe +
                  +
                  + InternetExplorer/InternetZoneJavaPermissions +
                  +
                  + InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME +
                  +
                  + InternetExplorer/InternetZoneLogonOptions +
                  +
                  + InternetExplorer/InternetZoneNavigateWindowsAndFrames +
                  +
                  + InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode +
                  +
                  + InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles +
                  +
                  + InternetExplorer/InternetZoneUsePopupBlocker +
                  +
                  + InternetExplorer/IntranetZoneAllowAccessToDataSources +
                  +
                  + InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls +
                  +
                  + InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads +
                  +
                  + InternetExplorer/IntranetZoneAllowFontDownloads +
                  +
                  + InternetExplorer/IntranetZoneAllowLessPrivilegedSites +
                  +
                  + InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents +
                  +
                  + InternetExplorer/IntranetZoneAllowScriptlets +
                  +
                  + InternetExplorer/IntranetZoneAllowSmartScreenIE +
                  +
                  + InternetExplorer/IntranetZoneAllowUserDataPersistence +
                  +
                  + InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls +
                  +
                  + InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls +
                  +
                  + InternetExplorer/IntranetZoneJavaPermissions +
                  +
                  + InternetExplorer/IntranetZoneNavigateWindowsAndFrames +
                  +
                  + InternetExplorer/LocalMachineZoneAllowAccessToDataSources +
                  +
                  + InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls +
                  +
                  + InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads +
                  +
                  + InternetExplorer/LocalMachineZoneAllowFontDownloads +
                  +
                  + InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites +
                  +
                  + InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents +
                  +
                  + InternetExplorer/LocalMachineZoneAllowScriptlets +
                  +
                  + InternetExplorer/LocalMachineZoneAllowSmartScreenIE +
                  +
                  + InternetExplorer/LocalMachineZoneAllowUserDataPersistence +
                  +
                  + InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls +
                  +
                  + InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls +
                  +
                  + InternetExplorer/LocalMachineZoneJavaPermissions +
                  +
                  + InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames +
                  +
                  + InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources +
                  +
                  + InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls +
                  +
                  + InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads +
                  +
                  + InternetExplorer/LockedDownInternetZoneAllowFontDownloads +
                  +
                  + InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites +
                  +
                  + InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents +
                  +
                  + InternetExplorer/LockedDownInternetZoneAllowScriptlets +
                  +
                  + InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE +
                  +
                  + InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence +
                  +
                  + InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls +
                  +
                  + InternetExplorer/LockedDownInternetZoneJavaPermissions +
                  +
                  + InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames +
                  +
                  + InternetExplorer/LockedDownIntranetJavaPermissions +
                  +
                  + InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources +
                  +
                  + InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls +
                  +
                  + InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads +
                  +
                  + InternetExplorer/LockedDownIntranetZoneAllowFontDownloads +
                  +
                  + InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites +
                  +
                  + InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents +
                  +
                  + InternetExplorer/LockedDownIntranetZoneAllowScriptlets +
                  +
                  + InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE +
                  +
                  + InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence +
                  +
                  + InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls +
                  +
                  + InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames +
                  +
                  + InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources +
                  +
                  + InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls +
                  +
                  + InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads +
                  +
                  + InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads +
                  +
                  + InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites +
                  +
                  + InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents +
                  +
                  + InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets +
                  +
                  + InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE +
                  +
                  + InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence +
                  +
                  + InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls +
                  +
                  + InternetExplorer/LockedDownLocalMachineZoneJavaPermissions +
                  +
                  + InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames +
                  +
                  + InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources +
                  +
                  + InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls +
                  +
                  + InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads +
                  +
                  + InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads +
                  +
                  + InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites +
                  +
                  + InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents +
                  +
                  + InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets +
                  +
                  + InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE +
                  +
                  + InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence +
                  +
                  + InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls +
                  +
                  + InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions +
                  +
                  + InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames +
                  +
                  + InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources +
                  +
                  + InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls +
                  +
                  + InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads +
                  +
                  + InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads +
                  +
                  + InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites +
                  +
                  + InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents +
                  +
                  + InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets +
                  +
                  + InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE +
                  +
                  + InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence +
                  +
                  + InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls +
                  +
                  + InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions +
                  +
                  + InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames +
                  +
                  + InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses +
                  +
                  + InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses +
                  +
                  + InternetExplorer/NotificationBarInternetExplorerProcesses +
                  +
                  + InternetExplorer/PreventManagingSmartScreenFilter +
                  +
                  + InternetExplorer/PreventPerUserInstallationOfActiveXControls +
                  +
                  + InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses +
                  +
                  + InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls +
                  +
                  + InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses +
                  +
                  + InternetExplorer/RestrictFileDownloadInternetExplorerProcesses +
                  +
                  + InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources +
                  +
                  + InternetExplorer/RestrictedSitesZoneAllowActiveScripting +
                  +
                  + InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls +
                  +
                  + InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads +
                  +
                  + InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors +
                  +
                  + InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript +
                  +
                  + InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles +
                  +
                  + InternetExplorer/RestrictedSitesZoneAllowFileDownloads +
                  +
                  + InternetExplorer/RestrictedSitesZoneAllowFontDownloads +
                  +
                  + InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites +
                  +
                  + InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles +
                  +
                  + InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH +
                  +
                  + InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents +
                  +
                  + InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls +
                  +
                  + InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl +
                  +
                  + InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows +
                  +
                  + InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls +
                  +
                  + InternetExplorer/RestrictedSitesZoneAllowScriptlets +
                  +
                  + InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE +
                  +
                  + InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript +
                  +
                  + InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence +
                  +
                  + InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer +
                  +
                  + InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls +
                  +
                  + InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls +
                  +
                  + InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls +
                  +
                  + InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter +
                  +
                  + InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows +
                  +
                  + InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows +
                  +
                  + InternetExplorer/RestrictedSitesZoneEnableMIMESniffing +
                  +
                  + InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer +
                  +
                  + InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls +
                  +
                  + InternetExplorer/RestrictedSitesZoneJavaPermissions +
                  +
                  + InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME +
                  +
                  + InternetExplorer/RestrictedSitesZoneLogonOptions +
                  +
                  + InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames +
                  +
                  + InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins +
                  +
                  + InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode +
                  +
                  + InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting +
                  +
                  + InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets +
                  +
                  + InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles +
                  +
                  + InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode +
                  +
                  + InternetExplorer/RestrictedSitesZoneUsePopupBlocker +
                  +
                  + InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses +
                  +
                  + InternetExplorer/SearchProviderList +
                  +
                  + InternetExplorer/SecurityZonesUseOnlyMachineSettings +
                  +
                  + InternetExplorer/SpecifyUseOfActiveXInstallerService +
                  +
                  + InternetExplorer/TrustedSitesZoneAllowAccessToDataSources +
                  +
                  + InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls +
                  +
                  + InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads +
                  +
                  + InternetExplorer/TrustedSitesZoneAllowFontDownloads +
                  +
                  + InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites +
                  +
                  + InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents +
                  +
                  + InternetExplorer/TrustedSitesZoneAllowScriptlets +
                  +
                  + InternetExplorer/TrustedSitesZoneAllowSmartScreenIE +
                  +
                  + InternetExplorer/TrustedSitesZoneAllowUserDataPersistence +
                  +
                  + InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls +
                  +
                  + InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls +
                  +
                  + InternetExplorer/TrustedSitesZoneJavaPermissions +
                  +
                  + InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames +
                  +
                  + +### Kerberos policies + +
                  +
                  + Kerberos/AllowForestSearchOrder +
                  +
                  + Kerberos/KerberosClientSupportsClaimsCompoundArmor +
                  +
                  + Kerberos/RequireKerberosArmoring +
                  +
                  + Kerberos/RequireStrictKDCValidation +
                  +
                  + Kerberos/SetMaximumContextTokenSize +
                  +
                  + +### KioskBrowser policies + +
                  +
                  + KioskBrowser/BlockedUrlExceptions +
                  +
                  + KioskBrowser/BlockedUrls +
                  +
                  + KioskBrowser/DefaultURL +
                  +
                  + KioskBrowser/EnableEndSessionButton +
                  +
                  + KioskBrowser/EnableHomeButton +
                  +
                  + KioskBrowser/EnableNavigationButtons +
                  +
                  + KioskBrowser/RestartOnIdleTime +
                  +
                  + +### LanmanWorkstation policies + +
                  +
                  + LanmanWorkstation/EnableInsecureGuestLogons +
                  +
                  + +### Licensing policies + +
                  +
                  + Licensing/AllowWindowsEntitlementReactivation +
                  +
                  + Licensing/DisallowKMSClientOnlineAVSValidation +
                  +
                  + +### LocalPoliciesSecurityOptions policies + +
                  +
                  + LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts +
                  +
                  + LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus +
                  +
                  + LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus +
                  +
                  + LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly +
                  +
                  + LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount +
                  +
                  + LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount +
                  +
                  + LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon +
                  +
                  + LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia +
                  +
                  + LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters +
                  +
                  + LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly +
                  +
                  + LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways +
                  +
                  + LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible +
                  +
                  + LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges +
                  +
                  + LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked +
                  +
                  + LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn +
                  +
                  + LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn +
                  +
                  + LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL +
                  +
                  + LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit +
                  +
                  + LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn +
                  +
                  + LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn +
                  +
                  + LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior +
                  +
                  + LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways +
                  +
                  + LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees +
                  +
                  + LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers +
                  +
                  + LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession +
                  +
                  + LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways +
                  +
                  + LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees +
                  +
                  + LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts +
                  +
                  + LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares +
                  +
                  + LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares +
                  +
                  + LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM +
                  +
                  + LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM +
                  +
                  + LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests +
                  +
                  + LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange +
                  +
                  + LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel +
                  +
                  + LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients +
                  +
                  + LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers +
                  +
                  + LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication +
                  +
                  + LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic +
                  +
                  + LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic +
                  +
                  + LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers +
                  +
                  + LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon +
                  +
                  + LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn +
                  +
                  + LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile +
                  +
                  + LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems +
                  +
                  + LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation +
                  +
                  + LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators +
                  +
                  + LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers +
                  +
                  + LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation +
                  +
                  + LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated +
                  +
                  + LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations +
                  +
                  + LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode +
                  +
                  + LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation +
                  +
                  + LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode +
                  +
                  + LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations +
                  +
                  + +### Location policies + +
                  +
                  + Location/EnableLocation +
                  +
                  + +### LockDown policies + +
                  +
                  + LockDown/AllowEdgeSwipe +
                  +
                  + +### Maps policies + +
                  +
                  + Maps/AllowOfflineMapsDownloadOverMeteredConnection +
                  +
                  + Maps/EnableOfflineMapsAutoUpdate +
                  +
                  + +### Messaging policies + +
                  +
                  + Messaging/AllowMMS +
                  +
                  + Messaging/AllowMessageSync +
                  +
                  + Messaging/AllowRCS +
                  +
                  + +### MSSecurityGuide policies + +
                  +
                  + MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon +
                  +
                  + MSSecurityGuide/ConfigureSMBV1ClientDriver +
                  +
                  + MSSecurityGuide/ConfigureSMBV1Server +
                  +
                  + MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection +
                  +
                  + MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications +
                  +
                  + MSSecurityGuide/WDigestAuthentication +
                  +
                  + +### MSSLegacy policies + +
                  +
                  + MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes +
                  +
                  + MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers +
                  +
                  + MSSLegacy/IPSourceRoutingProtectionLevel +
                  +
                  + MSSLegacy/IPv6SourceRoutingProtectionLevel +
                  +
                  + +### NetworkIsolation policies + +
                  +
                  + NetworkIsolation/EnterpriseCloudResources +
                  +
                  + NetworkIsolation/EnterpriseIPRange +
                  +
                  + NetworkIsolation/EnterpriseIPRangesAreAuthoritative +
                  +
                  + NetworkIsolation/EnterpriseInternalProxyServers +
                  +
                  + NetworkIsolation/EnterpriseNetworkDomainNames +
                  +
                  + NetworkIsolation/EnterpriseProxyServers +
                  +
                  + NetworkIsolation/EnterpriseProxyServersAreAuthoritative +
                  +
                  + NetworkIsolation/NeutralResources +
                  +
                  + +### Notifications policies + +
                  +
                  + Notifications/DisallowCloudNotification +
                  +
                  + Notifications/DisallowNotificationMirroring +
                  +
                  + Notifications/DisallowTileNotification +
                  +
                  + +### Power policies + +
                  +
                  + Power/AllowStandbyStatesWhenSleepingOnBattery +
                  +
                  + Power/AllowStandbyWhenSleepingPluggedIn +
                  +
                  + Power/DisplayOffTimeoutOnBattery +
                  +
                  + Power/DisplayOffTimeoutPluggedIn +
                  +
                  + Power/HibernateTimeoutOnBattery +
                  +
                  + Power/HibernateTimeoutPluggedIn +
                  +
                  + Power/RequirePasswordWhenComputerWakesOnBattery +
                  +
                  + Power/RequirePasswordWhenComputerWakesPluggedIn +
                  +
                  + Power/StandbyTimeoutOnBattery +
                  +
                  + Power/StandbyTimeoutPluggedIn +
                  +
                  + +### Printers policies + +
                  +
                  + Printers/PointAndPrintRestrictions +
                  +
                  + Printers/PointAndPrintRestrictions_User +
                  +
                  + Printers/PublishPrinters +
                  +
                  + +### Privacy policies + +
                  +
                  + Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts +
                  +
                  + Privacy/AllowCrossDeviceClipboard +
                  +
                  + Privacy/AllowInputPersonalization +
                  +
                  + Privacy/DisableAdvertisingId +
                  +
                  + Privacy/EnableActivityFeed +
                  +
                  + Privacy/LetAppsAccessAccountInfo +
                  +
                  + Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps +
                  +
                  + Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps +
                  +
                  + Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps +
                  +
                  + Privacy/LetAppsAccessCalendar +
                  +
                  + Privacy/LetAppsAccessCalendar_ForceAllowTheseApps +
                  +
                  + Privacy/LetAppsAccessCalendar_ForceDenyTheseApps +
                  +
                  + Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps +
                  +
                  + Privacy/LetAppsAccessCallHistory +
                  +
                  + Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps +
                  +
                  + Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps +
                  +
                  + Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps +
                  +
                  + Privacy/LetAppsAccessCamera +
                  +
                  + Privacy/LetAppsAccessCamera_ForceAllowTheseApps +
                  +
                  + Privacy/LetAppsAccessCamera_ForceDenyTheseApps +
                  +
                  + Privacy/LetAppsAccessCamera_UserInControlOfTheseApps +
                  +
                  + Privacy/LetAppsAccessContacts +
                  +
                  + Privacy/LetAppsAccessContacts_ForceAllowTheseApps +
                  +
                  + Privacy/LetAppsAccessContacts_ForceDenyTheseApps +
                  +
                  + Privacy/LetAppsAccessContacts_UserInControlOfTheseApps +
                  +
                  + Privacy/LetAppsAccessEmail +
                  +
                  + Privacy/LetAppsAccessEmail_ForceAllowTheseApps +
                  +
                  + Privacy/LetAppsAccessEmail_ForceDenyTheseApps +
                  +
                  + Privacy/LetAppsAccessEmail_UserInControlOfTheseApps +
                  +
                  + Privacy/LetAppsAccessGazeInput +
                  +
                  + Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps +
                  +
                  + Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps +
                  +
                  + Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps +
                  +
                  + Privacy/LetAppsAccessLocation +
                  +
                  + Privacy/LetAppsAccessLocation_ForceAllowTheseApps +
                  +
                  + Privacy/LetAppsAccessLocation_ForceDenyTheseApps +
                  +
                  + Privacy/LetAppsAccessLocation_UserInControlOfTheseApps +
                  +
                  + Privacy/LetAppsAccessMessaging +
                  +
                  + Privacy/LetAppsAccessMessaging_ForceAllowTheseApps +
                  +
                  + Privacy/LetAppsAccessMessaging_ForceDenyTheseApps +
                  +
                  + Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps +
                  +
                  + Privacy/LetAppsAccessMicrophone +
                  +
                  + Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps +
                  +
                  + Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps +
                  +
                  + Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps +
                  +
                  + Privacy/LetAppsAccessMotion +
                  +
                  + Privacy/LetAppsAccessMotion_ForceAllowTheseApps +
                  +
                  + Privacy/LetAppsAccessMotion_ForceDenyTheseApps +
                  +
                  + Privacy/LetAppsAccessMotion_UserInControlOfTheseApps +
                  +
                  + Privacy/LetAppsAccessNotifications +
                  +
                  + Privacy/LetAppsAccessNotifications_ForceAllowTheseApps +
                  +
                  + Privacy/LetAppsAccessNotifications_ForceDenyTheseApps +
                  +
                  + Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps +
                  +
                  + Privacy/LetAppsAccessPhone +
                  +
                  + Privacy/LetAppsAccessPhone_ForceAllowTheseApps +
                  +
                  + Privacy/LetAppsAccessPhone_ForceDenyTheseApps +
                  +
                  + Privacy/LetAppsAccessPhone_UserInControlOfTheseApps +
                  +
                  + Privacy/LetAppsAccessRadios +
                  +
                  + Privacy/LetAppsAccessRadios_ForceAllowTheseApps +
                  +
                  + Privacy/LetAppsAccessRadios_ForceDenyTheseApps +
                  +
                  + Privacy/LetAppsAccessRadios_UserInControlOfTheseApps +
                  +
                  + Privacy/LetAppsAccessTasks +
                  +
                  + Privacy/LetAppsAccessTasks_ForceAllowTheseApps +
                  +
                  + Privacy/LetAppsAccessTasks_ForceDenyTheseApps +
                  +
                  + Privacy/LetAppsAccessTasks_UserInControlOfTheseApps +
                  +
                  + Privacy/LetAppsAccessTrustedDevices +
                  +
                  + Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps +
                  +
                  + Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps +
                  +
                  + Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps +
                  +
                  + Privacy/LetAppsGetDiagnosticInfo +
                  +
                  + Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps +
                  +
                  + Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps +
                  +
                  + Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps +
                  +
                  + Privacy/LetAppsRunInBackground +
                  +
                  + Privacy/LetAppsRunInBackground_ForceAllowTheseApps +
                  +
                  + Privacy/LetAppsRunInBackground_ForceDenyTheseApps +
                  +
                  + Privacy/LetAppsRunInBackground_UserInControlOfTheseApps +
                  +
                  + Privacy/LetAppsSyncWithDevices +
                  +
                  + Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps +
                  +
                  + Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps +
                  +
                  + Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps +
                  +
                  + Privacy/PublishUserActivities +
                  +
                  + Privacy/UploadUserActivities +
                  +
                  + +### RemoteAssistance policies + +
                  +
                  + RemoteAssistance/CustomizeWarningMessages +
                  +
                  + RemoteAssistance/SessionLogging +
                  +
                  + RemoteAssistance/SolicitedRemoteAssistance +
                  +
                  + RemoteAssistance/UnsolicitedRemoteAssistance +
                  +
                  + +### RemoteDesktopServices policies + +
                  +
                  + RemoteDesktopServices/AllowUsersToConnectRemotely +
                  +
                  + RemoteDesktopServices/ClientConnectionEncryptionLevel +
                  +
                  + RemoteDesktopServices/DoNotAllowDriveRedirection +
                  +
                  + RemoteDesktopServices/DoNotAllowPasswordSaving +
                  +
                  + RemoteDesktopServices/PromptForPasswordUponConnection +
                  +
                  + RemoteDesktopServices/RequireSecureRPCCommunication +
                  +
                  + +### RemoteManagement policies + +
                  +
                  + RemoteManagement/AllowBasicAuthentication_Client +
                  +
                  + RemoteManagement/AllowBasicAuthentication_Service +
                  +
                  + RemoteManagement/AllowCredSSPAuthenticationClient +
                  +
                  + RemoteManagement/AllowCredSSPAuthenticationService +
                  +
                  + RemoteManagement/AllowRemoteServerManagement +
                  +
                  + RemoteManagement/AllowUnencryptedTraffic_Client +
                  +
                  + RemoteManagement/AllowUnencryptedTraffic_Service +
                  +
                  + RemoteManagement/DisallowDigestAuthentication +
                  +
                  + RemoteManagement/DisallowNegotiateAuthenticationClient +
                  +
                  + RemoteManagement/DisallowNegotiateAuthenticationService +
                  +
                  + RemoteManagement/DisallowStoringOfRunAsCredentials +
                  +
                  + RemoteManagement/SpecifyChannelBindingTokenHardeningLevel +
                  +
                  + RemoteManagement/TrustedHosts +
                  +
                  + RemoteManagement/TurnOnCompatibilityHTTPListener +
                  +
                  + RemoteManagement/TurnOnCompatibilityHTTPSListener +
                  +
                  + +### RemoteProcedureCall policies + +
                  +
                  + RemoteProcedureCall/RPCEndpointMapperClientAuthentication +
                  +
                  + RemoteProcedureCall/RestrictUnauthenticatedRPCClients +
                  +
                  + +### RemoteShell policies + +
                  +
                  + RemoteShell/AllowRemoteShellAccess +
                  +
                  + RemoteShell/MaxConcurrentUsers +
                  +
                  + RemoteShell/SpecifyIdleTimeout +
                  +
                  + RemoteShell/SpecifyMaxMemory +
                  +
                  + RemoteShell/SpecifyMaxProcesses +
                  +
                  + RemoteShell/SpecifyMaxRemoteShells +
                  +
                  + RemoteShell/SpecifyShellTimeout +
                  +
                  + +### RestrictedGroups policies + +
                  +
                  + RestrictedGroups/ConfigureGroupMembership +
                  +
                  + +### Search policies + +
                  +
                  + Search/AllowCloudSearch +
                  +
                  + Search/AllowCortanaInAAD +
                  +
                  + Search/AllowIndexingEncryptedStoresOrItems +
                  +
                  + Search/AllowSearchToUseLocation +
                  +
                  + Search/AllowStoringImagesFromVisionSearch +
                  +
                  + Search/AllowUsingDiacritics +
                  +
                  + Search/AllowWindowsIndexer +
                  +
                  + Search/AlwaysUseAutoLangDetection +
                  +
                  + Search/DisableBackoff +
                  +
                  + Search/DisableRemovableDriveIndexing +
                  +
                  + Search/DoNotUseWebResults +
                  +
                  + Search/PreventIndexingLowDiskSpaceMB +
                  +
                  + Search/PreventRemoteQueries +
                  +
                  + Search/SafeSearchPermissions +
                  +
                  + +### Security policies + +
                  +
                  + Security/AllowAddProvisioningPackage +
                  +
                  + Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices +
                  +
                  + Security/AllowManualRootCertificateInstallation +
                  +
                  + Security/AllowRemoveProvisioningPackage +
                  +
                  + Security/AntiTheftMode +
                  +
                  + Security/ClearTPMIfNotReady +
                  +
                  + Security/ConfigureWindowsPasswords +
                  +
                  + Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices +
                  +
                  + Security/RecoveryEnvironmentAuthentication +
                  +
                  + Security/RequireDeviceEncryption +
                  +
                  + Security/RequireProvisioningPackageSignature +
                  +
                  + Security/RequireRetrieveHealthCertificateOnBoot +
                  +
                  + +### Settings policies + +
                  +
                  + Settings/AllowAutoPlay +
                  +
                  + Settings/AllowDataSense +
                  +
                  + Settings/AllowDateTime +
                  +
                  + Settings/AllowEditDeviceName +
                  +
                  + Settings/AllowLanguage +
                  +
                  + Settings/AllowOnlineTips +
                  +
                  + Settings/AllowPowerSleep +
                  +
                  + Settings/AllowRegion +
                  +
                  + Settings/AllowSignInOptions +
                  +
                  + Settings/AllowVPN +
                  +
                  + Settings/AllowWorkplace +
                  +
                  + Settings/AllowYourAccount +
                  +
                  + Settings/ConfigureTaskbarCalendar +
                  +
                  + Settings/PageVisibilityList +
                  +
                  + +### SmartScreen policies + +
                  +
                  + SmartScreen/EnableAppInstallControl +
                  +
                  + SmartScreen/EnableSmartScreenInShell +
                  +
                  + SmartScreen/PreventOverrideForFilesInShell +
                  +
                  + +### Speech policies + +
                  +
                  + Speech/AllowSpeechModelUpdate +
                  +
                  + +### Start policies + +
                  +
                  + Start/AllowPinnedFolderDocuments +
                  +
                  + Start/AllowPinnedFolderDownloads +
                  +
                  + Start/AllowPinnedFolderFileExplorer +
                  +
                  + Start/AllowPinnedFolderHomeGroup +
                  +
                  + Start/AllowPinnedFolderMusic +
                  +
                  + Start/AllowPinnedFolderNetwork +
                  +
                  + Start/AllowPinnedFolderPersonalFolder +
                  +
                  + Start/AllowPinnedFolderPictures +
                  +
                  + Start/AllowPinnedFolderSettings +
                  +
                  + Start/AllowPinnedFolderVideos +
                  +
                  + Start/ForceStartSize +
                  +
                  + Start/HideAppList +
                  +
                  + Start/HideChangeAccountSettings +
                  +
                  + Start/HideFrequentlyUsedApps +
                  +
                  + Start/HideHibernate +
                  +
                  + Start/HideLock +
                  +
                  + Start/HidePeopleBar +
                  +
                  + Start/HidePowerButton +
                  +
                  + Start/HideRecentJumplists +
                  +
                  + Start/HideRecentlyAddedApps +
                  +
                  + Start/HideRestart +
                  +
                  + Start/HideShutDown +
                  +
                  + Start/HideSignOut +
                  +
                  + Start/HideSleep +
                  +
                  + Start/HideSwitchAccount +
                  +
                  + Start/HideUserTile +
                  +
                  + Start/ImportEdgeAssets +
                  +
                  + Start/NoPinningToTaskbar +
                  +
                  + Start/StartLayout +
                  +
                  + +### Storage policies + +
                  +
                  + Storage/AllowDiskHealthModelUpdates +
                  +
                  + Storage/EnhancedStorageDevices +
                  +
                  + +### System policies + +
                  +
                  + System/AllowBuildPreview +
                  +
                  + System/AllowEmbeddedMode +
                  +
                  + System/AllowExperimentation +
                  +
                  + System/AllowFontProviders +
                  +
                  + System/AllowLocation +
                  +
                  + System/AllowStorageCard +
                  +
                  + System/AllowTelemetry +
                  +
                  + System/AllowUserToResetPhone +
                  +
                  + System/BootStartDriverInitialization +
                  +
                  + System/ConfigureTelemetryOptInChangeNotification +
                  +
                  + System/ConfigureTelemetryOptInSettingsUx +
                  +
                  + System/DisableEnterpriseAuthProxy +
                  +
                  + System/DisableOneDriveFileSync +
                  +
                  + System/DisableSystemRestore +
                  +
                  + System/FeedbackHubAlwaysSaveDiagnosticsLocally +
                  +
                  + System/LimitEnhancedDiagnosticDataWindowsAnalytics +
                  +
                  + System/TelemetryProxy +
                  +
                  + +### SystemServices policies + +
                  +
                  + SystemServices/ConfigureHomeGroupListenerServiceStartupMode +
                  +
                  + SystemServices/ConfigureHomeGroupProviderServiceStartupMode +
                  +
                  + SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode +
                  +
                  + SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode +
                  +
                  + SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode +
                  +
                  + SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode +
                  +
                  + +### TaskManager policies + +
                  +
                  + TaskManager/AllowEndTask +
                  +
                  + +### TaskScheduler policies + +
                  +
                  + TaskScheduler/EnableXboxGameSaveTask +
                  +
                  + +### TextInput policies + +
                  +
                  + TextInput/AllowHardwareKeyboardTextSuggestions +
                  +
                  + TextInput/AllowIMELogging +
                  +
                  + TextInput/AllowIMENetworkAccess +
                  +
                  + TextInput/AllowInputPanel +
                  +
                  + TextInput/AllowJapaneseIMESurrogatePairCharacters +
                  +
                  + TextInput/AllowJapaneseIVSCharacters +
                  +
                  + TextInput/AllowJapaneseNonPublishingStandardGlyph +
                  +
                  + TextInput/AllowJapaneseUserDictionary +
                  +
                  + TextInput/AllowKeyboardTextSuggestions +
                  +
                  + TextInput/AllowKoreanExtendedHanja +
                  +
                  + TextInput/AllowLanguageFeaturesUninstall +
                  +
                  + TextInput/AllowLinguisticDataCollection +
                  +
                  + TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode +
                  +
                  + TextInput/ExcludeJapaneseIMEExceptJIS0208 +
                  +
                  + TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC +
                  +
                  + TextInput/ExcludeJapaneseIMEExceptShiftJIS +
                  +
                  + TextInput/ForceTouchKeyboardDockedState +
                  +
                  + TextInput/TouchKeyboardDictationButtonAvailability +
                  +
                  + TextInput/TouchKeyboardEmojiButtonAvailability +
                  +
                  + TextInput/TouchKeyboardFullModeAvailability +
                  +
                  + TextInput/TouchKeyboardHandwritingModeAvailability +
                  +
                  + TextInput/TouchKeyboardNarrowModeAvailability +
                  +
                  + TextInput/TouchKeyboardSplitModeAvailability +
                  +
                  + TextInput/TouchKeyboardWideModeAvailability +
                  +
                  + +### TimeLanguageSettings policies + +
                  +
                  + TimeLanguageSettings/AllowSet24HourClock +
                  +
                  + +### Update policies + +
                  +
                  + Update/ActiveHoursEnd +
                  +
                  + Update/ActiveHoursMaxRange +
                  +
                  + Update/ActiveHoursStart +
                  +
                  + Update/AllowAutoUpdate +
                  +
                  + Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork +
                  +
                  + Update/AllowMUUpdateService +
                  +
                  + Update/AllowNonMicrosoftSignedUpdate +
                  +
                  + Update/AllowUpdateService +
                  +
                  + Update/AutoRestartDeadlinePeriodInDays +
                  +
                  + Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates +
                  +
                  + Update/AutoRestartNotificationSchedule +
                  +
                  + Update/AutoRestartRequiredNotificationDismissal +
                  +
                  + Update/BranchReadinessLevel +
                  +
                  + Update/ConfigureFeatureUpdateUninstallPeriod +
                  +
                  + Update/DeferFeatureUpdatesPeriodInDays +
                  +
                  + Update/DeferQualityUpdatesPeriodInDays +
                  +
                  + Update/DeferUpdatePeriod +
                  +
                  + Update/DeferUpgradePeriod +
                  +
                  + Update/DetectionFrequency +
                  +
                  + Update/DisableDualScan +
                  +
                  + Update/EngagedRestartDeadline +
                  +
                  + Update/EngagedRestartDeadlineForFeatureUpdates +
                  +
                  + Update/EngagedRestartSnoozeSchedule +
                  +
                  + Update/EngagedRestartSnoozeScheduleForFeatureUpdates +
                  +
                  + Update/EngagedRestartTransitionSchedule +
                  +
                  + Update/EngagedRestartTransitionScheduleForFeatureUpdates +
                  +
                  + Update/ExcludeWUDriversInQualityUpdate +
                  +
                  + Update/FillEmptyContentUrls +
                  +
                  + Update/IgnoreMOAppDownloadLimit +
                  +
                  + Update/IgnoreMOUpdateDownloadLimit +
                  +
                  + Update/ManagePreviewBuilds +
                  +
                  + Update/PauseDeferrals +
                  +
                  + Update/PauseFeatureUpdates +
                  +
                  + Update/PauseFeatureUpdatesStartTime +
                  +
                  + Update/PauseQualityUpdates +
                  +
                  + Update/PauseQualityUpdatesStartTime +
                  +
                  + Update/PhoneUpdateRestrictions +
                  +
                  + Update/RequireDeferUpgrade +
                  +
                  + Update/RequireUpdateApproval +
                  +
                  + Update/ScheduleImminentRestartWarning +
                  +
                  + Update/ScheduleRestartWarning +
                  +
                  + Update/ScheduledInstallDay +
                  +
                  + Update/ScheduledInstallEveryWeek +
                  +
                  + Update/ScheduledInstallFirstWeek +
                  +
                  + Update/ScheduledInstallFourthWeek +
                  +
                  + Update/ScheduledInstallSecondWeek +
                  +
                  + Update/ScheduledInstallThirdWeek +
                  +
                  + Update/ScheduledInstallTime +
                  +
                  + Update/SetAutoRestartNotificationDisable +
                  +
                  + Update/SetDisablePauseUXAccess +
                  +
                  + Update/SetDisableUXWUAccess +
                  +
                  + Update/SetEDURestart +
                  +
                  + Update/UpdateNotificationLevel +
                  +
                  + Update/UpdateServiceUrl +
                  +
                  + Update/UpdateServiceUrlAlternate +
                  +
                  + +### UserRights policies + +
                  +
                  + UserRights/AccessCredentialManagerAsTrustedCaller +
                  +
                  + UserRights/AccessFromNetwork +
                  +
                  + UserRights/ActAsPartOfTheOperatingSystem +
                  +
                  + UserRights/AllowLocalLogOn +
                  +
                  + UserRights/BackupFilesAndDirectories +
                  +
                  + UserRights/ChangeSystemTime +
                  +
                  + UserRights/CreateGlobalObjects +
                  +
                  + UserRights/CreatePageFile +
                  +
                  + UserRights/CreatePermanentSharedObjects +
                  +
                  + UserRights/CreateSymbolicLinks +
                  +
                  + UserRights/CreateToken +
                  +
                  + UserRights/DebugPrograms +
                  +
                  + UserRights/DenyAccessFromNetwork +
                  +
                  + UserRights/DenyLocalLogOn +
                  +
                  + UserRights/DenyRemoteDesktopServicesLogOn +
                  +
                  + UserRights/EnableDelegation +
                  +
                  + UserRights/GenerateSecurityAudits +
                  +
                  + UserRights/ImpersonateClient +
                  +
                  + UserRights/IncreaseSchedulingPriority +
                  +
                  + UserRights/LoadUnloadDeviceDrivers +
                  +
                  + UserRights/LockMemory +
                  +
                  + UserRights/ManageAuditingAndSecurityLog +
                  +
                  + UserRights/ManageVolume +
                  +
                  + UserRights/ModifyFirmwareEnvironment +
                  +
                  + UserRights/ModifyObjectLabel +
                  +
                  + UserRights/ProfileSingleProcess +
                  +
                  + UserRights/RemoteShutdown +
                  +
                  + UserRights/RestoreFilesAndDirectories +
                  +
                  + UserRights/TakeOwnership +
                  +
                  + +### Wifi policies + +
                  +
                  + WiFi/AllowWiFiHotSpotReporting +
                  +
                  + Wifi/AllowAutoConnectToWiFiSenseHotspots +
                  +
                  + Wifi/AllowInternetSharing +
                  +
                  + Wifi/AllowManualWiFiConfiguration +
                  +
                  + Wifi/AllowWiFi +
                  +
                  + Wifi/AllowWiFiDirect +
                  +
                  + Wifi/WLANScanMode +
                  +
                  + +### WindowsConnectionManager policies + +
                  +
                  + WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork +
                  +
                  + +### WindowsDefenderSecurityCenter policies + +
                  +
                  + WindowsDefenderSecurityCenter/CompanyName +
                  +
                  + WindowsDefenderSecurityCenter/DisableAccountProtectionUI +
                  +
                  + WindowsDefenderSecurityCenter/DisableAppBrowserUI +
                  +
                  + WindowsDefenderSecurityCenter/DisableClearTpmButton +
                  +
                  + WindowsDefenderSecurityCenter/DisableDeviceSecurityUI +
                  +
                  + WindowsDefenderSecurityCenter/DisableEnhancedNotifications +
                  +
                  + WindowsDefenderSecurityCenter/DisableFamilyUI +
                  +
                  + WindowsDefenderSecurityCenter/DisableHealthUI +
                  +
                  + WindowsDefenderSecurityCenter/DisableNetworkUI +
                  +
                  + WindowsDefenderSecurityCenter/DisableNotifications +
                  +
                  + WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning +
                  +
                  + WindowsDefenderSecurityCenter/DisableVirusUI +
                  +
                  + WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride +
                  +
                  + WindowsDefenderSecurityCenter/Email +
                  +
                  + WindowsDefenderSecurityCenter/EnableCustomizedToasts +
                  +
                  + WindowsDefenderSecurityCenter/EnableInAppCustomization +
                  +
                  + WindowsDefenderSecurityCenter/HideRansomwareDataRecovery +
                  +
                  + WindowsDefenderSecurityCenter/HideSecureBoot +
                  +
                  + WindowsDefenderSecurityCenter/HideTPMTroubleshooting +
                  +
                  + WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl +
                  +
                  + WindowsDefenderSecurityCenter/Phone +
                  +
                  + WindowsDefenderSecurityCenter/URL +
                  +
                  + +### WindowsInkWorkspace policies + +
                  +
                  + WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace +
                  +
                  + WindowsInkWorkspace/AllowWindowsInkWorkspace +
                  +
                  + +### WindowsLogon policies + +
                  +
                  + WindowsLogon/DisableLockScreenAppNotifications +
                  +
                  + WindowsLogon/DontDisplayNetworkSelectionUI +
                  +
                  + WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers +
                  +
                  + WindowsLogon/HideFastUserSwitching +
                  +
                  + WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart +
                  +
                  + +### WindowsPowerShell policies + +
                  +
                  + WindowsPowerShell/TurnOnPowerShellScriptBlockLogging +
                  +
                  + +### WirelessDisplay policies + +
                  +
                  + WirelessDisplay/AllowMdnsAdvertisement +
                  +
                  + WirelessDisplay/AllowMdnsDiscovery +
                  +
                  + WirelessDisplay/AllowProjectionFromPC +
                  +
                  + WirelessDisplay/AllowProjectionFromPCOverInfrastructure +
                  +
                  + WirelessDisplay/AllowProjectionToPC +
                  +
                  + WirelessDisplay/AllowProjectionToPCOverInfrastructure +
                  +
                  + WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver +
                  +
                  + WirelessDisplay/RequirePinForPairing +
                  +
+
+
+## ADMX-backed policies
+
+- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites)
+- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional)
+- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient)
+- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization)
+- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup)
+- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts)
+- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux)
+- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver)
+- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions)
+- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions)
+- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload)
+- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode)
+- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal)
+- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser)
+- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1)
+- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2)
+- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3)
+- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4)
+- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5)
+- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl)
+- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch)
+- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider)
+- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot)
+- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot)
+- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval)
+- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries)
+- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode)
+- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache)
+- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist)
+- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist)
+- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation)
+- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism)
+- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms)
+- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices)
+- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior)
+- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay)
+- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui)
+- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp)
+- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp)
+- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
+- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths)
+- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge)
+- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
+- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
+- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials)
+- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
+- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
+- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
+- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
+- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
+- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses)
+- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork)
+- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses)
+- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera)
+- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
+- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings)
+- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting)
+- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification)
+- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata)
+- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay)
+- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior)
+- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog)
+- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog)
+- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog)
+- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer)
+- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption)
+- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider)
+- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering)
+- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist)
+- 
[InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete) +- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning) +- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit) +- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode) +- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu) +- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist) +- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3) +- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist) +- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode) +- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate) +- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate) +- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate) +- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate) +- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate) +- 
[InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate) +- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate) +- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry) +- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist) +- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid) +- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites) +- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate) +- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate) +- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate) +- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation) +- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms) +- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses) +- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash) +- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings) +- 
[InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles) +- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory) +- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection) +- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation) +- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites) +- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading) +- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport) +- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard) +- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature) +- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange) +- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors) +- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing) +- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode) +- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange) +- 
[InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange) +- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange) +- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck) +- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck) +- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode) +- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites) +- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies) +- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols) +- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains) +- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites) +- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths) +- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources) +- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads) +- 
[InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript) +- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles) +- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads) +- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites) +- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles) +- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols) +- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol) +- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows) +- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols) +- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets) +- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie) +- 
[InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript) +- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence) +- [InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer) +- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols) +- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols) +- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter) +- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows) +- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows) +- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing) +- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode) +- 
[InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver) +- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions) +- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe) +- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions) +- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes) +- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode) +- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles) +- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker) +- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources) +- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads) +- 
[InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads) +- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites) +- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets) +- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie) +- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence) +- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions) +- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes) +- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources) +- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols) +- 
[InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads) +- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites) +- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents) +- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets) +- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie) +- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence) +- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions) +- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes) +- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources) +- 
[InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads) +- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets) +- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie) +- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence) +- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions) +- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes) +- 
[InternetExplorer/LockedDownIntranetJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions) +- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources) +- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads) +- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets) +- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie) +- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence) +- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols) +- 
[InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes) +- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources) +- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads) +- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets) +- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie) +- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence) +- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols) +- 
[InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions) +- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence) 
+- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions)
+- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions)
+- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses)
+- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses)
+- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses)
+- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter)
+- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols)
+- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses)
+- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols)
+- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses)
+- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses)
+- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting)
+- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors)
+- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript)
+- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles)
+- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles) +- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh) +- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol) +- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows) +- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols) +- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets) +- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie) +- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript) +- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence) +- 
[InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer) +- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter) +- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows) +- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows) +- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing) +- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver) +- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols) +- 
[InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions) +- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe) +- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions) +- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes) +- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins) +- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode) +- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting) +- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets) +- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles) +- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode) +- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker) +- 
[InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses) +- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist) +- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings) +- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice) +- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources) +- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads) +- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets) +- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie) +- 
[InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence) +- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions) +- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes) +- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder) +- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor) +- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring) +- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation) +- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize) +- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes) +- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers) +- [MSSLegacy/IPSourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel) +- [MSSLegacy/IPv6SourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel) +- 
[MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon) +- [MSSecurityGuide/ConfigureSMBV1ClientDriver](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver) +- [MSSecurityGuide/ConfigureSMBV1Server](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server) +- [MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection](./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection) +- [MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications) +- [MSSecurityGuide/WDigestAuthentication](./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication) +- [Power/AllowStandbyStatesWhenSleepingOnBattery](./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery) +- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin) +- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) +- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) +- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery) +- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin) +- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery) +- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin) +- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) +- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) +- 
[Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions) +- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user) +- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters) +- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages) +- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging) +- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance) +- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance) +- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely) +- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel) +- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection) +- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving) +- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection) +- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication) +- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client) +- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service) +- 
[RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient) +- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice) +- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement) +- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client) +- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service) +- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication) +- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient) +- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice) +- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials) +- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel) +- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts) +- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener) +- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener) +- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication) +- 
[RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients) +- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess) +- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers) +- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout) +- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory) +- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses) +- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells) +- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout) +- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices) +- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization) +- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) +- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork) +- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) +- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) +- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) +- [WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart](./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart) +- 
[WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging) + + +## Policies supported by GP + +- [AboveLock/AllowCortanaAboveLock](./policy-csp-abovelock.md#abovelock-allowcortanaabovelock) +- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites) +- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional) +- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient) +- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization) +- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup) +- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts) +- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux) +- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver) +- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions) +- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions) +- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload) +- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode) +- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal) +- 
[AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser) +- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1) +- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2) +- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3) +- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4) +- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5) +- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl) +- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch) +- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider) +- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot) +- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot) +- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval) +- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries) +- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode) +- 
[AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache) +- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist) +- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist) +- [ApplicationDefaults/DefaultAssociationsConfiguration](./policy-csp-applicationdefaults.md#applicationdefaults-defaultassociationsconfiguration) +- [ApplicationDefaults/EnableAppUriHandlers](./policy-csp-applicationdefaults.md#applicationdefaults-enableappurihandlers) +- [ApplicationManagement/AllowAllTrustedApps](./policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps) +- [ApplicationManagement/AllowAppStoreAutoUpdate](./policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate) +- [ApplicationManagement/AllowDeveloperUnlock](./policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock) +- [ApplicationManagement/AllowGameDVR](./policy-csp-applicationmanagement.md#applicationmanagement-allowgamedvr) +- [ApplicationManagement/AllowSharedUserAppData](./policy-csp-applicationmanagement.md#applicationmanagement-allowshareduserappdata) +- [ApplicationManagement/DisableStoreOriginatedApps](./policy-csp-applicationmanagement.md#applicationmanagement-disablestoreoriginatedapps) +- [ApplicationManagement/MSIAllowUserControlOverInstall](./policy-csp-applicationmanagement.md#applicationmanagement-msiallowusercontroloverinstall) +- [ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges](./policy-csp-applicationmanagement.md#applicationmanagement-msialwaysinstallwithelevatedprivileges) +- [ApplicationManagement/RequirePrivateStoreOnly](./policy-csp-applicationmanagement.md#applicationmanagement-requireprivatestoreonly) +- 
[ApplicationManagement/RestrictAppDataToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictappdatatosystemvolume) +- [ApplicationManagement/RestrictAppToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictapptosystemvolume) +- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation) +- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism) +- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms) +- [Authentication/AllowSecondaryAuthenticationDevice](./policy-csp-authentication.md#authentication-allowsecondaryauthenticationdevice) +- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices) +- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior) +- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay) +- [BITS/BandwidthThrottlingEndTime](./policy-csp-bits.md#bits-bandwidththrottlingendtime) +- [BITS/BandwidthThrottlingStartTime](./policy-csp-bits.md#bits-bandwidththrottlingstarttime) +- [BITS/BandwidthThrottlingTransferRate](./policy-csp-bits.md#bits-bandwidththrottlingtransferrate) +- [BITS/CostedNetworkBehaviorBackgroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorbackgroundpriority) +- [BITS/CostedNetworkBehaviorForegroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorforegroundpriority) +- [BITS/JobInactivityTimeout](./policy-csp-bits.md#bits-jobinactivitytimeout) +- [Browser/AllowAddressBarDropdown](./policy-csp-browser.md#browser-allowaddressbardropdown) +- [Browser/AllowAutofill](./policy-csp-browser.md#browser-allowautofill) +- [Browser/AllowCookies](./policy-csp-browser.md#browser-allowcookies) +- 
[Browser/AllowDeveloperTools](./policy-csp-browser.md#browser-allowdevelopertools) +- [Browser/AllowDoNotTrack](./policy-csp-browser.md#browser-allowdonottrack) +- [Browser/AllowExtensions](./policy-csp-browser.md#browser-allowextensions) +- [Browser/AllowFlash](./policy-csp-browser.md#browser-allowflash) +- [Browser/AllowFlashClickToRun](./policy-csp-browser.md#browser-allowflashclicktorun) +- [Browser/AllowFullScreenMode](./policy-csp-browser.md#browser-allowfullscreenmode) +- [Browser/AllowInPrivate](./policy-csp-browser.md#browser-allowinprivate) +- [Browser/AllowMicrosoftCompatibilityList](./policy-csp-browser.md#browser-allowmicrosoftcompatibilitylist) +- [Browser/AllowPasswordManager](./policy-csp-browser.md#browser-allowpasswordmanager) +- [Browser/AllowPopups](./policy-csp-browser.md#browser-allowpopups) +- [Browser/AllowPrelaunch](./policy-csp-browser.md#browser-allowprelaunch) +- [Browser/AllowPrinting](./policy-csp-browser.md#browser-allowprinting) +- [Browser/AllowSavingHistory](./policy-csp-browser.md#browser-allowsavinghistory) +- [Browser/AllowSearchEngineCustomization](./policy-csp-browser.md#browser-allowsearchenginecustomization) +- [Browser/AllowSearchSuggestionsinAddressBar](./policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar) +- [Browser/AllowSideloadingOfExtensions](./policy-csp-browser.md#browser-allowsideloadingofextensions) +- [Browser/AllowSmartScreen](./policy-csp-browser.md#browser-allowsmartscreen) +- [Browser/AllowTabPreloading](./policy-csp-browser.md#browser-allowtabpreloading) +- [Browser/AllowWebContentOnNewTabPage](./policy-csp-browser.md#browser-allowwebcontentonnewtabpage) +- [Browser/AlwaysEnableBooksLibrary](./policy-csp-browser.md#browser-alwaysenablebookslibrary) +- [Browser/ClearBrowsingDataOnExit](./policy-csp-browser.md#browser-clearbrowsingdataonexit) +- [Browser/ConfigureAdditionalSearchEngines](./policy-csp-browser.md#browser-configureadditionalsearchengines) +- 
[Browser/ConfigureFavoritesBar](./policy-csp-browser.md#browser-configurefavoritesbar)
+- [Browser/ConfigureHomeButton](./policy-csp-browser.md#browser-configurehomebutton)
+- [Browser/ConfigureKioskMode](./policy-csp-browser.md#browser-configurekioskmode)
+- [Browser/ConfigureKioskResetAfterIdleTimeout](./policy-csp-browser.md#browser-configurekioskresetafteridletimeout)
+- [Browser/ConfigureOpenMicrosoftEdgeWith](./policy-csp-browser.md#browser-configureopenmicrosoftedgewith)
+- [Browser/ConfigureTelemetryForMicrosoft365Analytics](./policy-csp-browser.md#browser-configuretelemetryformicrosoft365analytics)
+- [Browser/DisableLockdownOfStartPages](./policy-csp-browser.md#browser-disablelockdownofstartpages)
+- [Browser/EnableExtendedBooksTelemetry](./policy-csp-browser.md#browser-enableextendedbookstelemetry)
+- [Browser/EnterpriseModeSiteList](./policy-csp-browser.md#browser-enterprisemodesitelist)
+- [Browser/ForceEnabledExtensions](./policy-csp-browser.md#browser-forceenabledextensions)
+- [Browser/HomePages](./policy-csp-browser.md#browser-homepages)
+- [Browser/LockdownFavorites](./policy-csp-browser.md#browser-lockdownfavorites)
+- [Browser/PreventAccessToAboutFlagsInMicrosoftEdge](./policy-csp-browser.md#browser-preventaccesstoaboutflagsinmicrosoftedge)
+- [Browser/PreventCertErrorOverrides](./policy-csp-browser.md#browser-preventcerterroroverrides)
+- [Browser/PreventFirstRunPage](./policy-csp-browser.md#browser-preventfirstrunpage)
+- [Browser/PreventLiveTileDataCollection](./policy-csp-browser.md#browser-preventlivetiledatacollection)
+- [Browser/PreventSmartScreenPromptOverride](./policy-csp-browser.md#browser-preventsmartscreenpromptoverride)
+- [Browser/PreventSmartScreenPromptOverrideForFiles](./policy-csp-browser.md#browser-preventsmartscreenpromptoverrideforfiles)
+- [Browser/PreventUsingLocalHostIPAddressForWebRTC](./policy-csp-browser.md#browser-preventusinglocalhostipaddressforwebrtc)
+- [Browser/ProvisionFavorites](./policy-csp-browser.md#browser-provisionfavorites)
+- [Browser/SendIntranetTraffictoInternetExplorer](./policy-csp-browser.md#browser-sendintranettraffictointernetexplorer)
+- [Browser/SetDefaultSearchEngine](./policy-csp-browser.md#browser-setdefaultsearchengine)
+- [Browser/SetHomeButtonURL](./policy-csp-browser.md#browser-sethomebuttonurl)
+- [Browser/SetNewTabPageURL](./policy-csp-browser.md#browser-setnewtabpageurl)
+- [Browser/ShowMessageWhenOpeningSitesInInternetExplorer](./policy-csp-browser.md#browser-showmessagewhenopeningsitesininternetexplorer)
+- [Browser/SyncFavoritesBetweenIEAndMicrosoftEdge](./policy-csp-browser.md#browser-syncfavoritesbetweenieandmicrosoftedge)
+- [Browser/UnlockHomeButton](./policy-csp-browser.md#browser-unlockhomebutton)
+- [Browser/UseSharedFolderForBooks](./policy-csp-browser.md#browser-usesharedfolderforbooks)
+- [Camera/AllowCamera](./policy-csp-camera.md#camera-allowcamera)
+- [Cellular/LetAppsAccessCellularData](./policy-csp-cellular.md#cellular-letappsaccesscellulardata)
+- [Cellular/LetAppsAccessCellularData_ForceAllowTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forceallowtheseapps)
+- [Cellular/LetAppsAccessCellularData_ForceDenyTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forcedenytheseapps)
+- [Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-userincontroloftheseapps)
+- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui)
+- [Connectivity/AllowCellularDataRoaming](./policy-csp-connectivity.md#connectivity-allowcellulardataroaming)
+- [Connectivity/AllowPhonePCLinking](./policy-csp-connectivity.md#connectivity-allowphonepclinking)
+- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp)
+- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp)
+- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
+- [Connectivity/DisallowNetworkConnectivityActiveTests](./policy-csp-connectivity.md#connectivity-disallownetworkconnectivityactivetests)
+- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths)
+- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge)
+- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
+- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
+- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials)
+- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
+- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
+- [Cryptography/AllowFipsAlgorithmPolicy](./policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy)
+- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
+- [Defender/AllowArchiveScanning](./policy-csp-defender.md#defender-allowarchivescanning)
+- [Defender/AllowBehaviorMonitoring](./policy-csp-defender.md#defender-allowbehaviormonitoring)
+- [Defender/AllowCloudProtection](./policy-csp-defender.md#defender-allowcloudprotection)
+- [Defender/AllowEmailScanning](./policy-csp-defender.md#defender-allowemailscanning)
+- [Defender/AllowFullScanOnMappedNetworkDrives](./policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives)
+- [Defender/AllowFullScanRemovableDriveScanning](./policy-csp-defender.md#defender-allowfullscanremovabledrivescanning)
+- [Defender/AllowIOAVProtection](./policy-csp-defender.md#defender-allowioavprotection)
+- [Defender/AllowOnAccessProtection](./policy-csp-defender.md#defender-allowonaccessprotection)
+- [Defender/AllowRealtimeMonitoring](./policy-csp-defender.md#defender-allowrealtimemonitoring)
+- [Defender/AllowScanningNetworkFiles](./policy-csp-defender.md#defender-allowscanningnetworkfiles)
+- [Defender/AllowUserUIAccess](./policy-csp-defender.md#defender-allowuseruiaccess)
+- [Defender/AttackSurfaceReductionOnlyExclusions](./policy-csp-defender.md#defender-attacksurfacereductiononlyexclusions)
+- [Defender/AttackSurfaceReductionRules](./policy-csp-defender.md#defender-attacksurfacereductionrules)
+- [Defender/AvgCPULoadFactor](./policy-csp-defender.md#defender-avgcpuloadfactor)
+- [Defender/CheckForSignaturesBeforeRunningScan](./policy-csp-defender.md#defender-checkforsignaturesbeforerunningscan)
+- [Defender/CloudBlockLevel](./policy-csp-defender.md#defender-cloudblocklevel)
+- [Defender/CloudExtendedTimeout](./policy-csp-defender.md#defender-cloudextendedtimeout)
+- [Defender/ControlledFolderAccessAllowedApplications](./policy-csp-defender.md#defender-controlledfolderaccessallowedapplications)
+- [Defender/ControlledFolderAccessProtectedFolders](./policy-csp-defender.md#defender-controlledfolderaccessprotectedfolders)
+- [Defender/DaysToRetainCleanedMalware](./policy-csp-defender.md#defender-daystoretaincleanedmalware)
+- [Defender/DisableCatchupFullScan](./policy-csp-defender.md#defender-disablecatchupfullscan)
+- [Defender/DisableCatchupQuickScan](./policy-csp-defender.md#defender-disablecatchupquickscan)
+- [Defender/EnableControlledFolderAccess](./policy-csp-defender.md#defender-enablecontrolledfolderaccess)
+- [Defender/EnableLowCPUPriority](./policy-csp-defender.md#defender-enablelowcpupriority)
+- [Defender/EnableNetworkProtection](./policy-csp-defender.md#defender-enablenetworkprotection)
+- [Defender/ExcludedExtensions](./policy-csp-defender.md#defender-excludedextensions)
+- [Defender/ExcludedPaths](./policy-csp-defender.md#defender-excludedpaths)
+- [Defender/ExcludedProcesses](./policy-csp-defender.md#defender-excludedprocesses)
+- [Defender/RealTimeScanDirection](./policy-csp-defender.md#defender-realtimescandirection)
+- [Defender/ScanParameter](./policy-csp-defender.md#defender-scanparameter)
+- [Defender/ScheduleQuickScanTime](./policy-csp-defender.md#defender-schedulequickscantime)
+- [Defender/ScheduleScanDay](./policy-csp-defender.md#defender-schedulescanday)
+- [Defender/ScheduleScanTime](./policy-csp-defender.md#defender-schedulescantime)
+- [Defender/SignatureUpdateFallbackOrder](./policy-csp-defender.md#defender-signatureupdatefallbackorder)
+- [Defender/SignatureUpdateFileSharesSources](./policy-csp-defender.md#defender-signatureupdatefilesharessources)
+- [Defender/SignatureUpdateInterval](./policy-csp-defender.md#defender-signatureupdateinterval)
+- [Defender/SubmitSamplesConsent](./policy-csp-defender.md#defender-submitsamplesconsent)
+- [Defender/ThreatSeverityDefaultAction](./policy-csp-defender.md#defender-threatseveritydefaultaction)
+- [DeliveryOptimization/DOAbsoluteMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
+- [DeliveryOptimization/DOAllowVPNPeerCaching](./policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
+- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
+- [DeliveryOptimization/DODownloadMode](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
+- [DeliveryOptimization/DOGroupId](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
+- [DeliveryOptimization/DOGroupIdSource](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
+- [DeliveryOptimization/DOMaxCacheAge](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
+- [DeliveryOptimization/DOMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
+- [DeliveryOptimization/DOMaxDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
+- [DeliveryOptimization/DOMaxUploadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
+- [DeliveryOptimization/DOMinBackgroundQos](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
+- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
+- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
+- [DeliveryOptimization/DOMinFileSizeToCache](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
+- [DeliveryOptimization/DOMinRAMAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
+- [DeliveryOptimization/DOModifyCacheDrive](./policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
+- [DeliveryOptimization/DOMonthlyUploadDataCap](./policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
+- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
+- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
+- [DeliveryOptimization/DORestrictPeerSelectionBy](./policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
+- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
+- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
+- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
+- [DeviceGuard/EnableSystemGuard](./policy-csp-deviceguard.md#deviceguard-enablesystemguard)
+- [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity)
+- [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags)
+- [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses)
+- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork)
+- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses)
+- [DeviceLock/MinimumPasswordAge](./policy-csp-devicelock.md#devicelock-minimumpasswordage)
+- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera)
+- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
+- [Display/DisablePerProcessDpiForApps](./policy-csp-display.md#display-disableperprocessdpiforapps)
+- [Display/EnablePerProcessDpi](./policy-csp-display.md#display-enableperprocessdpi)
+- [Display/EnablePerProcessDpiForApps](./policy-csp-display.md#display-enableperprocessdpiforapps)
+- [Display/TurnOffGdiDPIScalingForApps](./policy-csp-display.md#display-turnoffgdidpiscalingforapps)
+- [Display/TurnOnGdiDPIScalingForApps](./policy-csp-display.md#display-turnongdidpiscalingforapps)
+- [DmaGuard/DeviceEnumerationPolicy](./policy-csp-dmaguard.md#dmaguard-deviceenumerationpolicy)
+- [Education/PreventAddingNewPrinters](./policy-csp-education.md#education-preventaddingnewprinters)
+- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings)
+- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting)
+- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification)
+- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata)
+- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay)
+- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior)
+- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog)
+- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog)
+- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog)
+- [Experience/AllowClipboardHistory](./policy-csp-experience.md#experience-allowclipboardhistory)
+- [Experience/AllowCortana](./policy-csp-experience.md#experience-allowcortana)
+- [Experience/AllowFindMyDevice](./policy-csp-experience.md#experience-allowfindmydevice)
+- [Experience/AllowTailoredExperiencesWithDiagnosticData](./policy-csp-experience.md#experience-allowtailoredexperienceswithdiagnosticdata)
+- [Experience/AllowThirdPartySuggestionsInWindowsSpotlight](./policy-csp-experience.md#experience-allowthirdpartysuggestionsinwindowsspotlight)
+- [Experience/AllowWindowsConsumerFeatures](./policy-csp-experience.md#experience-allowwindowsconsumerfeatures)
+- [Experience/AllowWindowsSpotlight](./policy-csp-experience.md#experience-allowwindowsspotlight)
+- [Experience/AllowWindowsSpotlightOnActionCenter](./policy-csp-experience.md#experience-allowwindowsspotlightonactioncenter)
+- [Experience/AllowWindowsSpotlightOnSettings](./policy-csp-experience.md#experience-allowwindowsspotlightonsettings)
+- [Experience/AllowWindowsSpotlightWindowsWelcomeExperience](./policy-csp-experience.md#experience-allowwindowsspotlightwindowswelcomeexperience)
+- [Experience/AllowWindowsTips](./policy-csp-experience.md#experience-allowwindowstips)
+- [Experience/ConfigureWindowsSpotlightOnLockScreen](./policy-csp-experience.md#experience-configurewindowsspotlightonlockscreen)
+- [Experience/DoNotShowFeedbackNotifications](./policy-csp-experience.md#experience-donotshowfeedbacknotifications)
+- [Experience/DoNotSyncBrowserSettings](./policy-csp-experience.md#experience-donotsyncbrowsersetting)
+- [Experience/PreventUsersFromTurningOnBrowserSyncing](./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing)
+- [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings)
+- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer)
+- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption)
+- [Handwriting/PanelDefaultModeDocked](./policy-csp-handwriting.md#handwriting-paneldefaultmodedocked)
+- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider)
+- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering)
+- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist)
+- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete)
+- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning)
+- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit)
+- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode)
+- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu)
+- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist)
+- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3)
+- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist)
+- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode)
+- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate)
+- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate)
+- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate)
+- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate)
+- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate)
+- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate)
+- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate)
+- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry)
+- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist)
+- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid)
+- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites)
+- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate)
+- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate)
+- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate)
+- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation)
+- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms)
+- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses)
+- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash)
+- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings)
+- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles)
+- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory)
+- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection)
+- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation)
+- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites)
+- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading)
+- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport)
+- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard)
+- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature)
+- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange)
+- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors)
+- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing)
+- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode)
+- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange)
+- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange)
+- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange)
+- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck)
+- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck)
+- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode)
+- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites)
+- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies)
+- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols)
+- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains)
+- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites)
+- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths)
+- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources)
+- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript)
+- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles)
+- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads)
+- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites)
+- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles)
+- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols)
+- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol)
+- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows)
+- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols)
+- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets)
+- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie)
+- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript)
+- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence)
+- [InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer)
+- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols)
+- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols)
+- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter)
+- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
+- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows)
+- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing)
+- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode)
+- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver)
+- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions)
+- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe)
+- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions)
+- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes)
+- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode)
+- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles)
+- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker)
+- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources)
+- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads)
+- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites)
+- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets)
+- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie)
+- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence)
+- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions)
+- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes)
+- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources)
+- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads)
+- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites)
+- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets)
+- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie)
+- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence)
+- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions)
+- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads)
+- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets)
+- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie)
+- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions)
+- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownIntranetJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions)
+- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads)
+- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets) +- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie) +- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence) +- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes) +- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources) +- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads) +- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites) +- 
[InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets) +- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie) +- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence) +- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions) +- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads) +- 
[InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence) +- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions) +- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols) +- 
[InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence) +- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions) +- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes) +- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses) +- 
[InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses) +- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses) +- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter) +- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols) +- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses) +- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols) +- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses) +- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses) +- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources) +- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting) +- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols) +- 
[InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors) +- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript) +- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles) +- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads) +- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads) +- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles) +- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh) +- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols) +- 
[InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol) +- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows) +- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols) +- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets) +- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie) +- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript) +- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence) +- [InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer) +- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols) +- 
[InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter) +- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows) +- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows) +- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing) +- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver) +- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions) +- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe) +- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions) +- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes) +- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins) +- 
[InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode) +- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting) +- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets) +- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles) +- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode) +- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker) +- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses) +- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist) +- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings) +- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice) +- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources) +- 
[InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads) +- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets) +- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie) +- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence) +- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions) +- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes) +- 
[Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder) +- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor) +- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring) +- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation) +- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize) +- [LanmanWorkstation/EnableInsecureGuestLogons](./policy-csp-lanmanworkstation.md#lanmanworkstation-enableinsecureguestlogons) +- [Licensing/AllowWindowsEntitlementReactivation](./policy-csp-licensing.md#licensing-allowwindowsentitlementreactivation) +- [Licensing/DisallowKMSClientOnlineAVSValidation](./policy-csp-licensing.md#licensing-disallowkmsclientonlineavsvalidation) +- [LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts) +- [LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-enableadministratoraccountstatus) +- [LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-enableguestaccountstatus) +- [LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly) +- [LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameadministratoraccount) +- 
[LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameguestaccount) +- [LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowundockwithouthavingtologon) +- [LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia) +- [LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters) +- [LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly) +- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways) +- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible) +- [LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges) +- [LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked) +- 
[LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) +- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin) +- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel) +- [LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-machineinactivitylimit) +- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon) +- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon) +- [LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior) +- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsalways) +- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees) +- 
[LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers) +- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession) +- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways) +- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsifclientagrees) +- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccounts) +- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccountsandshares) +- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictanonymousaccesstonamedpipesandshares) +- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam) +- 
[LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm) +- [LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests) +- [LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-donotstorelanmanagerhashvalueonnextpasswordchange) +- [LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel) +- [LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients) +- [LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers) +- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-addremoteserverexceptionsforntlmauthentication) +- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-auditincomingntlmtraffic) +- 
[LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-incomingntlmtraffic) +- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-outgoingntlmtraffictoremoteservers) +- [LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon) +- [LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile) +- [LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation) +- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators) +- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers) +- [LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-detectapplicationinstallationsandpromptforelevation) +- 
[LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated)
+- [LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations)
+- [LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode)
+- [LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation)
+- [LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-useadminapprovalmode)
+- [LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations)
+- [Location/EnableLocation](./policy-csp-location.md#location-enablelocation)
+- [LockDown/AllowEdgeSwipe](./policy-csp-lockdown.md#lockdown-allowedgeswipe)
+- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes)
+- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers)
+- 
[MSSLegacy/IPSourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel)
+- [MSSLegacy/IPv6SourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel)
+- [MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon)
+- [MSSecurityGuide/ConfigureSMBV1ClientDriver](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver)
+- [MSSecurityGuide/ConfigureSMBV1Server](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server)
+- [MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection](./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection)
+- [MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications)
+- [MSSecurityGuide/WDigestAuthentication](./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication)
+- [Maps/EnableOfflineMapsAutoUpdate](./policy-csp-maps.md#maps-enableofflinemapsautoupdate)
+- [Messaging/AllowMessageSync](./policy-csp-messaging.md#messaging-allowmessagesync)
+- [NetworkIsolation/EnterpriseCloudResources](./policy-csp-networkisolation.md#networkisolation-enterprisecloudresources)
+- [NetworkIsolation/EnterpriseIPRange](./policy-csp-networkisolation.md#networkisolation-enterpriseiprange)
+- [NetworkIsolation/EnterpriseIPRangesAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseiprangesareauthoritative)
+- [NetworkIsolation/EnterpriseInternalProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseinternalproxyservers)
+- [NetworkIsolation/EnterpriseProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyservers)
+- 
[NetworkIsolation/EnterpriseProxyServersAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyserversareauthoritative)
+- [NetworkIsolation/NeutralResources](./policy-csp-networkisolation.md#networkisolation-neutralresources)
+- [Notifications/DisallowCloudNotification](./policy-csp-notifications.md#notifications-disallowcloudnotification)
+- [Notifications/DisallowNotificationMirroring](./policy-csp-notifications.md#notifications-disallownotificationmirroring)
+- [Notifications/DisallowTileNotification](./policy-csp-notifications.md#notifications-disallowtilenotification)
+- [Power/AllowStandbyStatesWhenSleepingOnBattery](./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery)
+- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin)
+- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery)
+- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin)
+- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery)
+- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin)
+- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery)
+- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin)
+- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery)
+- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin)
+- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions)
+- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user)
+- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters)
+- 
[Privacy/AllowCrossDeviceClipboard](./policy-csp-privacy.md#privacy-allowcrossdeviceclipboard)
+- [Privacy/AllowInputPersonalization](./policy-csp-privacy.md#privacy-allowinputpersonalization)
+- [Privacy/DisableAdvertisingId](./policy-csp-privacy.md#privacy-disableadvertisingid)
+- [Privacy/EnableActivityFeed](./policy-csp-privacy.md#privacy-enableactivityfeed)
+- [Privacy/LetAppsAccessAccountInfo](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo)
+- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps)
+- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps)
+- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-userincontroloftheseapps)
+- [Privacy/LetAppsAccessCalendar](./policy-csp-privacy.md#privacy-letappsaccesscalendar)
+- [Privacy/LetAppsAccessCalendar_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forceallowtheseapps)
+- [Privacy/LetAppsAccessCalendar_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forcedenytheseapps)
+- [Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-userincontroloftheseapps)
+- [Privacy/LetAppsAccessCallHistory](./policy-csp-privacy.md#privacy-letappsaccesscallhistory)
+- [Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forceallowtheseapps)
+- [Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forcedenytheseapps)
+- [Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-userincontroloftheseapps)
+- [Privacy/LetAppsAccessCamera](./policy-csp-privacy.md#privacy-letappsaccesscamera)
+- 
[Privacy/LetAppsAccessCamera_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forceallowtheseapps)
+- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forcedenytheseapps)
+- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-userincontroloftheseapps)
+- [Privacy/LetAppsAccessContacts](./policy-csp-privacy.md#privacy-letappsaccesscontacts)
+- [Privacy/LetAppsAccessContacts_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forceallowtheseapps)
+- [Privacy/LetAppsAccessContacts_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forcedenytheseapps)
+- [Privacy/LetAppsAccessContacts_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-userincontroloftheseapps)
+- [Privacy/LetAppsAccessEmail](./policy-csp-privacy.md#privacy-letappsaccessemail)
+- [Privacy/LetAppsAccessEmail_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forceallowtheseapps)
+- [Privacy/LetAppsAccessEmail_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forcedenytheseapps)
+- [Privacy/LetAppsAccessEmail_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-userincontroloftheseapps)
+- [Privacy/LetAppsAccessLocation](./policy-csp-privacy.md#privacy-letappsaccesslocation)
+- [Privacy/LetAppsAccessLocation_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forceallowtheseapps)
+- [Privacy/LetAppsAccessLocation_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forcedenytheseapps)
+- [Privacy/LetAppsAccessLocation_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-userincontroloftheseapps)
+- [Privacy/LetAppsAccessMessaging](./policy-csp-privacy.md#privacy-letappsaccessmessaging)
+- 
[Privacy/LetAppsAccessMessaging_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forceallowtheseapps)
+- [Privacy/LetAppsAccessMessaging_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forcedenytheseapps)
+- [Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-userincontroloftheseapps)
+- [Privacy/LetAppsAccessMicrophone](./policy-csp-privacy.md#privacy-letappsaccessmicrophone)
+- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps)
+- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps)
+- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps)
+- [Privacy/LetAppsAccessMotion](./policy-csp-privacy.md#privacy-letappsaccessmotion)
+- [Privacy/LetAppsAccessMotion_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forceallowtheseapps)
+- [Privacy/LetAppsAccessMotion_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forcedenytheseapps)
+- [Privacy/LetAppsAccessMotion_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-userincontroloftheseapps)
+- [Privacy/LetAppsAccessNotifications](./policy-csp-privacy.md#privacy-letappsaccessnotifications)
+- [Privacy/LetAppsAccessNotifications_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forceallowtheseapps)
+- [Privacy/LetAppsAccessNotifications_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forcedenytheseapps)
+- [Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-userincontroloftheseapps)
+- [Privacy/LetAppsAccessPhone](./policy-csp-privacy.md#privacy-letappsaccessphone)
+- 
[Privacy/LetAppsAccessPhone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forceallowtheseapps)
+- [Privacy/LetAppsAccessPhone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forcedenytheseapps)
+- [Privacy/LetAppsAccessPhone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-userincontroloftheseapps)
+- [Privacy/LetAppsAccessRadios](./policy-csp-privacy.md#privacy-letappsaccessradios)
+- [Privacy/LetAppsAccessRadios_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forceallowtheseapps)
+- [Privacy/LetAppsAccessRadios_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forcedenytheseapps)
+- [Privacy/LetAppsAccessRadios_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-userincontroloftheseapps)
+- [Privacy/LetAppsAccessTasks](./policy-csp-privacy.md#privacy-letappsaccesstasks)
+- [Privacy/LetAppsAccessTasks_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forceallowtheseapps)
+- [Privacy/LetAppsAccessTasks_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forcedenytheseapps)
+- [Privacy/LetAppsAccessTasks_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-userincontroloftheseapps)
+- [Privacy/LetAppsAccessTrustedDevices](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices)
+- [Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forceallowtheseapps)
+- [Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forcedenytheseapps)
+- [Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-userincontroloftheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo)
+- 
[Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
+- [Privacy/LetAppsRunInBackground](./policy-csp-privacy.md#privacy-letappsruninbackground)
+- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forceallowtheseapps)
+- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forcedenytheseapps)
+- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-userincontroloftheseapps)
+- [Privacy/LetAppsSyncWithDevices](./policy-csp-privacy.md#privacy-letappssyncwithdevices)
+- [Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forceallowtheseapps)
+- [Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forcedenytheseapps)
+- [Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-userincontroloftheseapps)
+- [Privacy/PublishUserActivities](./policy-csp-privacy.md#privacy-publishuseractivities)
+- [Privacy/UploadUserActivities](./policy-csp-privacy.md#privacy-uploaduseractivities)
+- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages)
+- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging)
+- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance)
+- 
[RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance)
+- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely)
+- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel)
+- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection)
+- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving)
+- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection)
+- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication)
+- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client)
+- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service)
+- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient)
+- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice)
+- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement)
+- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client)
+- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service)
+- 
[RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication)
+- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient)
+- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice)
+- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials)
+- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel)
+- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts)
+- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener)
+- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener)
+- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication)
+- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients)
+- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess)
+- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers)
+- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout)
+- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory)
+- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses)
+- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells)
+- 
[RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
+- [Search/AllowCloudSearch](./policy-csp-search.md#search-allowcloudsearch)
+- [Search/AllowCortanaInAAD](./policy-csp-search.md#search-allowcortanainaad)
+- [Search/AllowIndexingEncryptedStoresOrItems](./policy-csp-search.md#search-allowindexingencryptedstoresoritems)
+- [Search/AllowSearchToUseLocation](./policy-csp-search.md#search-allowsearchtouselocation)
+- [Search/AllowUsingDiacritics](./policy-csp-search.md#search-allowusingdiacritics)
+- [Search/AlwaysUseAutoLangDetection](./policy-csp-search.md#search-alwaysuseautolangdetection)
+- [Search/DisableBackoff](./policy-csp-search.md#search-disablebackoff)
+- [Search/DisableRemovableDriveIndexing](./policy-csp-search.md#search-disableremovabledriveindexing)
+- [Search/DoNotUseWebResults](./policy-csp-search.md#search-donotusewebresults)
+- [Search/PreventIndexingLowDiskSpaceMB](./policy-csp-search.md#search-preventindexinglowdiskspacemb)
+- [Search/PreventRemoteQueries](./policy-csp-search.md#search-preventremotequeries)
+- [Security/ClearTPMIfNotReady](./policy-csp-security.md#security-cleartpmifnotready)
+- [Settings/AllowOnlineTips](./policy-csp-settings.md#settings-allowonlinetips)
+- [Settings/ConfigureTaskbarCalendar](./policy-csp-settings.md#settings-configuretaskbarcalendar)
+- [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist)
+- [SmartScreen/EnableAppInstallControl](./policy-csp-smartscreen.md#smartscreen-enableappinstallcontrol)
+- [SmartScreen/EnableSmartScreenInShell](./policy-csp-smartscreen.md#smartscreen-enablesmartscreeninshell)
+- [SmartScreen/PreventOverrideForFilesInShell](./policy-csp-smartscreen.md#smartscreen-preventoverrideforfilesinshell)
+- [Speech/AllowSpeechModelUpdate](./policy-csp-speech.md#speech-allowspeechmodelupdate)
+- [Start/HidePeopleBar](./policy-csp-start.md#start-hidepeoplebar)
+- 
[Start/HideRecentlyAddedApps](./policy-csp-start.md#start-hiderecentlyaddedapps)
+- [Start/StartLayout](./policy-csp-start.md#start-startlayout)
+- [Storage/AllowDiskHealthModelUpdates](./policy-csp-storage.md#storage-allowdiskhealthmodelupdates)
+- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
+- [System/AllowBuildPreview](./policy-csp-system.md#system-allowbuildpreview)
+- [System/AllowFontProviders](./policy-csp-system.md#system-allowfontproviders)
+- [System/AllowLocation](./policy-csp-system.md#system-allowlocation)
+- [System/AllowTelemetry](./policy-csp-system.md#system-allowtelemetry)
+- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
+- [System/ConfigureTelemetryOptInChangeNotification](./policy-csp-system.md#system-configuretelemetryoptinchangenotification)
+- [System/ConfigureTelemetryOptInSettingsUx](./policy-csp-system.md#system-configuretelemetryoptinsettingsux)
+- [System/DisableEnterpriseAuthProxy](./policy-csp-system.md#system-disableenterpriseauthproxy)
+- [System/DisableOneDriveFileSync](./policy-csp-system.md#system-disableonedrivefilesync)
+- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
+- [System/LimitEnhancedDiagnosticDataWindowsAnalytics](./policy-csp-system.md#system-limitenhanceddiagnosticdatawindowsanalytics)
+- [System/TelemetryProxy](./policy-csp-system.md#system-telemetryproxy)
+- [SystemServices/ConfigureHomeGroupListenerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegrouplistenerservicestartupmode)
+- [SystemServices/ConfigureHomeGroupProviderServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegroupproviderservicestartupmode)
+- [SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxaccessorymanagementservicestartupmode)
+- 
[SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxliveauthmanagerservicestartupmode)
+- [SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivegamesaveservicestartupmode)
+- [SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivenetworkingservicestartupmode)
+- [TextInput/AllowLanguageFeaturesUninstall](./policy-csp-textinput.md#textinput-allowlanguagefeaturesuninstall)
+- [TextInput/AllowLinguisticDataCollection](./policy-csp-textinput.md#textinput-allowlinguisticdatacollection)
+- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend)
+- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange)
+- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart)
+- [Update/AllowAutoUpdate](./policy-csp-update.md#update-allowautoupdate)
+- [Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork](./policy-csp-update.md#update-allowautowindowsupdatedownloadovermeterednetwork)
+- [Update/AllowMUUpdateService](./policy-csp-update.md#update-allowmuupdateservice)
+- [Update/AllowUpdateService](./policy-csp-update.md#update-allowupdateservice)
+- [Update/AutoRestartDeadlinePeriodInDays](./policy-csp-update.md#update-autorestartdeadlineperiodindays)
+- [Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates](./policy-csp-update.md#update-autorestartdeadlineperiodindaysforfeatureupdates)
+- [Update/AutoRestartNotificationSchedule](./policy-csp-update.md#update-autorestartnotificationschedule)
+- [Update/AutoRestartRequiredNotificationDismissal](./policy-csp-update.md#update-autorestartrequirednotificationdismissal)
+- [Update/BranchReadinessLevel](./policy-csp-update.md#update-branchreadinesslevel)
+- [Update/DeferFeatureUpdatesPeriodInDays](./policy-csp-update.md#update-deferfeatureupdatesperiodindays)
+- 
[Update/DeferQualityUpdatesPeriodInDays](./policy-csp-update.md#update-deferqualityupdatesperiodindays)
+- [Update/DeferUpdatePeriod](./policy-csp-update.md#update-deferupdateperiod)
+- [Update/DeferUpgradePeriod](./policy-csp-update.md#update-deferupgradeperiod)
+- [Update/DetectionFrequency](./policy-csp-update.md#update-detectionfrequency)
+- [Update/DisableDualScan](./policy-csp-update.md#update-disabledualscan)
+- [Update/EngagedRestartDeadline](./policy-csp-update.md#update-engagedrestartdeadline)
+- [Update/EngagedRestartDeadlineForFeatureUpdates](./policy-csp-update.md#update-engagedrestartdeadlineforfeatureupdates)
+- [Update/EngagedRestartSnoozeSchedule](./policy-csp-update.md#update-engagedrestartsnoozeschedule)
+- [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](./policy-csp-update.md#update-engagedrestartsnoozescheduleforfeatureupdates)
+- [Update/EngagedRestartTransitionSchedule](./policy-csp-update.md#update-engagedrestarttransitionschedule)
+- [Update/EngagedRestartTransitionScheduleForFeatureUpdates](./policy-csp-update.md#update-engagedrestarttransitionscheduleforfeatureupdates)
+- [Update/ExcludeWUDriversInQualityUpdate](./policy-csp-update.md#update-excludewudriversinqualityupdate)
+- [Update/FillEmptyContentUrls](./policy-csp-update.md#update-fillemptycontenturls)
+- [Update/ManagePreviewBuilds](./policy-csp-update.md#update-managepreviewbuilds)
+- [Update/PauseDeferrals](./policy-csp-update.md#update-pausedeferrals)
+- [Update/PauseFeatureUpdates](./policy-csp-update.md#update-pausefeatureupdates)
+- [Update/PauseFeatureUpdatesStartTime](./policy-csp-update.md#update-pausefeatureupdatesstarttime)
+- [Update/PauseQualityUpdates](./policy-csp-update.md#update-pausequalityupdates)
+- [Update/PauseQualityUpdatesStartTime](./policy-csp-update.md#update-pausequalityupdatesstarttime)
+- [Update/RequireDeferUpgrade](./policy-csp-update.md#update-requiredeferupgrade)
+- 
[Update/ScheduleImminentRestartWarning](./policy-csp-update.md#update-scheduleimminentrestartwarning)
+- [Update/ScheduleRestartWarning](./policy-csp-update.md#update-schedulerestartwarning)
+- [Update/ScheduledInstallDay](./policy-csp-update.md#update-scheduledinstallday)
+- [Update/ScheduledInstallEveryWeek](./policy-csp-update.md#update-scheduledinstalleveryweek)
+- [Update/ScheduledInstallFirstWeek](./policy-csp-update.md#update-scheduledinstallfirstweek)
+- [Update/ScheduledInstallFourthWeek](./policy-csp-update.md#update-scheduledinstallfourthweek)
+- [Update/ScheduledInstallSecondWeek](./policy-csp-update.md#update-scheduledinstallsecondweek)
+- [Update/ScheduledInstallThirdWeek](./policy-csp-update.md#update-scheduledinstallthirdweek)
+- [Update/ScheduledInstallTime](./policy-csp-update.md#update-scheduledinstalltime)
+- [Update/SetAutoRestartNotificationDisable](./policy-csp-update.md#update-setautorestartnotificationdisable)
+- [Update/SetDisablePauseUXAccess](./policy-csp-update.md#update-setdisablepauseuxaccess)
+- [Update/SetDisableUXWUAccess](./policy-csp-update.md#update-setdisableuxwuaccess)
+- [Update/SetEDURestart](./policy-csp-update.md#update-setedurestart)
+- [Update/UpdateNotificationLevel](./policy-csp-update.md#update-updatenotificationlevel)
+- [Update/UpdateServiceUrl](./policy-csp-update.md#update-updateserviceurl)
+- [Update/UpdateServiceUrlAlternate](./policy-csp-update.md#update-updateserviceurlalternate)
+- [UserRights/AccessCredentialManagerAsTrustedCaller](./policy-csp-userrights.md#userrights-accesscredentialmanagerastrustedcaller)
+- [UserRights/AccessFromNetwork](./policy-csp-userrights.md#userrights-accessfromnetwork)
+- [UserRights/ActAsPartOfTheOperatingSystem](./policy-csp-userrights.md#userrights-actaspartoftheoperatingsystem)
+- [UserRights/AllowLocalLogOn](./policy-csp-userrights.md#userrights-allowlocallogon)
+- [UserRights/BackupFilesAndDirectories](./policy-csp-userrights.md#userrights-backupfilesanddirectories)
+- 
[UserRights/ChangeSystemTime](./policy-csp-userrights.md#userrights-changesystemtime)
+- [UserRights/CreateGlobalObjects](./policy-csp-userrights.md#userrights-createglobalobjects)
+- [UserRights/CreatePageFile](./policy-csp-userrights.md#userrights-createpagefile)
+- [UserRights/CreatePermanentSharedObjects](./policy-csp-userrights.md#userrights-createpermanentsharedobjects)
+- [UserRights/CreateSymbolicLinks](./policy-csp-userrights.md#userrights-createsymboliclinks)
+- [UserRights/CreateToken](./policy-csp-userrights.md#userrights-createtoken)
+- [UserRights/DebugPrograms](./policy-csp-userrights.md#userrights-debugprograms)
+- [UserRights/DenyAccessFromNetwork](./policy-csp-userrights.md#userrights-denyaccessfromnetwork)
+- [UserRights/DenyLocalLogOn](./policy-csp-userrights.md#userrights-denylocallogon)
+- [UserRights/DenyRemoteDesktopServicesLogOn](./policy-csp-userrights.md#userrights-denyremotedesktopserviceslogon)
+- [UserRights/EnableDelegation](./policy-csp-userrights.md#userrights-enabledelegation)
+- [UserRights/GenerateSecurityAudits](./policy-csp-userrights.md#userrights-generatesecurityaudits)
+- [UserRights/ImpersonateClient](./policy-csp-userrights.md#userrights-impersonateclient)
+- [UserRights/IncreaseSchedulingPriority](./policy-csp-userrights.md#userrights-increaseschedulingpriority)
+- [UserRights/LoadUnloadDeviceDrivers](./policy-csp-userrights.md#userrights-loadunloaddevicedrivers)
+- [UserRights/LockMemory](./policy-csp-userrights.md#userrights-lockmemory)
+- [UserRights/ManageAuditingAndSecurityLog](./policy-csp-userrights.md#userrights-manageauditingandsecuritylog)
+- [UserRights/ManageVolume](./policy-csp-userrights.md#userrights-managevolume)
+- [UserRights/ModifyFirmwareEnvironment](./policy-csp-userrights.md#userrights-modifyfirmwareenvironment)
+- [UserRights/ModifyObjectLabel](./policy-csp-userrights.md#userrights-modifyobjectlabel)
+- [UserRights/ProfileSingleProcess](./policy-csp-userrights.md#userrights-profilesingleprocess)
+- 
[UserRights/RemoteShutdown](./policy-csp-userrights.md#userrights-remoteshutdown)
+- [UserRights/RestoreFilesAndDirectories](./policy-csp-userrights.md#userrights-restorefilesanddirectories)
+- [UserRights/TakeOwnership](./policy-csp-userrights.md#userrights-takeownership)
+- [Wifi/AllowAutoConnectToWiFiSenseHotspots](./policy-csp-wifi.md#wifi-allowautoconnecttowifisensehotspots)
+- [Wifi/AllowInternetSharing](./policy-csp-wifi.md#wifi-allowinternetsharing)
+- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork)
+- [WindowsDefenderSecurityCenter/CompanyName](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-companyname)
+- [WindowsDefenderSecurityCenter/DisableAccountProtectionUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableaccountprotectionui)
+- [WindowsDefenderSecurityCenter/DisableAppBrowserUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableappbrowserui)
+- [WindowsDefenderSecurityCenter/DisableClearTpmButton](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablecleartpmbutton)
+- [WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabledevicesecurityui)
+- [WindowsDefenderSecurityCenter/DisableEnhancedNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableenhancednotifications)
+- [WindowsDefenderSecurityCenter/DisableFamilyUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablefamilyui)
+- [WindowsDefenderSecurityCenter/DisableHealthUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablehealthui)
+- 
[WindowsDefenderSecurityCenter/DisableNetworkUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenetworkui) +- [WindowsDefenderSecurityCenter/DisableNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenotifications) +- [WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabletpmfirmwareupdatewarning) +- [WindowsDefenderSecurityCenter/DisableVirusUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablevirusui) +- [WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disallowexploitprotectionoverride) +- [WindowsDefenderSecurityCenter/Email](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-email) +- [WindowsDefenderSecurityCenter/EnableCustomizedToasts](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enablecustomizedtoasts) +- [WindowsDefenderSecurityCenter/EnableInAppCustomization](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enableinappcustomization) +- [WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hideransomwaredatarecovery) +- [WindowsDefenderSecurityCenter/HideSecureBoot](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidesecureboot) +- [WindowsDefenderSecurityCenter/HideTPMTroubleshooting](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidetpmtroubleshooting) +- [WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidewindowssecuritynotificationareacontrol) +- 
[WindowsDefenderSecurityCenter/Phone](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-phone) +- [WindowsDefenderSecurityCenter/URL](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-url) +- [WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) +- [WindowsInkWorkspace/AllowWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowwindowsinkworkspace) +- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) +- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) +- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) +- [WindowsLogon/HideFastUserSwitching](./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching) +- [WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart](./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart) +- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging) +- [WirelessDisplay/AllowProjectionToPC](./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc) +- [WirelessDisplay/RequirePinForPairing](./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing) + + +## Policies supported by Windows Holographic for Business + +- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection) +- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps) +- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate) +- 
[ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) +- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) +- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) +- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) +- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) +- [Browser/AllowCookies](#browser-allowcookies) +- [Browser/AllowDoNotTrack](#browser-allowdonottrack) +- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) +- [Browser/AllowPopups](#browser-allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) +- [Browser/AllowSmartScreen](#browser-allowsmartscreen) +- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword) +- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) +- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) +- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) +- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) +- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) +- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) +- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) +- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) +- [Experience/AllowCortana](#experience-allowcortana) +- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment) +- [Privacy/AllowCrossDeviceClipboard](#privacy-allowcrossdeviceclipboard) +- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) +- [Privacy/LetAppsAccessGazeInput](#privacy-letappsaccessgazeinput) +- 
[Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](#privacy-letappsaccessgazeinput-forceallowtheseapps) +- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](#privacy-letappsaccessgazeinput-forcedenytheseapps) +- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](#privacy-letappsaccessgazeinput-userincontroloftheseapps) +- [Privacy/UploadUserActivities](#privacy-uploaduseractivities) +- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) +- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) +- [Settings/AllowDateTime](#settings-allowdatetime) +- [Settings/AllowVPN](#settings-allowvpn) +- [System/AllowLocation](#system-allowlocation) +- [System/AllowTelemetry](#system-allowtelemetry) +- [Update/AllowAutoUpdate](#update-allowautoupdate) +- [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) +- [Update/RequireUpdateApproval](#update-requireupdateapproval) +- [Update/UpdateServiceUrl](#update-updateserviceurl) + + + +## Policies that can be set using Exchange Active Sync (EAS) + +- [Browser/AllowBrowser](#browser-allowbrowser) +- [Camera/AllowCamera](#camera-allowcamera) +- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui) +- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) +- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) +- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) +- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) +- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) +- [DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration) +- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) +- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) +- 
[DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) +- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) +- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) +- [DeviceLock/PreventLockScreenSlideShow](#devicelock-preventlockscreenslideshow) +- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) +- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) +- [System/AllowStorageCard](#system-allowstoragecard) +- [System/TelemetryProxy](#system-telemetryproxy) +- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing) +- [Wifi/AllowWiFi](#wifi-allowwifi) + + +## Examples + +Set the minimum password length to 4 characters. + +``` syntax + + + + $CmdID$ + + + ./Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength + + + int + + 4 + + + + + +``` + +Do not allow NFC. + +``` syntax + + + + $CmdID$ + + + ./Vendor/MSFT/Policy/Config/Connectivity/AllowNFC + + + int + + 0 + + + + + +``` + +## Related topics + [Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index 16115c79c9..f91a9e7031 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 05/14/2018 --- # Policy CSP - AboveLock @@ -50,7 +50,7 @@ ms.date: 03/12/2018
                - + @@ -105,7 +105,7 @@ The following list shows the supported values: - + @@ -163,7 +163,7 @@ The following list shows the supported values: - + diff --git a/windows/client-management/mdm/policy-csp-accountpoliciesaccountlockoutpolicy.md b/windows/client-management/mdm/policy-csp-accountpoliciesaccountlockoutpolicy.md deleted file mode 100644 index 7cee27e382..0000000000 --- a/windows/client-management/mdm/policy-csp-accountpoliciesaccountlockoutpolicy.md +++ /dev/null @@ -1,186 +0,0 @@ ---- -title: Policy CSP - AccountPoliciesAccountLockoutPolicy -description: Policy CSP - AccountPoliciesAccountLockoutPolicy -ms.author: maricia -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 ---- - -# Policy CSP - AccountPoliciesAccountLockoutPolicy - -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - - -
                - - -## AccountPoliciesAccountLockoutPolicy policies - -
                -
                - AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration -
                -
                - AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold -
                -
                - AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter -
                -
                - - -
                - - -**AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration** - - -

                Added a new CSP in Windows 10, version 1803.

                [MDM Migration Analysis Too (MMAT)](http://aka.ms/mmat)

                Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.

                +
                [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)

                Added the DDF download of Windows 10, version 1803 configuration service providers.

                [Policy CSP](policy-configuration-service-provider.md)

                Added the following new policies for Windows 10, version 1803:

                  -
                • AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration
                • -
                • AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold
                • Browser/AllowConfigurationUpdateForBooksLibrary
                • Browser/AlwaysEnableBooksLibrary
                • Browser/EnableExtendedBooksTelemetry
                • Browser/UseSharedFolderForBooks
                • -
                • AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter
                • DeliveryOptimization/DODelayBackgroundDownloadFromHttp
                • DeliveryOptimization/DODelayForegroundDownloadFromHttp
                • DeliveryOptimization/DOGroupIdSource
                • @@ -1881,7 +2219,6 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
                • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
                • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
                • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
                • -
                • LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers
                • LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
                • LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
                • LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
                • @@ -2131,7 +2468,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
                • ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
                • DomainName - fully qualified domain name if the device is domain-joined.
                -

                For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.

                +

                For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.

                [EntepriseAPN CSP](enterpriseapn-csp.md)[Mobile device enrollment](mobile-device-enrollment.md)

                Added the following statement:

                  -
                • Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
                • +
                • Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
                cross mark cross markcross mark cross mark cross mark check mark
                cross mark check mark1check mark1 check mark1 check mark1 check mark1
                cross mark check markcheck mark check mark check mark check mark
                - - - - - - - - - - - - - - - - - - -
                HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                cross markcheck mark4check mark4check mark4check mark4cross markcross mark
                - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                - - - -Added in Windows 10, next major release. This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it. - -If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. - -Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. - - - - -
                - - -**AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold** - - - - - - - - - - - - - - - - - - - - - -
                HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                cross markcheck mark4check mark4check mark4check mark4cross markcross mark
                - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                - - - -Added in Windows 10, next major release. This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out. - -Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts. - -Default: 0. - - - - -
                - - -**AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter** - - - - - - - - - - - - - - - - - - - - - -
                HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                cross markcheck mark4check mark4check mark4check mark4cross markcross mark
                - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                - - - -Added in Windows 10, next major release. This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. - -If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration. - -Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. - - - -
                - -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. - - - diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index 5eb439322d..7b0ad06974 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 07/30/2018 --- # Policy CSP - Accounts @@ -53,7 +53,7 @@ ms.date: 03/12/2018 cross mark check mark - + check mark check mark check mark check mark @@ -108,7 +108,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -210,7 +210,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -248,9 +248,4 @@ Footnote: - -## Accounts policies supported by Windows Holographic for Business - -- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection) - diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 2563d21bc2..64bdd52d8f 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/12/2018 --- diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 02d3d2895e..3961d870d8 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md 
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -5,15 +5,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 04/16/2018 --- # Policy CSP - ApplicationDefaults -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
                @@ -83,7 +80,7 @@ ADMX Info: -To create create the SyncML, follow these steps: +To create the SyncML, follow these steps:
                1. Install a few apps and change your defaults.
                2. From an elevated prompt, run "dism /online /export-defaultappassociations:appassoc.xml"
                3. diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 082ad6881d..07794eb48f 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 04/16/2018 +author: MariciaAlforque +ms.date: 08/08/2018 --- # Policy CSP - ApplicationManagement @@ -45,6 +45,9 @@ ms.date: 04/16/2018
                  ApplicationManagement/DisableStoreOriginatedApps
                  +
                  + ApplicationManagement/LaunchAppAfterLogOn +
                  ApplicationManagement/MSIAllowUserControlOverInstall
                  @@ -60,6 +63,9 @@ ms.date: 04/16/2018
                  ApplicationManagement/RestrictAppToSystemVolume
                  +
                  + ApplicationManagement/ScheduleForceRestartForUpdateFailures +
                  @@ -82,7 +88,7 @@ ms.date: 04/16/2018 check mark check mark - + check mark check mark check mark check mark @@ -143,7 +149,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -204,7 +210,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -265,7 +271,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark cross mark @@ -328,7 +334,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -388,7 +394,7 @@ The following list shows the supported values: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -440,7 +446,7 @@ The following list shows the supported values: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -505,7 +511,7 @@ Value evaluation rule - The information for PolicyManager is opaque. There is no cross mark cross mark - + cross mark check mark1 check mark1 cross mark @@ -546,6 +552,69 @@ The following list shows the supported values:
                  + +**ApplicationManagement/LaunchAppAfterLogOn** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are launched after logon. This policy allows the IT admin to specify a list of applications that users can run after logging on to the device. + +For this policy to work, the Windows apps need to declare in their manifest that they will use the start up task. Example of the declaration here: + +``` syntax + + + +``` + +> [!Note] +> This policy only works on modern apps. + + + + + + + + + + + + + +
                  + **ApplicationManagement/MSIAllowUserControlOverInstall** @@ -563,7 +632,7 @@ The following list shows the supported values: cross mark check mark4 - check mark4 + cross mark check mark4 check mark4 cross mark @@ -626,7 +695,7 @@ This setting supports a range of values between 0 and 1. cross mark check mark4 - check mark4 + cross mark check mark4 check mark4 cross mark @@ -690,7 +759,7 @@ This setting supports a range of values between 0 and 1. cross mark cross mark - + cross mark check mark check mark check mark @@ -752,7 +821,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -812,7 +881,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -852,6 +921,123 @@ The following list shows the supported values: + +
                  + + +**ApplicationManagement/ScheduleForceRestartForUpdateFailures** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcross markcross markcheck mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +To ensure apps are up-to-date, this policy allows the admins to set a recurring or one time date to restart apps whose update failed due to the app being in use allowing the update to be applied. + +Value type is string. + + + + + +Sample SyncML: + +``` syntax + + + + 2 + + + ./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/ScheduleForceRestartForUpdateFailures + + + + xml + + + + + + + + +``` +XSD: + +``` syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + + + + + +
                  Footnote: @@ -860,20 +1046,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. - -## ApplicationManagement policies supported by Windows Holographic for Business - -- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps) -- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate) -- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) - - - -## ApplicationManagement policies supported by IoT Core - -- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) - - diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md index 386d22dfe2..5bddec2b4c 100644 --- a/windows/client-management/mdm/policy-csp-appruntime.md +++ b/windows/client-management/mdm/policy-csp-appruntime.md @@ -5,15 +5,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 04/16/2018 --- # Policy CSP - AppRuntime -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
                  diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index 562a5224dc..d3d1e3c5a4 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 08/08/2018 --- # Policy CSP - AppVirtualization @@ -124,8 +124,8 @@ ms.date: 03/12/2018 cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -182,8 +182,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -240,8 +240,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -298,8 +298,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -356,8 +356,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -414,8 +414,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -482,8 +482,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -540,8 +540,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -598,8 +598,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -656,8 +656,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -714,8 +714,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark 
@@ -772,8 +772,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -830,8 +830,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -906,8 +906,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -982,8 +982,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1058,8 +1058,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1134,8 +1134,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1210,8 +1210,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1268,8 +1268,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1326,8 +1326,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1384,8 +1384,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1442,8 +1442,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1500,8 +1500,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1558,8 +1558,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1616,8 +1616,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1674,8 +1674,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark 
@@ -1732,8 +1732,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark @@ -1790,8 +1790,8 @@ ADMX Info: cross mark - check mark - check mark + cross mark + cross mark check mark check mark cross mark diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md index 7b97a87a4b..65d3b9a405 100644 --- a/windows/client-management/mdm/policy-csp-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/12/2018 --- diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index f83bb3905c..7578533727 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -5,12 +5,14 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 07/30/2018 --- # Policy CSP - Authentication +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
                  @@ -34,6 +36,15 @@ ms.date: 03/12/2018
                  Authentication/AllowSecondaryAuthenticationDevice
                  +
                  + Authentication/EnableFastFirstSignIn
                  +
                  +
                  + Authentication/EnableWebSignIn
                  +
                  +
                  + Authentication/PreferredAadTenantDomainName
                  +
                  @@ -106,7 +117,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark cross mark @@ -156,7 +167,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark check mark @@ -262,7 +273,7 @@ The following list shows the supported values: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -283,7 +294,7 @@ The following list shows the supported values: Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows. -The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD). +The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premises only environment, cloud domain-joined in a hybrid environment, and BYOD). @@ -302,6 +313,182 @@ The following list shows the supported values: + +
                  + + +**Authentication/EnableFastFirstSignIn** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts. + +Value type is integer. Supported values: + +- 0 - (default) The feature defaults to the existing SKU and device capabilities. +- 1 - Enabled. Auto connect new non-admin AZure AD accounts to pre-configured candidate local accounts +- 2 - Disabled. Do not auto connect new non-admin Azure AD accounts to pre-configured local accounts + + + + + + + + + + + + + +
                  + + +**Authentication/EnableWebSignIn** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for non-ADFS federated providers (e.g. SAML). + +> [!Note] +> Web Sign-in is only supported on Azure AD Joined PCs. + +Value type is integer. Supported values: + +- 0 - (default) The feature defaults to the existing SKU and device capabilities. +- 1 - Enabled. Web Credential Provider will be enabled for Sign In +- 2 - Disabled. Web Credential Provider will not be enabled for Sign In + + + + + + + + + + + + + +
                  + + +**Authentication/PreferredAadTenantDomainName** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Specifies the preferred domain among available domains in the Azure AD tenant. + +Example: If your organization is using the "@contoso.com" tenant domain name, the policy value should be "contoso.com". For the user "abby@constoso.com", she would then be able to sign in using "abby" in the username field instead of "abby@contoso.com". + + +Value type is string. + + + + + + + + + + + +
                  Footnote: @@ -310,18 +497,6 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. - - -## Authentication policies supported by Windows Holographic for Business - -- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) - - - -## Authentication policies supported by IoT Core - -- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) - - diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md index c748e76ae7..efefb6de1e 100644 --- a/windows/client-management/mdm/policy-csp-autoplay.md +++ b/windows/client-management/mdm/policy-csp-autoplay.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/12/2018 --- diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index fa358dcb81..55976c06ee 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 06/22/2018 --- # Policy CSP - Bitlocker @@ -44,7 +44,7 @@ ms.date: 03/12/2018 cross mark check mark - + check mark check mark check mark check mark @@ -68,34 +68,6 @@ Specifies the BitLocker Drive Encryption method and cipher strength. > [!NOTE] > XTS-AES 128-bit and XTS-AES 256-bit values are only supported on Windows 10 for desktop. -You can find the following policies in BitLocker CSP: -
                  -
                  - BitLocker/EncryptionMethodByDriveType
                  -
                  -
                  - BitLocker/FixedDrivesRecoveryOptions
                  -
                  -
                  - BitLocker/FixedDrivesRequireEncryption
                  -
                  -
                  - BitLocker/RemovableDrivesRequireEncryption
                  -
                  -
                  - BitLocker/SystemDrivesMinimumPINLength
                  -
                  -
                  - BitLocker/SystemDrivesRecoveryMessage
                  -
                  -
                  - BitLocker/SystemDrivesRecoveryOptions
                  -
                  -
                  - BitLocker/SystemDrivesRequireStartupAuthentication
                  -
                  -
                  - The following list shows the supported values: diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md new file mode 100644 index 0000000000..c9fdf5ff82 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -0,0 +1,504 @@ +--- +title: Policy CSP - BITS +description: Policy CSP - BITS +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 06/29/2018 +--- + +# Policy CSP - BITS + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +The following bandwidth policies are used together to define the bandwidth-throttling schedule and transfer rate. + +- BITS/BandwidthThrottlingEndTime +- BITS/BandwidthThrottlingStartTime +- BITS/BandwidthThrottlingTransferRate + +If BITS/BandwidthThrottlingStartTime or BITS/BandwidthThrottlingEndTime are NOT defined, but BITS/BandwidthThrottlingTransferRate IS defined, then default values will be used for StartTime and EndTime (8am and 5pm respectively). The time policies are based on the 24-hour clock. + +
                  + + +## BITS policies + +
                  +
                  + BITS/BandwidthThrottlingEndTime
                  +
                  +
                  + BITS/BandwidthThrottlingStartTime
                  +
                  +
                  + BITS/BandwidthThrottlingTransferRate
                  +
                  +
                  + BITS/CostedNetworkBehaviorBackgroundPriority
                  +
                  +
                  + BITS/CostedNetworkBehaviorForegroundPriority
                  +
                  +
                  + BITS/JobInactivityTimeout
                  +
                  +
                  + + +
                  + + +**BITS/BandwidthThrottlingEndTime** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  check mark5check mark5cross markcheck mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy specifies the bandwidth throttling **end time** that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. + +Value type is integer. Default value is 17 (5 pm). + +Supported value range: 0 - 23 + +You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours. + +Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. + +If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. + +Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. + +Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). + + + +ADMX Info: +- GP English name: *Limit the maximum network bandwidth for BITS background transfers* +- GP name: *BITS_MaxBandwidth* +- GP element: *BITS_BandwidthLimitSchedTo* +- GP path: *Network/Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + + + + + + + + + + +
                  + + +**BITS/BandwidthThrottlingStartTime** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  check mark5check mark5cross markcheck mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy specifies the bandwidth throttling **start time** that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. + +Value type is integer. Default value is 8 (8 am). + +Supported value range: 0 - 23 + +You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours. + +Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. + +If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. + +Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. + +Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). + + + +ADMX Info: +- GP English name: *Limit the maximum network bandwidth for BITS background transfers* +- GP name: *BITS_MaxBandwidth* +- GP element: *BITS_BandwidthLimitSchedFrom* +- GP path: *Network/Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + + + + + + + + + + +
                  + + +**BITS/BandwidthThrottlingTransferRate** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  check mark5check mark5cross markcheck mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy specifies the bandwidth throttling **transfer rate** in kilobits per second (Kbps) that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. + +Value type is integer. Default value is 1000. + +Supported value range: 0 - 4294967200 + +You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours. + +Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. + +If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. + +Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. + +Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). + + + +ADMX Info: +- GP English name: *Limit the maximum network bandwidth for BITS background transfers* +- GP name: *BITS_MaxBandwidth* +- GP element: *BITS_MaxTransferRateText* +- GP path: *Network/Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + + + + + + + + + + +
                  + + +**BITS/CostedNetworkBehaviorBackgroundPriority** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  check mark5check mark5cross markcheck mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting defines the default behavior that the Background Intelligent Transfer Service (BITS) uses for background transfers when the system is connected to a costed network (3G, etc.). Download behavior policies further limit the network usage of background transfers. + +If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority. + +For example, you can specify that background jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are: +- 1 - Always transfer +- 2 - Transfer unless roaming +- 3 - Transfer unless surcharge applies (when not roaming or overcap) +- 4 - Transfer unless nearing limit (when not roaming or nearing cap) +- 5 - Transfer only if unconstrained + + + +ADMX Info: +- GP English name: *Set default download behavior for BITS jobs on costed networks* +- GP name: *BITS_SetTransferPolicyOnCostedNetwork* +- GP element: *BITS_TransferPolicyNormalPriorityValue* +- GP path: *Network/Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + + + + + + + + + + +
                  + + +**BITS/CostedNetworkBehaviorForegroundPriority** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  check mark5check mark5cross markcheck mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting defines the default behavior that the foreground Intelligent Transfer Service (BITS) uses for foreground transfers when the system is connected to a costed network (3G, etc.). Download behavior policies further limit the network usage of foreground transfers. + +If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority. + +For example, you can specify that foreground jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are: +- 1 - Always transfer +- 2 - Transfer unless roaming +- 3 - Transfer unless surcharge applies (when not roaming or overcap) +- 4 - Transfer unless nearing limit (when not roaming or nearing cap) +- 5 - Transfer only if unconstrained + + + +ADMX Info: +- GP English name: *Set default download behavior for BITS jobs on costed networks* +- GP name: *BITS_SetTransferPolicyOnCostedNetwork* +- GP element: *BITS_TransferPolicyForegroundPriorityValue* +- GP path: *Network/Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + + + + + + + + + + +
                  + + +**BITS/JobInactivityTimeout** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  check mark5check mark5cross markcheck mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be abandoned, the job is deleted from BITS and any downloaded files for the job are deleted from the disk. + +> [!Note] +> Any property changes to the job or any successful download action will reset this timeout. + +Value type is integer. Default is 90 days. + +Supported values range: 0 - 999 + +Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs. +Consider decreasing this value if you are concerned about orphaned jobs occupying disk space. + +If you disable or do not configure this policy setting, the default value of 90 (days) will be used for the inactive job timeout. + + + +ADMX Info: +- GP English name: *Timeout for inactive BITS jobs* +- GP name: *BITS_Job_Timeout* +- GP element: *BITS_Job_Timeout_Time* +- GP path: *Network/Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + +Value type is integer. Default is 90 days. + +Supported values range: 0 - 999 + + + + + + + + + + +
                  + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. + + + diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 0205e259b0..592beedb9a 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -5,14 +5,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 04/06/2018 +author: MariciaAlforque +ms.date: 08/08/2018 --- # Policy CSP - Bluetooth -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
                  @@ -61,7 +59,7 @@ ms.date: 04/06/2018 cross mark check mark - + check mark check mark check mark check mark @@ -115,7 +113,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -169,7 +167,7 @@ The following list shows the supported values: cross mark check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -221,7 +219,7 @@ The following list shows the supported values: check mark4 check mark4 check mark4 - cross mark + check mark4 cross mark cross mark @@ -238,22 +236,16 @@ The following list shows the supported values: -Added in Windows 10, version 1803. This policy allows the IT admin to block users on these managed devices from using Quick Pair and other proximity based scenarios. +Added in Windows 10, version 1803. This policy allows the IT admin to block users on these managed devices from using Swift Pair and other proximity based scenarios. The following list shows the supported values: -- 0 - Disallow. Block users on these managed devices from using Quick Pair and other proximity based scenarios -- 1 - Allow. Allow users on these managed devices to use Quick Pair and other proximity based scenarios +- 0 - Disallow. Block users on these managed devices from using Swift Pair and other proximity based scenarios +- 1 - Allow. Allow users on these managed devices to use Swift Pair and other proximity based scenarios - - - - - -
                  @@ -275,7 +267,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -322,7 +314,7 @@ If this policy is not set or it is deleted, the default local radio name is used cross mark check mark - + check mark check mark check mark check mark @@ -447,30 +439,4 @@ Footnote: * The Surface pen uses the HID over GATT profile {00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{0000111E-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB} - -## Bluetooth policies supported by Windows Holographic for Business - -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) - - - -## Bluetooth policies supported by IoT Core - -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) - - - -## Bluetooth policies supported by Microsoft Surface Hub - -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) - diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 514ff83491..49d713d18e 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md 
@@ -1,12 +1,12 @@ --- title: Policy CSP - Browser description: Policy CSP - Browser -ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 04/16/2018 +author: shortpatti +ms.author: pashort +ms.date: 08/08/2018 --- # Policy CSP - Browser @@ -51,6 +51,9 @@ ms.date: 04/16/2018
                  Browser/AllowFlashClickToRun
                  +
                  + Browser/AllowFullScreenMode
                  +
                  Browser/AllowInPrivate
                  @@ -63,15 +66,33 @@ ms.date: 04/16/2018
                  Browser/AllowPopups
                  +
                  + Browser/AllowPrelaunch
                  +
                  +
                  + Browser/AllowPrinting
                  +
                  +
                  + Browser/AllowSavingHistory
                  +
                  Browser/AllowSearchEngineCustomization
                  Browser/AllowSearchSuggestionsinAddressBar
                  +
                  + Browser/AllowSideloadingOfExtensions
                  +
                  Browser/AllowSmartScreen
                  +
                  + Browser/AllowTabPreloading
                  +
                  +
                  + Browser/AllowWebContentOnNewTabPage
                  +
                  Browser/AlwaysEnableBooksLibrary
                  @@ -81,6 +102,24 @@ ms.date: 04/16/2018
                  Browser/ConfigureAdditionalSearchEngines
                  +
                  + Browser/ConfigureFavoritesBar
                  +
                  +
                  + Browser/ConfigureHomeButton
                  +
                  +
                  + Browser/ConfigureKioskMode
                  +
                  +
                  + Browser/ConfigureKioskResetAfterIdleTimeout
                  +
                  +
                  + Browser/ConfigureOpenMicrosoftEdgeWith
                  +
                  +
                  + Browser/ConfigureTelemetryForMicrosoft365Analytics
                  +
                  Browser/DisableLockdownOfStartPages
                  @@ -96,6 +135,9 @@ ms.date: 04/16/2018
                  Browser/FirstRunURL
                  +
                  + Browser/ForceEnabledExtensions
                  +
                  Browser/HomePages
                  @@ -105,6 +147,9 @@ ms.date: 04/16/2018
                  Browser/PreventAccessToAboutFlagsInMicrosoftEdge
                  +
                  + Browser/PreventCertErrorOverrides
                  +
                  Browser/PreventFirstRunPage
                  @@ -117,10 +162,7 @@ ms.date: 04/16/2018
                  Browser/PreventSmartScreenPromptOverrideForFiles
                  -
                  - Browser/PreventTabPreloading
                  -
                  -
                  +
                  Browser/PreventUsingLocalHostIPAddressForWebRTC
                  @@ -132,12 +174,21 @@ ms.date: 04/16/2018
                  Browser/SetDefaultSearchEngine
                  +
                  + Browser/SetHomeButtonURL
                  +
                  +
                  + Browser/SetNewTabPageURL
                  +
                  Browser/ShowMessageWhenOpeningSitesInInternetExplorer
                  Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
                  +
                  + Browser/UnlockHomeButton
                  +
                  Browser/UseSharedFolderForBooks
                  @@ -183,12 +234,10 @@ ms.date: 04/16/2018 -Added in Windows 10, version 1703. Specifies whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality.  +>*Supported versions: Microsoft Edge on Windows 10, version 1703* -> [!NOTE] -> Disabling this setting turns off the address bar drop-down functionality. Because search suggestions are shown in the drop-down list, this setting takes precedence over the Browser/AllowSearchSuggestionsinAddressBar setting. +[!INCLUDE [allow-address-bar-drop-down-shortdesc](../../../browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md)] -Most restricted value is 0. @@ -200,11 +249,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Not allowed. Address bar drop-down is disabled, which also disables the user-defined setting, "Show search and site suggestions as I type."  -- 1 (default) – Allowed. Address bar drop-down is enabled. +- 0 – Prevented/not allowed. Hide the Address bar drop-down functionality and disable the _Show search and site suggestions as I type_ toggle in Settings.  +- 1 (default) – Allowed. Show the Address bar drop-down list and make it available. +Most restricted value: 0 @@ -227,7 +277,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark cross mark @@ -247,9 +297,8 @@ The following list shows the supported values: -Specifies whether autofill on websites is allowed. -Most restricted value is 0. +[!INCLUDE [configure-autofill-shortdesc](../../../browsers/edge/shortdesc/configure-autofill-shortdesc.md)] 
@@ -261,11 +310,13 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Not allowed. +- Blank - Users can choose to use AutoFill. +- 0 – Prevented/not allowed. - 1 (default) – Allowed. +Most restricted value: 0 To verify AllowAutofill is set to 0 (not allowed): @@ -297,7 +348,7 @@ To verify AllowAutofill is set to 0 (not allowed): cross mark cross mark - + cross mark cross mark cross mark check mark @@ -320,20 +371,18 @@ To verify AllowAutofill is set to 0 (not allowed): > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead. +The device allows Microsoft Edge on Windows 10 Mobile by default. With this policy, you can disable the Microsoft Edge tile, and when clicking the tile, a message opens indicating that the administrator disabled Internet browsing. -Specifies whether the browser is allowed on the device. -Most restricted value is 0. - -When this policy is set to 0 (not allowed), the Microsoft Edge for Windows 10 Mobile tile will appear greyed out, and clicking on the tile will display a message indicating theat Internet browsing has been disabled by your administrator. -The following list shows the supported values: +Supported values: -- 0 – Not allowed. +- 0 – Prevented/not allowed. - 1 (default) – Allowed. +Most restricted value: 0 
@@ -376,14 +425,15 @@ The following list shows the supported values: -This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. + +[!INCLUDE [allow-configuration-updates-for-books-library-shortdesc](../../../browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md)] -The following list shows the supported values: +Supported values: -- 0 - Disable. Microsoft Edge cannot retrieve a configuration -- 1 - Enable (default). Microsoft Edge can retrieve a configuration for Books Library +- 0 - Prevented/not allowed. +- 1 (default). Allowed. Microsoft Edge updates the configuration data for the Books Library automatically. @@ -407,7 +457,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -427,10 +477,10 @@ The following list shows the supported values: -Specifies whether cookies are allowed. +[!INCLUDE [configure-cookies-shortdesc](../../../browsers/edge/shortdesc/configure-cookies-shortdesc.md)] + -Most restricted value is 0. @@ -443,12 +493,13 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Block all cookies -- 1 – Block only third party cookies -- 2 - Allow cookies +- 0 – Block all cookies from all sites +- 1 – Block only cookies from third party websites +- 2 - Allow all cookies from all sites +Most restricted value: 0 To verify AllowCookies is set to 0 (not allowed): @@ -480,7 +531,7 @@ To verify AllowCookies is set to 0 (not allowed): cross mark check mark - + check mark check mark check mark cross mark 
@@ -503,10 +554,7 @@ To verify AllowCookies is set to 0 (not allowed): > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - -Specifies whether employees can use F12 Developer Tools on Microsoft Edge. Turning this setting on, or not configuring it, lets employees use F12 Developer Tools. Turning this setting off stops employees from using F12 Developer Tools. - -Most restricted value is 0. +[!INCLUDE [allow-developer-tools-shortdesc](../../../browsers/edge/shortdesc/allow-developer-tools-shortdesc.md)] @@ -518,11 +566,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Not allowed. +- 0 – Prevented/not allowed. - 1 (default) – Allowed. +Most restricted value: 0 @@ -545,7 +594,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -565,9 +614,7 @@ The following list shows the supported values: -Specifies whether Do Not Track headers are allowed. - -Most restricted value is 1. +[!INCLUDE [configure-do-not-track-shortdesc](../../../browsers/edge/shortdesc/configure-do-not-track-shortdesc.md)] @@ -579,11 +626,13 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) – Not allowed. -- 1 – Allowed. +- Blank (default) - Do not send tracking information but let users choose to send tracking information to sites they visit. +- 0 - Never send tracking information. +- 1 - Send tracking information. +Most restricted value: 1 To verify AllowDoNotTrack is set to 0 (not allowed): @@ -615,7 +664,7 @@ To verify AllowDoNotTrack is set to 0 (not allowed): cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark 
@@ -635,7 +684,9 @@ To verify AllowDoNotTrack is set to 0 (not allowed): -Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed. +>*Supported versions: Microsoft Edge on Windows 10, version 1607* + +[!INCLUDE [allow-extensions-shortdesc](../../../browsers/edge/shortdesc/allow-extensions-shortdesc.md)] @@ -647,9 +698,9 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Not allowed. +- 0 – Prevented/not allowed. - 1 (default) – Allowed. @@ -674,7 +725,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark cross mark @@ -694,7 +745,9 @@ The following list shows the supported values: -Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge. + + +[!INCLUDE [allow-adobe-flash-shortdesc](../../../browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md)] @@ -706,9 +759,9 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Not allowed. +- 0 – Prevented/not allowed. - 1 (default) – Allowed. @@ -733,7 +786,7 @@ The following list shows the supported values: cross mark check mark2 - + check mark2 check mark2 check mark2 cross mark @@ -753,7 +806,10 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. +>*Supported versions: Microsoft Edge on Windows 10, version 1703* + + +[!INCLUDE [configure-adobe-flash-click-to-run-setting-shortdesc](../../../browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md)] 
@@ -765,16 +821,85 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Adobe Flash content is automatically loaded and run by Microsoft Edge. -- 1 (default) – Users must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. +- 0 – Load and run Adobe Flash content automatically. +- 1 (default) – Do not load or run Adobe Flash content automatically. Requires user action. +Most restricted value: 1
                  + +**Browser/AllowFullScreenMode** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
                  + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [allow-fullscreen-mode-shortdesc](../../../browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Allow FullScreen Mode* +- GP name: *AllowFullScreenMode* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: +- 0 - Prevented/not allowed +- 1 (default) - Allowed + +Most restricted value: 0 + + + + + + + + + +
                  + **Browser/AllowInPrivate** @@ -790,9 +915,9 @@ The following list shows the supported values: Mobile Enterprise + cross mark check mark check mark - check mark check mark check mark @@ -812,9 +937,9 @@ The following list shows the supported values: -Specifies whether InPrivate browsing is allowed on corporate networks. +[!INCLUDE [allow-inprivate-browsing-shortdesc](../../../browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md)] -Most restricted value is 0. +Most restricted value: 0 @@ -826,10 +951,10 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 – Prevented/not allowed +- 1 (default) – Allowed @@ -873,12 +998,12 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Specifies whether to use the Microsoft compatibility list in Microsoft Edge. The Microsoft compatibility list is a Microsoft-provided list that enables sites with known compatibility issues to display properly. -By default, the Microsoft compatibility list is enabled and can be viewed by visiting "about:compat". +>*Supported versions: Microsoft Edge on Windows 10, version 1703* -If you enable or don’t configure this setting, Microsoft Edge periodically downloads the latest version of the compatibility list from Microsoft, applying the updates during browser navigation. Visiting any site on the compatibility list prompts the employee to use Internet Explorer 11 (or enables/disables certain browser features on mobile), where the site is automatically rendered as though it’s run in the version of Internet Explorer necessary for it to display properly. If you disable this setting, the compatibility list isn’t used during browser navigation. -Most restricted value is 0. +[!INCLUDE [allow-microsoft-compatibility-list-shortdesc](../../../browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md)] + +Most restricted value: 0 
@@ -890,10 +1015,10 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Not enabled. -- 1 (default) – Enabled. +- 0 – Prevented/not allowed +- 1 (default) – Allowed @@ -917,7 +1042,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -937,9 +1062,8 @@ The following list shows the supported values: -Specifies whether saving and managing passwords locally on the device is allowed. +[!INCLUDE [configure-password-manager-shortdesc](../../../browsers/edge/shortdesc/configure-password-manager-shortdesc.md)] -Most restricted value is 0. @@ -951,10 +1075,13 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- Blank - Users can shoose to save and manage passwords locally. +- 0 – Not allowed. +- 1 (default) – Allowed. + +Most restricted value: 0 @@ -987,7 +1114,7 @@ To verify AllowPasswordManager is set to 0 (not allowed): cross mark check mark - + check mark check mark check mark cross mark @@ -1007,9 +1134,8 @@ To verify AllowPasswordManager is set to 0 (not allowed): -Specifies whether pop-up blocker is allowed or enabled. -Most restricted value is 1. +[!INCLUDE [configure-pop-up-blocker-shortdesc](../../../browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md)] @@ -1021,11 +1147,13 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) – Pop-up blocker is not allowed. It means that pop-up browser windows are allowed. -- 1 – Pop-up blocker is allowed or enabled. It means that pop-up browser windows are blocked. +- Blank - Users can choose to use Pop-up Blocker. +- 0 (default) – Turn off Pop-up Blocker letting pop-up windows open. +- 1 – Turn on Pop-up Blocker stopping pop-up windows from opening. +Most restricted value: 1 To verify AllowPopups is set to 0 (not allowed): @@ -1040,6 +1168,211 @@ To verify AllowPopups is set to 0 (not allowed):
                  + +**Browser/AllowPrelaunch** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
                  + + + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + +[!INCLUDE [allow-prelaunch-shortdesc](../../../browsers/edge/shortdesc/allow-prelaunch-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed* +- GP name: *AllowPrelaunch* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: +- 0 - Prevented/not allowed +- 1 (default) - Allowed + +Most restricted value: 0 + + + + + + + + + +
                  + + +**Browser/AllowPrinting** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
                  + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [allow-printing-shortdesc](../../../browsers/edge/shortdesc/allow-printing-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Allow printing* +- GP name: *AllowPrinting* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: +- 0 - Prevented/not allowed +- 1 (default) - Allowed + +Most restricted value: 0 + + + + + + + + + +
                  + + +**Browser/AllowSavingHistory** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
                  + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [allow-saving-history-shortdesc](../../../browsers/edge/shortdesc/allow-saving-history-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Allow Saving History* +- GP name: *AllowSavingHistory* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: +- 0 - Prevented/not allowed +- 1 (default) - Allowed + +Most restricted value: 0 + + + + + + + + + +
                  + **Browser/AllowSearchEngineCustomization** @@ -1077,11 +1410,13 @@ To verify AllowPopups is set to 0 (not allowed): -Added in Windows 10, version 1703. Allows search engine customization for MDM-enrolled devices. Users can change their default search engine.  -   -If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge settings. If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. This policy applies only on domain-joined machines or when the device is MDM-enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy).  -Most restricted value is 0. +>*Supported versions: Microsoft Edge on Windows 10, version 1703* + + +[!INCLUDE [allow-search-engine-customization-shortdesc](../../../browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md)] + + @@ -1093,10 +1428,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 – Prevented/not allowed +- 1 (default) – Allowed + +Most restricted value: 0 @@ -1120,7 +1457,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -1140,9 +1477,7 @@ The following list shows the supported values: -Specifies whether search suggestions are allowed in the address bar. - -Most restricted value is 0. +[!INCLUDE [configure-search-suggestions-in-address-bar-shortdesc](../../../browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md)] 
@@ -1154,16 +1489,87 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- Blank (default) - Users can choose to see search suggestions. +- 0 – Prevented/not allowed. Hide the search suggestions. +- 1 – Allowed. Show the search suggestions. +Most restricted value: 0
                  + +**Browser/AllowSideloadingOfExtensions** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
                  + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [allow-sideloading-of-extensions-shortdesc](../../../browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Allow Sideloading of extension* +- GP name: *AllowSideloadingOfExtensions* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- 0 - Prevented, but does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). +- 1 (default) - Allowed. + +Most restricted value: 0 + + + + + + + + + +
                  + **Browser/AllowSmartScreen** @@ -1181,7 +1587,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -1201,9 +1607,7 @@ The following list shows the supported values: -Specifies whether Windows Defender SmartScreen is allowed. - -Most restricted value is 1. +[!INCLUDE [configure-windows-defender-smartscreen-shortdesc](../../../browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md)] @@ -1215,11 +1619,13 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- Blank - Users can choose to use Windows Defender SmartScreen or not. +- 0 – Turned off. Do not protect users from potential threats and prevent users from turning it on. +- 1 (default) – Turned on. Protect users from potential threats and prevent users from turning it off. +Most restricted value: 1 To verify AllowSmartScreen is set to 0 (not allowed): @@ -1234,6 +1640,143 @@ To verify AllowSmartScreen is set to 0 (not allowed):
                  + +**Browser/AllowTabPreloading** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
                  + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [allow-tab-preloading-shortdesc](../../../browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Allow Microsoft Edge to start and load the Start and New Tab pages in the background at Windows startup and each time Microsoft Edge is closed* +- GP name: *AllowTabPreloading* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- 0 (default) - Allowed. Preload Start and New tab pages. +- 1 - Prevented/not allowed. + +Most restricted value: 1 + + + + + + + + + +
                  + + +**Browser/AllowWebContentOnNewTabPage** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
                  + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../../../browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] + + +ADMX Info: +- GP English name: *Allow web content on New Tab page* +- GP name: *AllowWebContentOnNewTabPage* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- Blank - Users can choose what loads on the New tab page. +- 0 - Load a blank page instead of the default New tab page and prevent users from changing it. +- 1 (default) - Load the default New tab page. + + + + + + + + + + +
                  + **Browser/AlwaysEnableBooksLibrary** @@ -1271,7 +1814,10 @@ To verify AllowSmartScreen is set to 0 (not allowed): -Added in Windows 10, next majot update. Always show the Books Library in Microsoft Edge + +[!INCLUDE [always-show-books-library-shortdesc](../../../browsers/edge/shortdesc/always-show-books-library-shortdesc.md)] + + @@ -1283,11 +1829,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) - Disable. Use default visibility of the Books Library. The Library will be only visible in countries or regions where it’s available. -- 1 - Enable. Always show the Books Library, regardless of countries or region of activation. +- 0 (default) - Show the Books Library only in countries or regions where supported. +- 1 - Show the Books Library, regardless of the device’s country or region. +Most restricted value: 0 @@ -1330,9 +1877,9 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Specifies whether to clear browsing data on exiting Microsoft Edge. +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* -Most restricted value is 1. +[!INCLUDE [allow-clearing-browsing-data-on-exit-shortdesc](../../../browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md)] 
@@ -1344,18 +1891,20 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 – (default) Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings. -- 1 – Browsing data is cleared on exit. +- 0 – (default) Prevented/not allowed. Users can configure the _Clear browsing data_ option in Settings. +- 1 – Allowed. Clear the browsing data upon exit automatically. +Most restricted value: 1 To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1): -1. Open Microsoft Edge and browse to websites. -2. Close the Microsoft Edge window. -3. Open Microsoft Edge and start typing the same URL in address bar. Verify that it does not auto-complete from history. +1. Open Microsoft Edge and browse to websites. +2. Close the Microsoft Edge window. +3. Open Microsoft Edge and start typing the same URL in address bar. +4. Verify that it does not auto-complete from history. 
@@ -1399,19 +1948,14 @@ To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set -Added in Windows 10, version 1703. Allows you to add up to 5 additional search engines for MDM-enrolled devices.  -  -If this policy is enabled, you can add up to 5 additional search engines for your employees. For each additional search engine you want to add, specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). -Employees cannot remove these search engines, but they can set any one as the default. This setting does not affect the default search engine.  +>*Supported versions: Microsoft Edge on Windows 10, version 1703* + +[!INCLUDE [configure-additional-search-engines-shortdesc](../../../browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md)] -If this setting is not configured, the search engines used are the ones that are specified in the App settings. If this setting is disabled, the search engines you added will be deleted from your employee's machine. -  > [!IMPORTANT] > Due to Protected Settings (aka.ms/browserpolicy), this setting will apply only on domain-joined machines or when the device is MDM-enrolled.  -Most restricted value is 0. - ADMX Info: @@ -1423,12 +1967,460 @@ ADMX Info: -The following list shows the supported values: +Supported values: + +- 0 (default) – Prevented/not allowed. Microsoft Edge uses the search engine specified in App settings.

                  If you enabled this policy and now want to disable it, disabling removes all previously configured search engines. +- 1 – Allowed. Add up to five additional search engines and set any one of them as the default.

                  For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). + +Most restricted value: 0 + + + +


                  + + +**Browser/ConfigureFavoritesBar** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
                  + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [configure-favorites-bar-shortdesc](../../../browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Configure Favorites Bar* +- GP name: *ConfigureFavoritesBar* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- Blank (default) - Hide the favorites bar but show it on the Start and New tab pages. The favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. +- 0 - Hide the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to Off and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. +- 1 - Show the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to On and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. -- 0 (default) – Additional search engines are not allowed. -- 1 – Additional search engines are allowed. + + + + + + + + +
                  + + +**Browser/ConfigureHomeButton** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
                  + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [configure-home-button-shortdesc](../../../browsers/edge/shortdesc/configure-home-button-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Configure Home Button* +- GP name: *ConfigureHomeButton* +- GP element: *ConfigureHomeButtonDropdown* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- 0 (default) - Show home button and load the Start page. +- 1 - Show home button and load the New tab page. +- 2 - Show home button and load the custom URL defined in the Set Home Button URL policy. +- 3 - Hide home button. + +>[!TIP] +>If you want to make changes to this policy:
                  1. Set the **Unlock Home Button** policy to 1 (enabled).
                  2. Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.
                  3. Set the **Unlock Home Button** policy to 0 (disabled).
                  + + + + + + + + + + + +
                  + + +**Browser/ConfigureKioskMode** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
                  + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [configure-kiosk-mode-shortdesc](../../../browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md)] + +For this policy to work, you must configure Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc). + + + + + +ADMX Info: +- GP English name: *Configure kiosk mode* +- GP name: *ConfigureKioskMode* +- GP element: *ConfigureKioskMode_TextBox* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +**0 (Default or not configured)**: +- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. +- If it’s one of many apps, Microsoft Edge runs as normal. + +**1**: +- • If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. _**For single-app public browsing:**_ If you do not configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time. +- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. + + + + + + + + + +
                  + + +**Browser/ConfigureKioskResetAfterIdleTimeout** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
                  + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../../../browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] + +You must set the Configure kiosk mode policy to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc). + + + +ADMX Info: +- GP English name: *Configure kiosk reset after idle timeout* +- GP name: *ConfigureKioskResetAfterIdleTimeout* +- GP element: *ConfigureKioskResetAfterIdleTimeout_TextBox* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: +- **Any integer from 1-1440 (5 minutes is the default)** – The time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. A confirmation dialog displays for the user to cancel or continue and automatically continues after 30 seconds. + +- **0** – No idle timer. + + + + + + + + + +
                  + + +**Browser/ConfigureOpenMicrosoftEdgeWith** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
                  + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../../../browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] + +**Version 1703 or later**:
                  +If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non domain-joined devices when it's the only configured URL. + + +**Version 1810**:
                  +When you enable this policy and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy. + + + +ADMX Info: +- GP English name: *Configure Open Microsoft Edge With* +- GP name: *ConfigureOpenEdgeWith* +- GP element: *ConfigureOpenEdgeWithListBox* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- Blank - If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. +- 0 - Load the Start page. +- 1 - Load the New tab page. +- 2 - Load the previous pages. +- 3 (default) - Load a specific page or pages. + +>[!TIP] +>If you want to make changes to this policy:
                  1. Set the Disabled Lockdown of Start Pages policy to 0 (not configured).
                  2. Make changes to the Configure Open Microsoft With policy.
                  3. Set the Disabled Lockdown of Start Pages policy to 1 (enabled).
                  + + + + + + + + + + + +
                  + + +**Browser/ConfigureTelemetryForMicrosoft365Analytics** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+
+
+[!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../../../browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)]
+
+
+
+ADMX Info:
+- GP English name: *Configure collection of browsing data for Microsoft 365 Analytics*
+- GP name: *ConfigureTelemetryForMicrosoft365Analytics*
+- GP element: *ZonesListBox*
+- GP path: *Data Collection and Preview Builds*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+Supported values:
+
+- 0 (default) - No data collected or sent
+- 1 - Send intranet history only
+- 2 - Send Internet history only
+- 3 - Send both intranet and Internet history
+
+Most restricted value: 0
+
+
+
+
+
+
+
                  @@ -1470,15 +2462,17 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Boolean value that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when the Browser/HomePages policy is in effect.  +>*Supported versions: Microsoft Edge on Windows 10, version 1703* + +[!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../../../browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md)]    > [!NOTE] > This policy has no effect when the Browser/HomePages policy is not configured.    > [!IMPORTANT] -> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy). +> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy). -Most restricted value is 0. +Most restricted value: 0 @@ -1490,11 +2484,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) – Enable lockdown of the Start pages according to the settings specified in the Browser/HomePages policy. Users cannot change the Start pages.  -- 1 – Disable lockdown of the Start pages and allow users to modify them. +- 0 – Locked. Lockdown the Start pages configured in either the Configure Open Microsoft Edge With policy or Configure Start Pages policy.  +- 1 (default) – Unlocked. Users can make changes to all configured start pages.

                  When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. +Most restricted value: 0 @@ -1537,9 +2532,8 @@ The following list shows the supported values: -This policy setting lets you decide how much data to send to Microsoft about the book you're reading from the Books tab in Microsoft Edge. -If you enable this setting, Microsoft Edge sends additional diagnostic data, on top of the basic diagnostic data, from the Books tab. If you disable or don't configure this setting, Microsoft Edge only sends basic diagnostic data, depending on your device configuration. +[!INCLUDE [allow-extended-telemetry-for-books-tab-shortdesc](../../../browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md)] @@ -1551,11 +2545,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) - Disable. No additional diagnostic data. -- 1 - Enable. Additional diagnostic data for schools. +- 0 (default) - Gather and send only basic diagnotic data, depending on the device configuration. +- 1 - Gather both basic and additional data, such as usage data. +Most restricted value: 0 @@ -1578,7 +2573,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark cross mark @@ -1598,11 +2593,14 @@ The following list shows the supported values: + +[!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../../../browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md)] + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.   -Allows the user to specify an URL of an enterprise site list. + 
@@ -1615,10 +2613,10 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- Not configured. The device checks for updates from Microsoft Update. -- Set to a URL location of the enterprise site list. +- 0 (default) - Turned off. Microsoft Edge does not check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps. +- Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the {URI} box. @@ -1640,9 +2638,9 @@ The following list shows the supported values: Mobile Enterprise + cross mark check mark check mark - check mark check mark check mark @@ -1663,7 +2661,7 @@ The following list shows the supported values: > [!IMPORTANT] -> This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist). +> We discontinued this policy in Windows 10, version 1511. Use the [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) policy instead. @@ -1687,7 +2685,7 @@ The following list shows the supported values: cross mark cross mark - + cross mark cross mark cross mark check mark 
@@ -1710,18 +2708,75 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. +Enter a URL in string format for the site you want to load when Microsoft Edge for Windows 10 Mobile opens for the first time, for example, contoso.com. -Specifies the URL that Microsoft Edge for Windows 10 Mobile. will use when it is opened the first time. - -The data type is a string. - -The default value is an empty string. Otherwise, the string should contain the URL of the webpage users will see the first time Microsoft Edge is run. For example, “contoso.com”. +Data type = String


                  + +**Browser/ForceEnabledExtensions** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
                  + + + +This setting lets you decide which extensions should be always enabled. + + + +ADMX Info: +- GP name: *ForceEnabledExtensions* +- GP element: *ForceEnabledExtensions_List* +- GP ADMX file name: *MicrosoftEdge.admx* + + + + + + + + + + + + + +
                  + **Browser/HomePages** @@ -1739,7 +2794,7 @@ The default value is an empty string. Otherwise, the string should contain the U check mark check mark - + check mark check mark check mark cross mark @@ -1762,11 +2817,18 @@ The default value is an empty string. Otherwise, the string should contain the U > [!NOTE] > This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile. -Specifies your Start pages for MDM-enrolled devices. Turning this setting on lets you configure one or more corporate Start pages. If this setting is turned on, you must also include URLs to the pages, separating multiple pages by using the XML-escaped characters **<** and **>**. For example, "<support.contoso.com><support.microsoft.com>" -Starting in Windows 10, version 1607, this policy will be enforced so that the Start pages specified by this policy cannot be changed by the users. +[!INCLUDE [configure-start-pages-shortdesc](../../../browsers/edge/shortdesc/configure-start-pages-shortdesc.md)] + +**Version 1607**
                  +Starting with this version, the HomePages policy enforces that users cannot change the Start pages settings. + +**Version 1703**
                  +If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL. + +**Next Windows 10 major release**
                  +When you enable the Configure Open Microsoft Edge With policy and select an option, and you enter the URLs of the pages your want to load as the Start pages in this policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the HomePages policy. -Starting in Windows 10, version 1703, if you don’t want to send traffic to Microsoft, you can use the "<about:blank>" value, which is honored for both domain- and non-domain-joined machines, when it’s the only configured URL.  > [!NOTE] > Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings. @@ -1781,6 +2843,13 @@ ADMX Info: - GP ADMX file name: *MicrosoftEdge.admx* + +Supported values: + +- Blank (default) - Load the pages specified in App settings as the default Start pages. +- String - Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets:

                        \ \ + +


                  @@ -1822,16 +2891,10 @@ ADMX Info: -Added in Windows 10, version 1709. This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. +>*Supported versions: Microsoft Edge on Windows 10, version 1709* -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. +[!INCLUDE [prevent-changes-to-favorites-shortdesc](../../../browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md)] -> [!Important] -> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. - -Data type is integer. @@ -1843,11 +2906,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 - Disabled. Do not lockdown Favorites. -- 1 - Enabled. Lockdown Favorites. +- 0 (default) - Allowed/not locked down. Users can add, import, and make changes to the favorites. +- 1 - Prevented/locked down. +Most restricted value: 1 @@ -1868,9 +2932,9 @@ The following list shows the supported values: Mobile Enterprise + cross mark check mark check mark - check mark check mark cross mark @@ -1890,7 +2954,8 @@ The following list shows the supported values: -Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features. + +[!INCLUDE [prevent-changes-to-favorites-shortdesc](../../../browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md)] 
@@ -1902,16 +2967,85 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) – Users can access the about:flags page in Microsoft Edge. -- 1 – Users can't access the about:flags page in Microsoft Edge. +- 0 (default) – Allowed. +- 1 – Prevented/not allowed. Users cannot access the about:flags page. +Most restricted value: 1
                  + +**Browser/PreventCertErrorOverrides** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+
+[!INCLUDE [prevent-certificate-error-overrides-shortdesc](../../../browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md)]
+
+
+
+ADMX Info:
+- GP English name: *Prevent certificate error overrides*
+- GP name: *PreventCertErrorOverrides*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+Supported values:
+
+- 0 (default) - Allowed/turned on. Override the security warning to sites that have SSL errors.
+- 1 - Prevented/turned on.
+
+Most restricted value: 1
+
+
+
+
+
+
+
+
+
+
                  + **Browser/PreventFirstRunPage** @@ -1949,9 +3083,9 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, a First Run webpage hosted on Microsoft.com opens automatically via a FWLINK. This policy allows enterprises (such as those enrolled in a zero-emissions configuration) to prevent this page from opening. +>*Supported versions: Microsoft Edge on Windows 10, version 1703* -Most restricted value is 1. +[!INCLUDE [prevent-first-run-webpage-from-opening-shortdesc](../../../browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md)] @@ -1963,11 +3097,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) – Employees see the First Run webpage. -- 1 – Employees don't see the First Run webpage. +- 0 (default) – Allowed. Microsoft Edge loads the First Run webpage. +- 1 – Prevented/not allowed. +Most restricted value: 1 @@ -2010,9 +3145,9 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. +>*Supported versions: Microsoft Edge on Windows 10, version 1703* -Most restricted value is 1. +[!INCLUDE [prevent-edge-from-gathering-live-tile-info-shortdesc](../../../browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md)] @@ -2024,11 +3159,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) – Microsoft servers will be contacted if a site is pinned to Start from Microsoft Edge. -- 1 – Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge. +- 0 (default) – Collect and send Live Tile metadata to Microsoft. +- 1 – No data collected. +Most restricted value: 1 
@@ -2051,7 +3187,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -2071,9 +3207,7 @@ The following list shows the supported values: -Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. - -Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about potentially malicious websites and to continue to the site. +[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-sites-shortdesc](../../../browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md)] @@ -2085,11 +3219,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) – Off. -- 1 – On. +- 0 (default) – Allowed/turned off. Users can ignore the warning and continue to the site. +- 1 – Prevented/turned on. +Most restricted value: 1 @@ -2112,7 +3247,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -2132,7 +3267,8 @@ The following list shows the supported values: -Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process. + +[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-files-shortdesc](../../../browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md)] 
@@ -2144,70 +3280,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) – Off. -- 1 – On. - - - - -
                  - - -**Browser/PreventTabPreloading** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark4check mark4check mark4check mark4
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
                  - - - -Added in Windows 10, version 1803. This is only a placeholder. Do not use in production code. - - - -ADMX Info: -- GP English name: *Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed* -- GP name: *PreventTabPreloading* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -The following list shows the supported values: - -- 0 (default) – Allow pre-launch and preload. -- 1 – Prevent pre-launch and preload. +- 0 (default) – Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s). +- 1 – Prevented/turned on. +Most restricted value: 1 @@ -2230,7 +3308,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark cross mark @@ -2253,8 +3331,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - -Specifies whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. Turning this setting on hides an user’s localhost IP address while making phone calls using WebRTC. Turning this setting off, or not configuring it, shows an user’s localhost IP address while making phone calls using WebRTC. +[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../../../browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)] @@ -2266,11 +3343,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) – The localhost IP address is shown. -- 1 – The localhost IP address is hidden. +- 0 (default) – Allowed. Show localhost IP addresses. +- 1 – Prevented/not allowed. +Most restricted value: 1 
@@ -2313,20 +3391,24 @@ The following list shows the supported values: -Added in Windows 10, version 1709. This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Edge and use that html file for provisioning user machines. -  -URL can be specified as: +>*Supported versions: Microsoft Edge on Windows 10, version 1709* + +[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../../../browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)] +  + +Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off. + +To define a default list of favorites: +1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**. +2. Click **Import from another browser**, click **Export to file** and save the file. +3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision.

                  Specify the URL as:

                  • HTTP location: "SiteList"="http://localhost:8080/URLs.html"
                  • Local network: "SiteList"="\\network\\shares\\URLs.html"
                  • Local file: "SiteList"="file:///c:\\Users\\\\Documents\\URLs.html"
                  -- HTTP location: "SiteList"="http://localhost:8080/URLs.html" -- Local network: "SiteList"="\\network\shares\URLs.html" -- Local file: "SiteList"="file:///c:\\Users\\\\Documents\\URLs.html" > [!Important] -> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. +> Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. -If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. -Data type is string. +Data type = string @@ -2359,7 +3441,7 @@ ADMX Info: check mark check mark - + check mark check mark check mark cross mark @@ -2379,14 +3461,13 @@ ADMX Info: + +[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../../../browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -Specifies whether to send intranet traffic over to Internet Explorer. - -Most restricted value is 0. - ADMX Info: @@ -2397,11 +3478,12 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) – Intranet traffic is sent to Internet Explorer. -- 1 – Intranet traffic is sent to Microsoft Edge. +- 0 (default) - All sites, including intranet sites, open in Microsoft Edge automatically. +- 1 - Only intranet sites open in Internet Explorer 11 automatically. Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser. +Most restricted value: 0 
@@ -2444,17 +3526,15 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Allows you configure the default search engine for your employees. By default, your employees can change the default search engine at any time. If you want to prevent your employees from changing the default search engine that you set, you can do so by configuring the AllowSearchEngineCustomization policy. +>*Supported versions: Microsoft Edge on Windows 10, version 1703* + +[!INCLUDE [set-default-search-engine-shortdesc](../../../browsers/edge/shortdesc/set-default-search-engine-shortdesc.md)] -You must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). If you want your employees to use the Microsoft Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; otherwise, if you want your employees to use Bing as the default search engine, set the string EDGEBING.  -  -If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market.    -  > [!IMPORTANT] -> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy). +> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy). 
-Most restricted value is 0. +Most restricted value: 0 @@ -2467,12 +3547,151 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) - The default search engine is set to the one specified in App settings. -- 1 - Allows you to configure the default search engine for your employees. +- Blank (default) - Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the AllowSearchEngineCustomization policy, users cannot make changes. +- 0 - Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. +- 1 - Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine.

                  Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

                  If you want users to use the default Microsoft Edge settings for each market, set the string to **EDGEDEFAULT**.

                  If you want users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. + +Most restricted value: 1 + + + +


                  + + +**Browser/SetHomeButtonURL** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
                  + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [set-home-button-url-shortdesc](../../../browsers/edge/shortdesc/set-home-button-url-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Set Home Button URL* +- GP name: *SetHomeButtonURL* +- GP element: *SetHomeButtonURLPrompt* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- Blank (default) - Show the home button and loads the Start page and locks down the home button to prevent users from changing what page loads. +- String - Load a custom URL for the home button. You must also enable the Configure Home Button policy and select the _Show home button & set a specific page_ option.

                  Enter a URL in string format, for example, https://www.msn.com. + + + + + + + + +


                  + + +**Browser/SetNewTabPageURL** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
                  + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [set-new-tab-url-shortdesc](../../../browsers/edge/shortdesc/set-new-tab-url-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Set New Tab page URL* +- GP name: *SetNewTabPageURL* +- GP element: *SetNewTabPageURLPrompt* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- Blank (default) - Load the default New tab page. +- String - Prevent users from changing the New tab page.

                  Enter a URL in string format, for example, https://www.msn.com. + + + + + + +


                  @@ -2492,9 +3711,9 @@ The following list shows the supported values: Mobile Enterprise + cross mark check mark check mark - check mark check mark cross mark @@ -2514,14 +3733,12 @@ The following list shows the supported values: +[!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../../../browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - -Added in Windows 10, version 1607. Specifies whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List. - -Most restricted value is 0. - ADMX Info: @@ -2532,11 +3749,13 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) – Interstitial pages are not shown. -- 1 – Interstitial pages are shown. +- 0 (default) – No additional message displays. +- 1 – Show an additional message stating that a site has opened in IE11. +- 2 - Show an additional message with a "Keep going in Microsoft Edge" link. +Most restricted value: 0 @@ -2579,12 +3798,13 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. +>*Supported versions: Microsoft Edge on Windows 10, version 1703* + + +[!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../../../browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -> -> Enabling this setting stops Microsoft Edge favorites from syncing between connected Windows 10 devices. 
@@ -2596,10 +3816,10 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 (default) – Synchronization is off. -- 1 – Synchronization is on. +- 0 (default) – Turned off/not syncing +- 1 – Turned on/syncing @@ -2607,7 +3827,7 @@ To verify that favorites are in synchronized between Internet Explorer and Micro
                  1. Open Internet Explorer and add some favorites. -
                  2. Open Microsoft Edge, then select Hub > Favorites. +
                  3. Open Microsoft Edge, then select **Hub > Favorites**.
                  4. Verify that the favorites added to Internet Explorer show up in the favorites list in Microsoft Edge.
                  @@ -2616,6 +3836,74 @@ To verify that favorites are in synchronized between Internet Explorer and Micro
                  + +**Browser/UnlockHomeButton** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
                  + + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + + +[!INCLUDE [unlock-home-button-shortdesc](../../../browsers/edge/shortdesc/unlock-home-button-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Unlock Home Button* +- GP name: *UnlockHomeButton* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- 0 (default) - Lock down the home button to prevent users from making changes to the settings. +- 1 - Let users make changes. + + + + + + + + + + +
                  + **Browser/UseSharedFolderForBooks** @@ -2653,7 +3941,8 @@ To verify that favorites are in synchronized between Internet Explorer and Micro -This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. + +[!INCLUDE [allow-a-shared-books-folder-shortdesc](../../../browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md)] @@ -2665,75 +3954,23 @@ ADMX Info: -The following list shows the supported values: +Supported values: -- 0 - No shared folder. -- 1 - Use a shared folder. +- 0 - Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. +- 1 - Allowed. Microsoft Edge downloads book files into a shared folder. +Most restricted value: 0
                  Footnote: -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. +- 1 - Supported versions, version 1607. +- 2 - Supported versions, version 1703. +- 3 - Supported versions, version 1709. +- 4 - Supported versions, version 1803. +- 5 - Added in the next major update to Windows of Windows 10. - -## Browser policies that can be set using Exchange Active Sync (EAS) - -- [Browser/AllowBrowser](#browser-allowbrowser) - - - -## Browser policies supported by Windows Holographic for Business - -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](#browser-allowsmartscreen) - - - -## Browser policies supported by IoT Core - -- [Browser/AllowAutofill](#browser-allowautofill) -- [Browser/AllowBrowser](#browser-allowbrowser) -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowInPrivate](#browser-allowinprivate) -- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) -- [Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl) -- [Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer) - - - -## Browser policies supported by Microsoft Surface Hub - -- [Browser/AllowAddressBarDropdown](#browser-allowaddressbardropdown) -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDeveloperTools](#browser-allowdevelopertools) -- 
[Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowMicrosoftCompatibilityList](#browser-allowmicrosoftcompatibilitylist) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](#browser-allowsmartscreen) -- [Browser/ClearBrowsingDataOnExit](#browser-clearbrowsingdataonexit) -- [Browser/ConfigureAdditionalSearchEngines](#browser-configureadditionalsearchengines) -- [Browser/DisableLockdownOfStartPages](#browser-disablelockdownofstartpages) -- [Browser/HomePages](#browser-homepages) -- [Browser/PreventLiveTileDataCollection](#browser-preventlivetiledatacollection) -- [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride) -- [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles) -- [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine) - - diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md index 3cbf216e52..bb7caec67c 100644 --- a/windows/client-management/mdm/policy-csp-camera.md +++ b/windows/client-management/mdm/policy-csp-camera.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 05/14/2018 --- # Policy CSP - Camera @@ -44,7 +44,7 @@ ms.date: 03/12/2018 cross mark check mark - + check mark check mark check mark check mark diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index 9c86945186..0712d689ac 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md 
@@ -5,8 +5,8 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
-ms.date: 04/16/2018
+author: MariciaAlforque
+ms.date: 08/08/2018
 ---
 # Policy CSP - Cellular
@@ -54,7 +54,7 @@ ms.date: 04/16/2018 Mobile Enterprise - check mark3 + cross mark check mark3 check mark3 check mark3
@@ -126,7 +126,7 @@ The following list shows the supported values: Mobile Enterprise - check mark3 + cross mark check mark3 check mark3 check mark3
@@ -178,7 +178,7 @@ ADMX Info: Mobile Enterprise - check mark3 + cross mark check mark3 check mark3 check mark3
@@ -230,7 +230,7 @@ ADMX Info: Mobile Enterprise - check mark3 + cross mark check mark3 check mark3 check mark3
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index e07d5f9e02..0806fb596a 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -5,14 +5,12 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
-ms.date: 03/14/2018
+author: MariciaAlforque
+ms.date: 07/30/2018
 ---
 # Policy CSP - Connectivity
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
                  @@ -88,7 +86,7 @@ ms.date: 03/14/2018 cross mark check mark - + check mark check mark check mark check mark @@ -145,10 +143,10 @@ The following list shows the supported values: cross mark - cross mark - - cross mark - cross mark + check mark + check mark + check mark + check mark check mark check mark @@ -197,7 +195,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -266,7 +264,7 @@ To validate on mobile devices, do the following: Mobile Enterprise - check mark2 + check mark check mark2 check mark2 check mark2 @@ -321,7 +319,7 @@ The following list shows the supported values: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -414,17 +412,14 @@ This setting supports a range of values between 0 and 1. - 0 - Do not link - 1 (default) - Allow phone-PC linking - - - - Validation: If the Connectivity/AllowPhonePCLinking policy is configured to value 0, the add a phone button in the Phones section in settings will be greyed out and clicking it will not launch the window for a user to enter their phone number. Device that has previously opt-in to MMX will also stop showing on the device list. + @@ -447,7 +442,7 @@ Device that has previously opt-in to MMX will also stop showing on the device li cross mark cross mark - + cross mark cross mark cross mark check mark @@ -505,7 +500,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -557,7 +552,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark 
@@ -977,40 +972,5 @@ Footnote: - -## Connectivity policies that can be set using Exchange Active Sync (EAS) -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) -- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) - - - -## Connectivity policies supported by Windows Holographic for Business - -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) - - - -## Connectivity policies supported by IoT Core - -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) -- [Connectivity/AllowNFC](#connectivity-allownfc) -- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) -- [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular) -- [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular) -- [Connectivity/DiablePrintingOverHTTP](#connectivity-diableprintingoverhttp) -- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](#connectivity-disabledownloadingofprintdriversoverhttp) -- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards) -- [Connectivity/HardenedUNCPaths](#connectivity-hardeneduncpaths) -- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](#connectivity-prohibitinstallationandconfigurationofnetworkbridge) - - - -## Connectivity policies supported by Microsoft Surface Hub - -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices) - diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index b606419501..1295ab27a3 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md 
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -5,15 +5,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/12/2018 --- # Policy CSP - ControlPolicyConflict -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
                  
@@ -65,15 +62,36 @@ ms.date: 03/12/2018 -Added in Windows 10, version 1803. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy are set on the device. +Added in Windows 10, version 1803. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device. -This policy is used to ensure that MDM policy wins over GP when same setting is set by both GP and MDM channel. This policy doesn’t support Delete command. This policy doesn’t support setting the value to be 0 again after it was previously set 1. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. +> [!Note] +> MDMWinsOverGP only applies to policies in Policy CSP. It does not apply to other MDM settings with equivalent GP settings that are defined on other configuration service providers. + +This policy is used to ensure that MDM policy wins over GP when same setting is set by both GP and MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. +Note: This policy doesn’t support Delete command. This policy doesn’t support setting the value to be 0 again after it was previously set 1. In Windows 10, next major version, Delete command and setting the value to be 0 again if it was previously set to 1 will be supported. + +The following list shows the supported values: + +- 0 (default) +- 1 - The MDM policy is used and the GP policy is blocked. The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy. 
This ensures that: -- GP settings that correspond to MDM applied settings are not conflicting -- The current Policy Manager policies are refreshed from what MDM has set -- Any values set by scripts/user outside of GP that conflict with MDM are removed +- GP settings that correspond to MDM applied settings are not conflicting +- The current Policy Manager policies are refreshed from what MDM has set +- Any values set by scripts/user outside of GP that conflict with MDM are removed + +The [Policy DDF](policy-ddf-file.md) contains the following tags to identify the policies with equivalent GP: + +- \ +- \ +- \ +- \ + +For the list MDM-GP mapping list, see [Policies supported by GP +](policy-configuration-service-provider.md#policies-supported-by-gp). + +The MDM Diagnostic report shows the applied configurations states of a device including policies, certificates, configuration sources, and resource information. The report includes a list of blocked GP settings because MDM equivalent is configured, if any. To get the diagnostic report, go to **Settings** > **Accounts** > **Access work or school** > and then click the desired work or school account. Scroll to the bottom of the page to **Advanced Diagnostic Report** and then click **Create Report**. diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index f3f12c6f73..f471a91b35 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/12/2018 --- 
@@ -201,14 +201,14 @@ ADMX Info:
 Added in Windows 10, version 1709. Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device.
-The Windows 10 Automatic ReDeployment feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students.
+The Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the Autopilot Reset is triggered the devices are for ready for use by information workers or students.
 The following list shows the supported values:
-- 0 - Enable the visibility of the credentials for Windows 10 Automatic ReDeployment
-- 1 - Disable visibility of the credentials for Windows 10 Automatic ReDeployment
+- 0 - Enable the visibility of the credentials for Autopilot Reset
+- 1 - Disable visibility of the credentials for Autopilot Reset
diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
index edd5e6b205..309848708a 100644
--- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md
+++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
@@ -5,15 +5,12 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 04/16/2018
 ---
 # Policy CSP - CredentialsDelegation
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md
index 900ad6176a..12f8698b09 100644
--- a/windows/client-management/mdm/policy-csp-credentialsui.md
+++ b/windows/client-management/mdm/policy-csp-credentialsui.md
@@ -5,7 +5,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 03/12/2018
 ---
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
index 7dadd07af1..69f8321a8b 100644
--- a/windows/client-management/mdm/policy-csp-cryptography.md
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -5,8 +5,8 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
-ms.date: 03/12/2018
+author: MariciaAlforque
+ms.date: 05/14/2018
 ---
 # Policy CSP - Cryptography
@@ -47,7 +47,7 @@ ms.date: 03/12/2018 cross mark check mark - + check mark check mark check mark check mark
@@ -103,7 +103,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark
diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md
index 28ad8aaca3..a03fac3671 100644
--- a/windows/client-management/mdm/policy-csp-dataprotection.md
+++ b/windows/client-management/mdm/policy-csp-dataprotection.md
@@ -5,8 +5,8 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
-ms.date: 03/12/2018
+author: MariciaAlforque
+ms.date: 05/14/2018
 ---
 # Policy CSP - DataProtection
@@ -47,7 +47,7 @@ ms.date: 03/12/2018 cross mark check mark - + check mark check mark check mark check mark
@@ -99,7 +99,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark cross mark
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index 89086b22bb..285c21097a 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 07/13/2018 --- # Policy CSP - DataUsage @@ -33,67 +33,11 @@ ms.date: 03/12/2018 **DataUsage/SetCost3G** - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcross mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - -This policy setting configures the cost of 3G connections on the local machine. - -If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine: - -- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. - -- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. - -- Variable: This connection is costed on a per byte basis. - -If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default. +This policy is deprecated in Windows 10, next major version. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set 3G Cost* -- GP name: *SetCost3G* -- GP path: *Network/WWAN Service/WWAN Media Cost* -- GP ADMX file name: *wwansvc.admx* - -
                  diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index a0edded74d..78c970b208 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -5,12 +5,14 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 08/08/2018 --- # Policy CSP - Defender +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
                  @@ -67,6 +69,9 @@ ms.date: 03/12/2018
                  Defender/AvgCPULoadFactor
                  +
                  + Defender/CheckForSignaturesBeforeRunningScan +
                  Defender/CloudBlockLevel
                  @@ -82,9 +87,18 @@ ms.date: 03/12/2018
                  Defender/DaysToRetainCleanedMalware
                  +
                  + Defender/DisableCatchupFullScan +
                  +
                  + Defender/DisableCatchupQuickScan +
                  Defender/EnableControlledFolderAccess
                  +
                  + Defender/EnableLowCPUPriority +
                  Defender/EnableNetworkProtection
                  @@ -115,6 +129,12 @@ ms.date: 03/12/2018
                  Defender/ScheduleScanTime
                  +
                  + Defender/SignatureUpdateFallbackOrder +
                  +
                  + Defender/SignatureUpdateFileSharesSources +
                  Defender/SignatureUpdateInterval
                  @@ -146,7 +166,7 @@ ms.date: 03/12/2018 check mark check mark - + check mark check mark check mark cross mark @@ -208,7 +228,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark cross mark @@ -270,7 +290,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark cross mark @@ -333,7 +353,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark cross mark @@ -395,7 +415,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark cross mark @@ -457,7 +477,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark cross mark @@ -519,7 +539,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark cross mark @@ -581,7 +601,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark cross mark @@ -635,7 +655,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark cross mark @@ -697,7 +717,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark cross mark @@ -759,7 +779,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark cross mark @@ -821,7 +841,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark cross mark @@ -875,7 +895,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark cross mark @@ -935,8 +955,8 @@ The following list shows the supported values: Mobile Enterprise - cross mark - check mark + check mark3 + check mark3 check mark3 check mark3 check mark3 
@@ -993,8 +1013,8 @@ ADMX Info: Mobile Enterprise - cross mark - check mark + check mark3 + check mark3 check mark3 check mark3 check mark3 @@ -1055,7 +1075,7 @@ ADMX Info: check mark check mark - + check mark check mark check mark cross mark @@ -1101,6 +1121,78 @@ Valid values: 0–100
                  + +**Defender/CheckForSignaturesBeforeRunningScan** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  check mark5check mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan. + +This setting applies to scheduled scans as well as the command line "mpcmdrun -SigUpdate", but it has no effect on scans initiated manually from the user interface. + +If you enable this setting, a check for new definitions will occur before running a scan. + +If you disable this setting or do not configure this setting, the scan will start using the existing definitions. + +Supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + +ADMX Info: +- GP English name: *Check for the latest virus and spyware definitions before running a scheduled scan* +- GP name: *CheckForSignaturesBeforeRunningScan* +- GP element: *CheckForSignaturesBeforeRunningScan* +- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + + + + + + + + + + + +
                  + **Defender/CloudBlockLevel** @@ -1116,7 +1208,7 @@ Valid values: 0–100 Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1188,7 +1280,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1250,7 +1342,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1305,7 +1397,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1362,7 +1454,7 @@ ADMX Info: check mark check mark - + check mark check mark check mark cross mark @@ -1408,6 +1500,146 @@ Valid values: 0–90
                  + +**Defender/DisableCatchupFullScan** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  check mark5check mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. + +If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. + +If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off. + +Supported values: + +- 0 - Disabled +- 1 - Enabled (default) + + + +ADMX Info: +- GP English name: *Turn on catch-up full scan* +- GP name: *Scan_DisableCatchupFullScan* +- GP element: *Scan_DisableCatchupFullScan* +- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + + + + + + + + + + + +
                  + + +**Defender/DisableCatchupQuickScan** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  check mark5check mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. + +If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. + +If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off. + +Supported values: + +- 0 - Disabled +- 1 - Enabled (default) + + + +ADMX Info: +- GP English name: *Turn on catch-up quick scan* +- GP name: *Scan_DisableCatchupQuickScan* +- GP element: *Scan_DisableCatchupQuickScan* +- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + + + + + + + + + + + +
                  + **Defender/EnableControlledFolderAccess** @@ -1423,7 +1655,7 @@ Valid values: 0–90 Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1471,6 +1703,76 @@ The following list shows the supported values:
                  + +**Defender/EnableLowCPUPriority** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  check mark5check mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting allows you to enable or disable low CPU priority for scheduled scans. + +If you enable this setting, low CPU priority will be used during scheduled scans. + +If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans. + +Supported values: + +- 0 - Disabled (default) +- 1 - Enabled + + + +ADMX Info: +- GP English name: *Configure low CPU priority for scheduled scans* +- GP name: *Scan_LowCpuPriority* +- GP element: *Scan_LowCpuPriority* +- GP path: *Windows Components/Windows Defender Antivirus/Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + + + + + + + + + + + +
                  + **Defender/EnableNetworkProtection** @@ -1486,7 +1788,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1557,7 +1859,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark cross mark @@ -1613,7 +1915,7 @@ ADMX Info: check mark check mark - + check mark check mark check mark cross mark @@ -1669,7 +1971,7 @@ ADMX Info: check mark check mark - + check mark check mark check mark cross mark @@ -1731,7 +2033,7 @@ ADMX Info: check mark check mark - + check mark check mark check mark cross mark @@ -1786,7 +2088,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark cross mark @@ -1853,7 +2155,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark cross mark @@ -1916,7 +2218,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark cross mark @@ -1985,7 +2287,7 @@ Valid values: 0–1380 check mark check mark - + check mark check mark check mark cross mark @@ -2058,7 +2360,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark cross mark @@ -2110,6 +2412,145 @@ Valid values: 0–1380.
                  + +**Defender/SignatureUpdateFallbackOrder** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  check mark5check mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting allows you to define the order in which different definition update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources in order. + +Possible values are: + +- InternalDefinitionUpdateServer +- MicrosoftUpdateServer +- MMPC +- FileShares + +For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC } + +If you enable this setting, definition update sources will be contacted in the order specified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. + +If you disable or do not configure this setting, definition update sources will be contacted in a default order. + + + +ADMX Info: +- GP English name: *Define the order of sources for downloading definition updates* +- GP name: *SignatureUpdate_FallbackOrder* +- GP element: *SignatureUpdate_FallbackOrder* +- GP path: *Windows Components/Windows Defender Antivirus/Signature Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + + + + + + + + + + + +
                  + + +**Defender/SignatureUpdateFileSharesSources** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  check mark5check mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources. For example: "{\\unc1 | \\unc2 }". The list is empty by default. + +If you enable this setting, the specified sources will be contacted for definition updates. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. + +If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted. + + + +ADMX Info: +- GP English name: *Define file shares for downloading definition updates* +- GP name: *SignatureUpdate_DefinitionUpdateFileSharesSources* +- GP element: *SignatureUpdate_DefinitionUpdateFileSharesSources* +- GP path: *Windows Components/Windows Defender Antivirus/Signature Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + + + + + + + + + + + +
                  + **Defender/SignatureUpdateInterval** @@ -2127,7 +2568,7 @@ Valid values: 0–1380. check mark check mark - + check mark check mark check mark cross mark @@ -2192,7 +2633,7 @@ Valid values: 0–24. check mark check mark - + check mark check mark check mark cross mark @@ -2257,7 +2698,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark cross mark @@ -2319,6 +2760,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index aa3591630f..104c932ccf 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -5,14 +5,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 04/16/2018 +author: MariciaAlforque +ms.date: 05/14/2018 --- # Policy CSP - DeliveryOptimization -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
                  @@ -115,7 +113,7 @@ ms.date: 04/16/2018 cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -356,7 +354,7 @@ The following list shows the supported values as number of seconds: cross mark check mark - + check mark check mark check mark cross mark @@ -423,7 +421,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark cross mark @@ -551,7 +549,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark cross mark @@ -609,7 +607,7 @@ ADMX Info: cross mark check mark - + check mark check mark check mark cross mark @@ -667,7 +665,7 @@ ADMX Info: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -725,7 +723,7 @@ ADMX Info: cross mark check mark - + check mark check mark check mark cross mark @@ -783,7 +781,7 @@ ADMX Info: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -1075,7 +1073,7 @@ ADMX Info: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -1133,7 +1131,7 @@ ADMX Info: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -1233,6 +1231,7 @@ ADMX Info: **DeliveryOptimization/DOPercentageMaxDownloadBandwidth** + [Scope](./policy-configuration-service-provider.md#policy-scope): diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md index 36afbf2a08..ac8fca65ac 100644 --- a/windows/client-management/mdm/policy-csp-desktop.md +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 08/08/2018 --- # Policy CSP - Desktop @@ -44,7 +44,7 @@ ms.date: 03/12/2018 cross mark check mark - check mark + cross mark check mark check mark cross mark 
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index b541578089..cacbb2acc6 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -5,12 +5,14 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 07/30/2018 --- # Policy CSP - DeviceGuard +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
                  @@ -19,6 +21,9 @@ ms.date: 03/12/2018 ## DeviceGuard policies
                  +
                  + DeviceGuard/EnableSystemGuard +
                  DeviceGuard/EnableVirtualizationBasedSecurity
                  @@ -31,6 +36,75 @@ ms.date: 03/12/2018
                  +
                  + + +**DeviceGuard/EnableSystemGuard** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcross markcross markcheck mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy allows the IT admin to configure the launch of System Guard. + +Secure Launch configuration: + +- 0 - Unmanaged, configurable by Administrative user +- 1 - Enables Secure Launch if supported by hardware +- 2 - Disables Secure Launch. + +For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [How hardware-based containers help protect Windows 10](https://docs.microsoft.com/en-us/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows). + + + +ADMX Info: +- GP English name: *Turn On Virtualization Based Security* +- GP name: *VirtualizationBasedSecurity* +- GP element: *SystemGuardDrop* +- GP path: *System/Device Guard* +- GP ADMX file name: *DeviceGuard.admx* + + + + + + + + + + + + +
                  @@ -215,6 +289,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 38941fd46b..5dabbc96ab 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -5,12 +5,14 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 07/23/2018 --- # Policy CSP - DeviceInstallation +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
                  @@ -19,6 +21,18 @@ ms.date: 03/12/2018 ## DeviceInstallation policies
                  +
                  + DeviceInstallation/AllowInstallationOfMatchingDeviceIDs +
                  +
                  + DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses +
                  +
                  + DeviceInstallation/PreventDeviceMetadataFromNetwork +
                  +
                  + DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings +
                  DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
                  @@ -28,6 +42,290 @@ ms.date: 03/12/2018
                  +
                  + + +**DeviceInstallation/AllowInstallationOfMatchingDeviceIDs** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. + +If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. + +If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. 
For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow installation of devices that match any of these device IDs* +- GP name: *DeviceInstall_IDs_Allow* +- GP path: *System/Device Installation/Device Installation Restrictions* +- GP ADMX file name: *deviceinstallation.admx* + + + + + + + + + + + + + +
                  + + +**DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. + +If you enable this policy setting, Windows is allowed to install or update device drivers whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. + +If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP English name: *Allow installation of devices using drivers that match these device setup classes* +- GP name: *DeviceInstall_Classes_Allow* +- GP path: *System/Device Installation/Device Installation Restrictions* +- GP ADMX file name: *deviceinstallation.admx* + + + + + + + + + + + + + +
                  + + +**DeviceInstallation/PreventDeviceMetadataFromNetwork** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting allows you to prevent Windows from retrieving device metadata from the Internet. + +If you enable this policy setting, Windows does not retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security > System > Advanced System Settings > Hardware tab). + +If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent device metadata retrieval from the Internet* +- GP name: *DeviceMetadata_PreventDeviceMetadataFromNetwork* +- GP path: *System/Device Installation* +- GP ADMX file name: *DeviceSetup.admx* + + + + + + + + + + + + + +
                  + + +**DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy setting. + +If you enable this policy setting, Windows is prevented from installing or updating the device driver for any device that is not described by either the "Allow installation of devices that match any of these device IDs" or the "Allow installation of devices for these device classes" policy setting. + +If you disable or do not configure this policy setting, Windows is allowed to install or update the device driver for any device that is not described by the "Prevent installation of devices that match any of these device IDs," "Prevent installation of devices for these device classes," or "Prevent installation of removable devices" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent installation of devices not described by other policy settings* +- GP name: *DeviceInstall_Unspecified_Deny* +- GP path: *System/Device Installation/Device Installation Restrictions* +- GP ADMX file name: *deviceinstallation.admx* + + + + + + + + + + + + +
                  @@ -159,6 +457,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 0a7c86e017..94e15bf96e 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -5,14 +5,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 04/16/2018 +author: MariciaAlforque +ms.date: 08/08/2018 --- # Policy CSP - DeviceLock -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
                  @@ -97,7 +95,7 @@ ms.date: 04/16/2018 cross mark cross mark - + cross mark cross mark cross mark check mark @@ -152,11 +150,11 @@ The following list shows the supported values: Mobile Enterprise - cross mark - cross mark - - cross mark - cross mark + check mark + check mark + check mark + check mark + check mark check mark check mark @@ -182,8 +180,6 @@ Specifies whether to show a user-configurable setting to control the screen time > [!NOTE] > This policy must be wrapped in an Atomic command. - - > [!IMPORTANT] > If this policy is set to 1 (Allowed), the value set by **DeviceLock/ScreenTimeOutWhileLocked** is ignored. To ensure enterprise control over the screen timeout, set this policy to 0 (Not allowed) and use **DeviceLock/ScreenTimeOutWhileLocked** to set the screen timeout period. @@ -216,7 +212,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark check mark @@ -273,7 +269,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark check mark @@ -336,7 +332,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark check mark @@ -427,7 +423,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark check mark @@ -486,7 +482,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark check mark 
@@ -510,8 +506,6 @@ Specifies how many passwords can be stored in the history that can’t be used. > [!NOTE] > This policy must be wrapped in an Atomic command. - - The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords. Max policy value is the most restricted. @@ -545,8 +539,8 @@ The following list shows the supported values: Mobile Enterprise - cross mark - cross mark + check mark1 + check mark1 check mark1 check mark1 check mark1 @@ -596,7 +590,7 @@ Value type is a string, which is the full image filepath and filename. cross mark cross mark - + cross mark cross mark cross mark check mark1 @@ -645,7 +639,7 @@ Value type is a string, which is the AppID. check mark check mark - + check mark check mark check mark check mark @@ -711,7 +705,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark check mark @@ -821,7 +815,7 @@ The following list shows the supported values: check mark check mark - + check mark check mark check mark check mark @@ -935,7 +929,7 @@ For additional information about this policy, see [Exchange ActiveSync Policy En check mark check mark - + check mark check mark check mark check mark @@ -995,7 +989,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1048,7 +1042,7 @@ GP Info: Mobile Enterprise - cross mark + check mark check mark check mark check mark @@ -1110,7 +1104,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark check mark check mark check mark @@ -1174,7 +1168,7 @@ ADMX Info: cross mark cross mark - + cross mark cross mark cross mark check mark 
@@ -1219,25 +1213,3 @@ Footnote:
-
-## DeviceLock policies that can be set using Exchange Active Sync (EAS)
-
-- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)
-- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)
-- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
-- [DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration)
-- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)
-- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)
-- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
-- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)
-- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)
-- [DeviceLock/PreventLockScreenSlideShow](#devicelock-preventlockscreenslideshow)
-
-
-
-## DeviceLock policies supported by Windows Holographic for Business
-
-- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
-- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
-
-
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index 0cf8a9740d..7e1be2a448 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -5,15 +5,12 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
-ms.date: 03/12/2018
+author: MariciaAlforque
+ms.date: 08/08/2018
 ---
 # Policy CSP - Display
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
                  @@ -56,7 +53,7 @@ ms.date: 03/12/2018 Mobile Enterprise - check mark4 + cross mark check mark4 check mark4 check mark4 @@ -108,7 +105,7 @@ ADMX Info: Mobile Enterprise - check mark4 + cross mark check mark4 check mark4 check mark4 @@ -180,7 +177,7 @@ The following list shows the supported values: Mobile Enterprise - check mark4 + cross mark check mark4 check mark4 check mark4 diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md new file mode 100644 index 0000000000..2960d7874f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -0,0 +1,111 @@ +--- +title: Policy CSP - DmaGuard +description: Policy CSP - DmaGuard +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 06/29/2018 +--- + +# Policy CSP - DmaGuard + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
                  + + +## DmaGuard policies + +
                  +
                  + DmaGuard/DeviceEnumerationPolicy +
                  +
                  + + +
                  + + +**DmaGuard/DeviceEnumerationPolicy** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with DMA Remapping/device memory isolation and sandboxing. This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that cannot be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, please check the Kernel DMA Protection field in the Summary page of MSINFO32.exe. + +> [!Note] +> This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices. + +Supported values: + +0 - Block all (Most restrictive): Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will never be allowed to start and perform DMA at any time. + +1 - Only after log in/screen unlock (Default): Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will only be enumerated after the user unlocks the screen + +2 - Allow all (Least restrictive): All external DMA capable PCIe devices will be enumerated at any time + + + +ADMX Info: +- GP English name: *Enumeration policy for external devices incompatible with Kernel DMA Protection* +- GP name: *DmaGuardEnumerationPolicy* +- GP path: *System/Kernel DMA Protection* +- GP ADMX file name: *dmaguard.admx* + + + + + + + + + + + + +
                  + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. + + + diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index e1fb1b9965..aba6597add 100644 --- a/windows/client-management/mdm/policy-csp-education.md +++ b/windows/client-management/mdm/policy-csp-education.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/12/2018 --- diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md index 4b5b961ad9..472aa8161b 100644 --- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md +++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 05/14/2018 --- # Policy CSP - EnterpriseCloudPrint @@ -246,10 +246,10 @@ The default value is an empty string. Otherwise, the value should contain the UR cross mark - cross mark - cross mark - cross mark - cross mark + check mark2 + check mark2 + check mark2 + check mark2 check mark2 check mark2 diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md index d2a31d1077..04063822ba 100644 --- a/windows/client-management/mdm/policy-csp-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-errorreporting.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/12/2018 --- 
diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md
index 6c9a23cd61..991eab8855 100644
--- a/windows/client-management/mdm/policy-csp-eventlogservice.md
+++ b/windows/client-management/mdm/policy-csp-eventlogservice.md
@@ -5,7 +5,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 04/16/2018
 ---
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index 38e01b4868..96f63a2056 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -5,8 +5,8 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
-ms.date: 04/16/2018
+author: MariciaAlforque
+ms.date: 07/30/2018
 ---
 # Policy CSP - Experience
@@ -21,6 +21,9 @@ ms.date: 04/16/2018
 ## Experience policies
                  +
                  + Experience/AllowClipboardHistory +
                  Experience/AllowCopyPaste
                  @@ -87,9 +90,86 @@ ms.date: 04/16/2018
                  Experience/DoNotShowFeedbackNotifications
                  +
                  + Experience/DoNotSyncBrowserSettings +
                  +
                  + Experience/PreventUsersFromTurningOnBrowserSyncing +
                  +
                  + + +**Experience/AllowClipboardHistory** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Allows history of clipboard items to be stored in memory. + +Value type is integer. Supported values: +- 0 - Not allowed +- 1 - Allowed (default) + + + +ADMX Info: +- GP English name: *Allow Clipboard History* +- GP name: *AllowClipboardHistory* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + + + + + + + + +**Validation procedure** + +1. Configure Experiences/AllowClipboardHistory to 0. +1. Open Notepad (or any editor app), select a text, and copy it to the clipboard. +1. Press Win+V to open the clipboard history UI. +1. You should not see any clipboard item including current item you copied. +1. The setting under Settings App->System->Clipboard should be grayed out with policy warning. + + + +
                  @@ -109,7 +189,7 @@ ms.date: 04/16/2018 cross mark cross mark - + cross mark cross mark cross mark check mark @@ -164,7 +244,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -224,7 +304,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -278,7 +358,7 @@ The following list shows the supported values: cross mark check mark2 - check mark2 + cross mark check mark2 check mark2 check mark2 @@ -340,7 +420,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -396,7 +476,7 @@ The following list shows the supported values: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -470,7 +550,7 @@ This policy is deprecated. cross mark cross mark - + cross mark cross mark cross mark check mark @@ -546,7 +626,7 @@ This policy is deprecated. cross mark check mark - + check mark check mark check mark check mark @@ -596,9 +676,9 @@ The following list shows the supported values: cross mark check mark2 - check mark2 - check mark2 cross mark + check mark2 + check mark2 cross mark cross mark @@ -663,7 +743,7 @@ The following list shows the supported values: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -719,7 +799,7 @@ The following list shows the supported values: check mark1 check mark1 check mark1 - cross mark + check mark1 cross mark cross mark @@ -779,7 +859,7 @@ The following list shows the supported values: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -835,9 +915,9 @@ The following list shows the supported values: cross mark cross mark - check mark - check mark cross mark + check mark + check mark cross mark cross mark 
@@ -899,9 +979,9 @@ The following list shows the supported values: cross mark cross mark - check mark1 - check mark1 cross mark + check mark1 + check mark1 cross mark cross mark @@ -963,9 +1043,9 @@ The following list shows the supported values: cross mark cross mark - check mark2 - check mark2 cross mark + check mark2 + check mark2 cross mark cross mark @@ -1026,9 +1106,9 @@ The following list shows the supported values: cross mark cross mark - check mark4 - check mark4 cross mark + check mark4 + check mark4 @@ -1088,9 +1168,9 @@ The following list shows the supported values: cross mark cross mark - check mark2 - check mark2 cross mark + check mark2 + check mark2 cross mark cross mark @@ -1152,9 +1232,9 @@ The following list shows the supported values: cross mark cross mark - check mark - check mark cross mark + check mark + check mark cross mark cross mark @@ -1210,9 +1290,9 @@ The following list shows the supported values: cross mark cross mark - check mark1 - check mark1 cross mark + check mark1 + check mark1 cross mark cross mark @@ -1271,9 +1351,9 @@ The following list shows the supported values: Mobile Enterprise + cross mark check mark1 check mark1 - check mark1 check mark1 check mark1 @@ -1315,6 +1395,159 @@ The following list shows the supported values: + +
                  + + +**Experience/DoNotSyncBrowserSettings** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcross markcross markcheck mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +[!INCLUDE [do-not-sync-browser-settings-shortdesc](../../../browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md)] + +Related policy: + PreventUsersFromTurningOnBrowserSyncing + + + +ADMX Info: +- GP English name: *Do not sync browser settings* +- GP name: *DisableWebBrowserSettingSync* +- GP path: *Windows Components/Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +Supported values: + +- 0 (default) - Allowed/turned on. The "browser" group syncs automatically between user’s devices and lets users to make changes. +- 2 - Prevented/turned off. The "browser" group does not use the _Sync your Settings_ option. + +Value type is integer. + + + + + + + + + +
                  + + +**Experience/PreventUsersFromTurningOnBrowserSyncing** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcross markcross markcheck mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +[!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../../../browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] + +Related policy: + DoNotSyncBrowserSettings + + +If you want to prevent syncing of browser settings and prevent users from turning it on: +1. Set Experience/DoNotSyncBrowserSettings to 2 (enabled). +1. Set this policy (Experience/PreventUsersFromTurningOnBrowserSyncing) to 1 (enabled or not configured). + +If you want to prevent syncing of browser settings but give users a choice to turn on syncing: +1. Set Experience/DoNotSyncBrowserSettings to 2 (enabled). +1. Set this policy (Experience/PreventUsersFromTurningOnBrowserSyncing) to 0 (disabled). + + + + +ADMX Info: +- GP English name: *Do not sync browser settings* +- GP name: *DisableWebBrowserSettingSync* +- GP element: *CheckBox_UserOverride* +- GP path: *Windows Components/Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +Supported values: + +- 0 - Allowed/turned on. Users can sync the browser settings. +- 1 (default) - Prevented/turned off. + +Value type is integer. + + + + + +**Validation procedure:** + +Microsoft Edge on your PC: +1. Select **More > Settings**. +1. See if the setting is enabled or disabled based on your setting. + + + +
                  Footnote: @@ -1323,13 +1556,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. - -## Experience policies supported by Windows Holographic for Business - -- [Experience/AllowCortana](#experience-allowcortana) -- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment) - diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index bdf443d549..1d88286ceb 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/12/2018 --- diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md index df185f9924..d427a7ed5c 100644 --- a/windows/client-management/mdm/policy-csp-fileexplorer.md +++ b/windows/client-management/mdm/policy-csp-fileexplorer.md @@ -5,15 +5,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 04/16/2018 --- # Policy CSP - FileExplorer -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md
index d14fd92fed..4b7c9efb2d 100644
--- a/windows/client-management/mdm/policy-csp-games.md
+++ b/windows/client-management/mdm/policy-csp-games.md
@@ -5,7 +5,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 03/12/2018
 ---
diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md
index bdbcb764ae..a74fbeccf3 100644
--- a/windows/client-management/mdm/policy-csp-handwriting.md
+++ b/windows/client-management/mdm/policy-csp-handwriting.md
@@ -5,8 +5,8 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
-ms.date: 03/12/2018
+author: MariciaAlforque
+ms.date: 08/09/2018
 ---
 # Policy CSP - Handwriting
@@ -44,7 +44,7 @@ ms.date: 03/12/2018
 cross mark
 check mark3
- check mark3
+ cross mark
 check mark3
 check mark3
 cross mark
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index 580431a0ff..3cac24872a 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -5,8 +5,8 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
-ms.date: 04/16/2018
+author: MariciaAlforque
+ms.date: 05/14/2018
 ---
 # Policy CSP - InternetExplorer
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index 974db5f350..2c1b567f4b 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/12/2018 --- diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index f662a910d4..fb8a4b73e9 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md @@ -5,14 +5,13 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 04/11/2018 +author: MariciaAlforque +ms.date: 05/14/2018 --- # Policy CSP - KioskBrowser -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Microsoft Store app, added in Windows 10 version 1803, that provides IT a way to customize the end user’s browsing experience to fulfill kiosk, signage, and shared device scenarios. Application developers can also create their own kiosk browser and read these policies using [NamedPolicy.GetPolicyFromPath(String, String) Method](https://docs.microsoft.com/en-us/uwp/api/windows.management.policies.namedpolicy.getpolicyfrompath#Windows_Management_Policies_NamedPolicy_GetPolicyFromPath_System_String_System_String_). @@ -226,15 +225,6 @@ Added in Windows 10, version 1803. Configures the default URL kiosk browsers to Shows the Kiosk Browser's end session button. When the policy is enabled, the Kiosk Browser app shows a button to reset the browser. When the user clicks on the button, the app will prompt the user for confirmation to end the session. When the user confirms, the Kiosk broswser will clear all browsing data (cache, cookies, etc.) and navigate back to the default URL. - - - - - - - - -
diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
index 15c57e928a..18bcc8cfed 100644
--- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md
+++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
@@ -5,15 +5,12 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 04/16/2018
 ---
 # Policy CSP - LanmanWorkstation
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
                  diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md index eae5cdc5d7..79d19dcdbb 100644 --- a/windows/client-management/mdm/policy-csp-licensing.md +++ b/windows/client-management/mdm/policy-csp-licensing.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 05/14/2018 --- # Policy CSP - Licensing @@ -47,7 +47,7 @@ ms.date: 03/12/2018 cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -105,7 +105,7 @@ The following list shows the supported values: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index eba91fae44..47018e826f 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 04/06/2018 +author: MariciaAlforque +ms.date: 06/26/2018 --- # Policy CSP - LocalPoliciesSecurityOptions @@ -84,12 +84,18 @@ ms.date: 04/06/2018
                  LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
                  +
                  + LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways +
                  LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
                  LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
                  +
                  + LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession +
                  LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
                  @@ -102,15 +108,15 @@ ms.date: 04/06/2018
                  LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
                  -
                  - LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers -
                  LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
                  LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
                  +
                  + LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM +
                  LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
                  @@ -120,6 +126,9 @@ ms.date: 04/06/2018
                  LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
                  +
                  + LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients +
                  LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
                  @@ -811,6 +820,10 @@ GP Info: + +> [!Warning] +> Starting in the next major version of Windows, this policy is deprecated. + Domain member: Digitally encrypt or sign secure channel data (always) This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. @@ -837,15 +850,6 @@ GP Info: - GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - -
                  @@ -886,6 +890,10 @@ GP Info: + +> [!Warning] +> Starting in the next major version of Windows, this policy is deprecated. + Domain member: Digitally encrypt secure channel data (when possible) This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. @@ -909,15 +917,6 @@ GP Info: - GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - -
                  @@ -958,6 +957,10 @@ GP Info: + +> [!Warning] +> Starting in the next major version of Windows, this policy is deprecated. + Domain member: Disable machine account password changes Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days. @@ -976,15 +979,6 @@ GP Info: - GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - -
                  @@ -1486,6 +1480,83 @@ GP Info:
                  + +**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Microsoft network client: Digitally sign communications (always) + +This security setting determines whether packet signing is required by the SMB client component. + +The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. + +If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. + +Default: Disabled. + + +Notes + +All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. 
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. +For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. + + + +GP Info: +- GP English name: *Microsoft network client: Digitally sign communications (always)* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + + + + + + + + + + + +
                  + **LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees** @@ -1609,6 +1680,72 @@ GP Info:
                  + +**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Microsoft network server: Amount of idle time required before suspending a session + +This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity. + +Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. + +For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy. + +Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations. + + + +GP Info: +- GP English name: *Microsoft network server: Amount of idle time required before suspending session* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + + + + + + + + + + + +
                  + **LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways** @@ -1881,57 +2018,6 @@ GP Info:
                  - -**LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark4check mark4check mark4check mark4cross markcross mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Network access: Let Everyone permissions apply to anonymous users - -This security setting determines what additional permissions are granted for anonymous connections to the computer. - -Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. By Default, the Everyone security identifier (SID) is removed from the token created for anonymous connections. Therefore, permissions granted to the Everyone group do not apply to anonymous users. If this option is set, anonymous users can only access those resources for which the anonymous user has been explicitly given permission. - -If this policy is enabled, the Everyone SID is added to the token that is created for anonymous connections. In this case, anonymous users are able to access any resource for which the Everyone group has been given permissions. - -Default: Disabled. - - - - -
                  - **LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares** @@ -2042,6 +2128,78 @@ GP Info:
                  + +**LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Network security: Allow Local System to use computer identity for NTLM + +This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. + +If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. + +If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. + +By default, this policy is enabled on Windows 7 and above. + +By default, this policy is disabled on Windows Vista. + +This policy is supported on at least Windows Vista or Windows Server 2008. + +Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. + + + +GP Info: +- GP English name: *Network security: Allow Local System to use computer identity for NTLM* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + + + + + + + + + + + +
                  + **LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests** @@ -2237,6 +2395,75 @@ GP Info:
                  + +**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Network security: Minimum session security for NTLM SSP based (including secure RPC) clients + +This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: + +Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated. +Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. + +Default: + +Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. + +Windows 7 and Windows Server 2008 R2: Require 128-bit encryption + + + +GP Info: +- GP English name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) clients* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + + + + + + + + + + + +
                  + **LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers** @@ -2350,15 +2577,6 @@ GP Info: - GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - -
                  @@ -2420,15 +2638,6 @@ GP Info: - GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - -
                  @@ -2490,15 +2699,6 @@ GP Info: - GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - -
                  @@ -2560,15 +2760,6 @@ GP Info: - GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - -
                  @@ -3397,6 +3588,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-location.md b/windows/client-management/mdm/policy-csp-location.md index 8117114323..8745836c59 100644 --- a/windows/client-management/mdm/policy-csp-location.md +++ b/windows/client-management/mdm/policy-csp-location.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 08/09/2018 --- # Policy CSP - Location @@ -42,7 +42,7 @@ ms.date: 03/12/2018 Mobile Enterprise - check mark2 + cross mark check mark2 check mark2 check mark2 diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md index 228d2f75ec..afa30b7b07 100644 --- a/windows/client-management/mdm/policy-csp-lockdown.md +++ b/windows/client-management/mdm/policy-csp-lockdown.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 05/14/2018 --- # Policy CSP - LockDown @@ -44,7 +44,7 @@ ms.date: 03/12/2018 cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md index 8b44913146..37f9f79bdb 100644 --- a/windows/client-management/mdm/policy-csp-maps.md +++ b/windows/client-management/mdm/policy-csp-maps.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 05/14/2018 --- # Policy CSP - Maps @@ -47,7 +47,7 @@ ms.date: 03/12/2018 cross mark check mark1 - + check mark1 check mark1 check mark1 check mark1 
@@ -100,7 +100,7 @@ The following list shows the supported values: cross mark check mark1 - + check mark1 check mark1 check mark1 check mark1 diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md index f1862d266d..9e96723b2f 100644 --- a/windows/client-management/mdm/policy-csp-messaging.md +++ b/windows/client-management/mdm/policy-csp-messaging.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 08/09/2018 --- # Policy CSP - Messaging @@ -102,10 +102,10 @@ The following list shows the supported values: cross mark + check mark1 cross mark - - cross mark - cross mark + check mark1 + check mark1 check mark1 check mark1 diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md index bed4009f6a..5b9f201e0a 100644 --- a/windows/client-management/mdm/policy-csp-mssecurityguide.md +++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md @@ -5,15 +5,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 04/16/2018 --- # Policy CSP - MSSecurityGuide -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md
index 85f1361fe8..dd2518efdf 100644
--- a/windows/client-management/mdm/policy-csp-msslegacy.md
+++ b/windows/client-management/mdm/policy-csp-msslegacy.md
@@ -5,15 +5,12 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 04/16/2018
 ---
 # Policy CSP - MSSLegacy
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
                  diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md index d5d98f64b1..2e5574d79b 100644 --- a/windows/client-management/mdm/policy-csp-networkisolation.md +++ b/windows/client-management/mdm/policy-csp-networkisolation.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 05/14/2018 --- # Policy CSP - NetworkIsolation @@ -65,7 +65,7 @@ ms.date: 03/12/2018 cross mark check mark - + check mark check mark check mark check mark @@ -117,7 +117,7 @@ ADMX Info: cross mark check mark - + check mark check mark check mark check mark @@ -182,7 +182,7 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff cross mark check mark - + check mark check mark check mark check mark @@ -233,7 +233,7 @@ ADMX Info: cross mark check mark - + check mark check mark check mark check mark @@ -285,7 +285,7 @@ ADMX Info: cross mark check mark - + check mark check mark check mark check mark @@ -338,7 +338,7 @@ Here are the steps to create canonical domain names: cross mark check mark - + check mark check mark check mark check mark @@ -390,7 +390,7 @@ ADMX Info: cross mark check mark - + check mark check mark check mark check mark @@ -441,7 +441,7 @@ ADMX Info: cross mark check mark - + check mark check mark check mark check mark diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index e5838dc453..2d3a5e15e8 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md 
@@ -5,14 +5,12 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
-ms.date: 04/16/2018
+author: MariciaAlforque
+ms.date: 05/14/2018
 ---
 # Policy CSP - Notifications
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
                  @@ -81,6 +79,9 @@ If you disable or do not configure this policy setting, the client computer will No reboots or service restarts are required for this policy setting to take effect. +> [!Warning] +> This policy is designed for zero exhaust. This policy may cause some MDM processes to break because WNS notification is used by the MDM server to send real time tasks to the device, such as remote wipe, unenroll, remote find, and mandatory app installation. When this policy is set to disallow WNS, those real time processes will no longer work and some time-sensitive actions such as remote wipe when the device is stolen or unenrollment when the device is compromised will not work. + ADMX Info: @@ -101,7 +102,6 @@ Validation: 3. Ensure that you can't receive a notification from Facebook app while FB app isn't running -
                  @@ -123,7 +123,7 @@ Validation: cross mark check mark1 - + check mark1 check mark1 check mark1 check mark1 diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 9b6886930d..6a7dbb8a95 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 04/16/2018 --- diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index be94af174b..ae57e495a7 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/12/2018 --- diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 18b6e20034..52ede722ea 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -5,12 +5,14 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 04/19/2018 +author: MariciaAlforque +ms.date: 08/08/2018 --- # Policy CSP - Privacy +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
                  @@ -22,6 +24,9 @@ ms.date: 04/19/2018
                  Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts
                  +
                  + Privacy/AllowCrossDeviceClipboard +
                  Privacy/AllowInputPersonalization
                  @@ -103,6 +108,18 @@ ms.date: 04/19/2018
                  Privacy/LetAppsAccessEmail_UserInControlOfTheseApps
                  +
                  + Privacy/LetAppsAccessGazeInput +
                  +
                  + Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps +
                  +
                  + Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps +
                  +
                  + Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps +
                  Privacy/LetAppsAccessLocation
                  @@ -250,6 +267,9 @@ ms.date: 04/19/2018
                  Privacy/PublishUserActivities
                  +
                  + Privacy/UploadUserActivities +
                  @@ -272,11 +292,11 @@ ms.date: 04/19/2018 check mark3 check mark3 - check mark3 check mark3 - check mark - check mark + check mark3 + check mark3 + check mark3 @@ -311,6 +331,72 @@ The following list shows the supported values:
                  + +**Privacy/AllowCrossDeviceClipboard** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  check mark5check mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, next major version. Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. + +Most restricted value is 0. + + + +ADMX Info: +- GP English name: *Allow Clipboard synchronization across devices* +- GP name: *AllowCrossDeviceClipboard* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + + +The following list shows the supported values: + +0 – Not allowed. +1 (default) – Allowed. + + + + + + + + + + +
                  + **Privacy/AllowInputPersonalization** @@ -326,9 +412,9 @@ The following list shows the supported values: Mobile Enterprise - cross mark check mark - + check mark + check mark check mark check mark check mark @@ -347,7 +433,7 @@ The following list shows the supported values: -Updated in Windows 10, version 1709. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users. +Updated in Windows 10, next major version. This policy specifies whether users on the device have the option to enable online speech recognition. When enabled, users can use their voice for dictation and to talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft will use voice input to help improve our speech services. If the policy value is set to 0, online speech recognition will be disabled and users cannot enable online speech recognition via settings. If policy value is set to 1 or is not configured, control is deferred to users. Most restricted value is 0. @@ -364,7 +450,7 @@ ADMX Info: The following list shows the supported values: - 0 – Not allowed. -- 1 (default) – Allowed. +- 1 (default) – Choice deferred to user's preference. @@ -388,7 +474,7 @@ The following list shows the supported values: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -507,7 +593,7 @@ The following list shows the supported values: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -570,7 +656,7 @@ The following list shows the supported values: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -622,7 +708,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -674,7 +760,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 
@@ -726,7 +812,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -789,7 +875,7 @@ The following list shows the supported values: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -841,7 +927,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -893,7 +979,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -945,7 +1031,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -1008,7 +1094,7 @@ The following list shows the supported values: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -1060,7 +1146,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -1112,7 +1198,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -1164,7 +1250,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -1227,7 +1313,7 @@ The following list shows the supported values: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -1279,7 +1365,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -1331,7 +1417,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -1383,7 +1469,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -1446,7 +1532,7 @@ The following list shows the supported values: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -1498,7 +1584,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -1550,7 +1636,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -1602,7 +1688,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 
@@ -1665,7 +1751,7 @@ The following list shows the supported values: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -1717,7 +1803,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -1769,7 +1855,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -1804,6 +1890,214 @@ ADMX Info:
                  + +**Privacy/LetAppsAccessGazeInput** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  check mark5check mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting specifies whether Windows apps can access the eye tracker. + + + + + + + + + + + + + +
                  + + +**Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  check mark5check mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + + + + + + + + + + + + + +
                  + + +**Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  check mark5check mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + + + + + + + + + + + + + +
                  + + +**Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  check mark5check mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + + + + + + + + + + + + + +
                  + **Privacy/LetAppsAccessLocation** @@ -1821,7 +2115,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -1884,7 +2178,7 @@ The following list shows the supported values: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -1936,7 +2230,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -1988,7 +2282,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -2040,7 +2334,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -2103,7 +2397,7 @@ The following list shows the supported values: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -2155,7 +2449,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -2207,7 +2501,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -2259,7 +2553,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -2322,7 +2616,7 @@ The following list shows the supported values: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -2374,7 +2668,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -2426,7 +2720,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -2478,7 +2772,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -2541,7 +2835,7 @@ The following list shows the supported values: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -2593,7 +2887,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -2645,7 +2939,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 
@@ -2697,7 +2991,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -2760,7 +3054,7 @@ The following list shows the supported values: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -2812,7 +3106,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -2864,7 +3158,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -2916,7 +3210,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -2979,7 +3273,7 @@ The following list shows the supported values: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -3031,7 +3325,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -3083,7 +3377,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -3135,7 +3429,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -3198,7 +3492,7 @@ The following list shows the supported values: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -3250,7 +3544,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -3302,7 +3596,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -3562,7 +3856,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -3625,7 +3919,7 @@ The following list shows the supported values: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -3677,7 +3971,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -3729,7 +4023,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -3781,7 +4075,7 @@ ADMX Info: check mark2 check mark2 - + check mark2 check mark2 check mark2 check mark2 
@@ -3844,7 +4138,7 @@ The following list shows the supported values: check mark2 check mark2 - + check mark2 check mark2 check mark2 check mark2 @@ -3896,7 +4190,7 @@ ADMX Info: check mark2 check mark2 - + check mark2 check mark2 check mark2 check mark2 @@ -3948,7 +4242,7 @@ ADMX Info: check mark2 check mark2 - + check mark2 check mark2 check mark2 check mark2 @@ -4000,7 +4294,7 @@ ADMX Info: check mark2 check mark2 - + check mark2 check mark2 check mark2 check mark2 @@ -4065,7 +4359,7 @@ The following list shows the supported values: check mark2 check mark2 - + check mark2 check mark2 check mark2 check mark2 @@ -4117,7 +4411,7 @@ ADMX Info: check mark2 check mark2 - + check mark2 check mark2 check mark2 check mark2 @@ -4169,7 +4463,7 @@ ADMX Info: check mark2 check mark2 - + check mark2 check mark2 check mark2 check mark2 @@ -4221,7 +4515,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -4284,7 +4578,7 @@ The following list shows the supported values: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -4336,7 +4630,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -4388,7 +4682,7 @@ ADMX Info: check mark1 check mark1 - + check mark1 check mark1 check mark1 check mark1 @@ -4478,6 +4772,66 @@ The following list shows the supported values: + +
                  + + +**Privacy/UploadUserActivities** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  check mark5check mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Allows ActivityFeed to upload published 'User Activities'. + + + +ADMX Info: +- GP English name: *Allow upload of User Activities* +- GP name: *UploadUserActivities* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + + + + + + + + + + +
                  Footnote: 
@@ -4486,40 +4840,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. - -## Privacy policies supported by Windows Holographic for Business - -- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) - - - -## Privacy policies supported by IoT Core - -- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) -- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) -- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) -- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) -- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) -- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) - - - -## Privacy policies supported by Microsoft Surface Hub - -- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed) -- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) -- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) -- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) -- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) -- 
[Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) -- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) -- [Privacy/PublishUserActivities](#privacy-publishuseractivities) - diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md index 01e2f7e4b7..d66ad8a1f8 100644 --- a/windows/client-management/mdm/policy-csp-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-remoteassistance.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/12/2018 --- diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index 0e4be98697..6621ddedd2 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/12/2018 --- diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md index 96324dc5cc..39752ff60e 100644 --- a/windows/client-management/mdm/policy-csp-remotemanagement.md +++ b/windows/client-management/mdm/policy-csp-remotemanagement.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/12/2018 --- diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md index 295bf5c56e..3422d53682 100644 --- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md 
+++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/12/2018 --- diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md index cbb9717f73..300e4c4f1f 100644 --- a/windows/client-management/mdm/policy-csp-remoteshell.md +++ b/windows/client-management/mdm/policy-csp-remoteshell.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/12/2018 --- diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 8e59202bfb..78ef27da14 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -5,15 +5,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/15/2018 --- # Policy CSP - RestrictedGroups -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
                  diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 12b9c8386e..f51a32f819 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -5,14 +5,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 07/30/2018 --- # Policy CSP - Search -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
                  @@ -202,7 +200,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -266,7 +264,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -346,7 +344,7 @@ This policy has been deprecated. cross mark check mark - + check mark check mark check mark check mark @@ -407,7 +405,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -450,7 +448,7 @@ Allow Windows indexer. Value type is integer. cross mark check mark - + check mark check mark check mark check mark @@ -511,7 +509,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -569,7 +567,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -694,7 +692,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -756,7 +754,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -814,7 +812,7 @@ The following list shows the supported values: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -862,15 +860,5 @@ Footnote: - -## Search policies that can be set using Exchange Active Sync (EAS) -- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) - - - -## Search policies supported by Windows Holographic for Business - -- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) - diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index b03abc2582..e6171c839d 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md 
@@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 08/09/2018 --- # Policy CSP - Security @@ -45,6 +45,9 @@ ms.date: 03/12/2018
                  Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
                  +
                  + Security/RecoveryEnvironmentAuthentication +
                  Security/RequireDeviceEncryption
                  @@ -76,7 +79,7 @@ ms.date: 03/12/2018 cross mark check mark - + check mark check mark check mark check mark @@ -176,7 +179,7 @@ The following list shows the supported values: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -232,7 +235,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -282,7 +285,7 @@ The following list shows the supported values: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -395,7 +398,7 @@ The following list shows the supported values: Mobile Enterprise - check mark4 + cross mark check mark4 check mark4 check mark4 @@ -451,7 +454,7 @@ The following list shows the supported values: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -491,7 +494,7 @@ The following list shows the supported values:
                  -**Security/RequireDeviceEncryption** +**Security/RecoveryEnvironmentAuthentication** @@ -506,6 +509,87 @@ The following list shows the supported values: + + + + + + + +
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
                  + + + +Added in Windows 10, next major version. This policy controls the Admin Authentication requirement in RecoveryEnvironment. + +Supported values: +- 0 - Default: Keep using default(current) behavior +- 1 - RequireAuthentication: Admin Authentication is always required for components in RecoveryEnvironment +- 2 - NoRequireAuthentication: Admin Authentication is not required for components in RecoveryEnvironment + + + + + + + + + +**Validation procedure** + +The validation requires a check whether Refresh ("Keep my files") and Reset ("Remove everything") requires admin authentication in WinRE. +The process of starting Push Button Reset (PBR) in WinRE: + +1. Open a cmd as Administrator, run command "reagentc /boottore" and restart the OS to boot to WinRE. +1. OS should boot to the blue screen of WinRE UI, go through TroubleShoot -> Reset this PC, it should show two options: "Keep my files" and "Remove everything". + +If the MDM policy is set to "Default" (0) or does not exist, the admin authentication flow should work as default behavior: + +1. Start PBR in WinRE, choose "Keep my files", it should pop up admin authentication. +1. Click "<-" (right arrow) button and choose "Remove everything", it should not pop up admin authentication and just go to PBR options. + +If the MDM policy is set to "RequireAuthentication" (1) + +1. Start PBR in WinRE, choose "Keep my files", it should pop up admin authentication. +1. Click "<-" (right arrow) button and choose "Remove everything", it should also pop up admin authentication. + +If the MDM policy is set to "NoRequireAuthentication" (2) + +1. Start PBR in WinRE, choose "Keep my files", it should not pop up admin authentication. +1. Go through PBR options and click "cancel" at final confirmation page, wait unit the UI is back. +1. Click "TroubleShoot" -> "Reset this PC" again, choose "Remove everything", it should not pop up admin authentication neither. + + + + +
                  + + +**Security/RequireDeviceEncryption** + + + + + + + + + + + + + + @@ -563,7 +647,7 @@ The following list shows the supported values: - + @@ -613,7 +697,7 @@ The following list shows the supported values: - + @@ -663,34 +747,9 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. - -## Security policies that can be set using Exchange Active Sync (EAS) -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) - - - -## Security policies supported by Windows Holographic for Business - -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) - - - -## Security policies supported by IoT Core - -- [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage) -- [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage) -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) -- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) - - - -## Security policies supported by Microsoft Surface Hub - -- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) -- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot) - diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 5773e32200..a88b2464f6 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md 
@@ -5,14 +5,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 08/09/2018 --- # Policy CSP - Settings -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
                  @@ -85,7 +83,7 @@ ms.date: 03/12/2018 - + @@ -142,7 +140,7 @@ The following list shows the supported values: - + @@ -192,7 +190,7 @@ The following list shows the supported values: - + @@ -241,10 +239,10 @@ The following list shows the supported values: - - - - + + + + @@ -292,7 +290,7 @@ The following list shows the supported values: - + @@ -346,7 +344,7 @@ The following list shows the supported values: - + @@ -400,7 +398,7 @@ ADMX Info: - + @@ -454,7 +452,7 @@ The following list shows the supported values: - + @@ -508,7 +506,7 @@ The following list shows the supported values: - + @@ -562,7 +560,7 @@ The following list shows the supported values: - + @@ -612,7 +610,7 @@ The following list shows the supported values: - + @@ -666,7 +664,7 @@ The following list shows the supported values: - + @@ -851,10 +849,5 @@ Footnote: - -## Settings policies supported by Windows Holographic for Business -- [Settings/AllowDateTime](#settings-allowdatetime) -- [Settings/AllowVPN](#settings-allowvpn) - diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md index 3eea69f19b..e7bdc48ee7 100644 --- a/windows/client-management/mdm/policy-csp-smartscreen.md +++ b/windows/client-management/mdm/policy-csp-smartscreen.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/12/2018 --- @@ -185,7 +185,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files. +Added in Windows 10, version 1703. Allows IT Admins to control whether users can ignore SmartScreen warnings and run malicious files. diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md index 33cdd64750..43023aecdc 100644 
--- a/windows/client-management/mdm/policy-csp-speech.md +++ b/windows/client-management/mdm/policy-csp-speech.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 08/09/2018 --- # Policy CSP - Speech @@ -42,9 +42,9 @@ ms.date: 03/12/2018 + - diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index d9d149dd3a..fce37d78d3 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 08/09/2018 --- # Policy CSP - Start @@ -128,7 +128,7 @@ ms.date: 03/12/2018 - + @@ -179,7 +179,7 @@ The following list shows the supported values: - + @@ -230,7 +230,7 @@ The following list shows the supported values: - + @@ -281,7 +281,7 @@ The following list shows the supported values: - + @@ -332,7 +332,7 @@ The following list shows the supported values: - + @@ -383,7 +383,7 @@ The following list shows the supported values: - + @@ -434,7 +434,7 @@ The following list shows the supported values: - + @@ -485,7 +485,7 @@ The following list shows the supported values: - + @@ -536,7 +536,7 @@ The following list shows the supported values: - + @@ -587,7 +587,7 @@ The following list shows the supported values: - + @@ -637,8 +637,8 @@ The following list shows the supported values: - - + + @@ -696,7 +696,7 @@ The following list shows the supported values: - + @@ -762,7 +762,7 @@ The following list shows the supported values: - + @@ -819,7 +819,7 @@ To validate on Desktop, do the following: - + @@ -883,7 +883,7 @@ To validate on Desktop, do the following: - + @@ -944,7 +944,7 @@ To validate on Laptop, do the following: - + @@ -1054,7 +1054,7 @@ ADMX Info: - + 
@@ -1114,7 +1114,7 @@ To validate on Desktop, do the following: - + @@ -1181,7 +1181,7 @@ To validate on Desktop, do the following: - + @@ -1253,7 +1253,7 @@ To validate on Desktop, do the following: - + @@ -1310,7 +1310,7 @@ To validate on Desktop, do the following: - + @@ -1367,7 +1367,7 @@ To validate on Desktop, do the following: - + @@ -1424,7 +1424,7 @@ To validate on Desktop, do the following: - + @@ -1481,7 +1481,7 @@ To validate on Desktop, do the following: - + @@ -1538,7 +1538,7 @@ To validate on Desktop, do the following: - + @@ -1621,6 +1621,14 @@ To validate on Desktop, do the following: > [!NOTE] > This policy requires reboot to take effect. +Here is additional SKU support information: + +|Release |SKU Supported | +|---------|---------| +|Windows 10, version 1607 and older |Not supported | +|Windows 10, version 1703 and later |Enterprise, Education, Business | +|Windows 10, version 1709 and later |Enterprise, Education, Business, Pro, ProEducation, S, ProWorkstation | + Added in Windows 10, version 1703. This policy imports Edge assets (e.g. .png/.jpg files) for secondary tiles into its local app data path which allows the StartLayout policy to pin Edge secondary tiles as weblink that tie to the image asset files. > [!IMPORTANT] @@ -1659,7 +1667,7 @@ To validate on Desktop, do the following: - + @@ -1718,8 +1726,8 @@ To validate on Desktop, do the following: - - + + 
@@ -1740,7 +1748,15 @@ To validate on Desktop, do the following: > [!IMPORTANT] -> Added in Windows 10 version 1703: In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis. For more information, see [Policy scope](./policy-configuration-service-provider.md#policy-scope) +> Added in Windows 10 version 1703: In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis. For more information, see [Policy scope](./policy-configuration-service-provider.md#policy-scope) + +Here is additional SKU support information: + +|Release |SKU Supported | +|---------|---------| +|Windows 10, version 1511 and older |Not supported | +|Windows 10, version 1607 and later |Enterprise, Education, Business | +|Windows 10, version 1709 and later |Enterprise, Education, Business, Pro, ProEducation, S, ProWorkstation | Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index b27f3af35b..45727b2535 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/12/2018 --- diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 6c6ed3c4c9..63649af40c 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md 
@@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 07/30/2018 --- # Policy CSP - System @@ -48,6 +48,12 @@ ms.date: 03/12/2018
                  System/BootStartDriverInitialization
                  +
                  + System/ConfigureTelemetryOptInChangeNotification +
                  +
                  + System/ConfigureTelemetryOptInSettingsUx +
                  System/DisableEnterpriseAuthProxy
                  @@ -88,7 +94,7 @@ ms.date: 03/12/2018 - + @@ -153,7 +159,7 @@ The following list shows the supported values: - + @@ -205,7 +211,7 @@ The following list shows the supported values: - + @@ -333,7 +339,7 @@ To verify if System/AllowFontProviders is set to true: - + @@ -401,7 +407,7 @@ The following list shows the supported values: - + @@ -453,7 +459,7 @@ The following list shows the supported values: - + @@ -581,7 +587,7 @@ ADMX Info: - + @@ -685,6 +691,137 @@ ADMX Info:
                  + +**System/ConfigureTelemetryOptInChangeNotification** + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  check mark check mark check mark check mark
                  cross mark check markcheck mark check mark check mark check mark
                  check mark check markcheck mark check mark check mark check mark
                  cross mark check markcheck mark check mark check mark cross mark
                  cross mark check markcheck mark check mark check mark check mark
                  cross mark check markcheck mark check mark check mark check mark
                  cross markcross markcross markcross markcheck mark1check mark1check mark1check mark1 check mark1 check mark1
                  cross mark check markcheck mark check mark check mark cross mark
                  cross mark check mark3check mark3check mark check mark3 check mark3 cross mark
                  cross mark check markcheck mark check mark check mark cross mark
                  cross mark check markcheck mark check mark check mark cross mark
                  cross mark check markcheck mark check mark check mark cross mark
                  cross mark check markcheck mark check mark check mark check mark
                  cross mark check markcheck mark check mark check mark cross mark
                  cross mark check markcheck mark check mark check mark check mark Mobile Enterprise
                  cross mark check mark1 check mark1 check mark1 check mark1 check mark1
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross markcross markcheck markcheck mark check mark check mark cross mark
                  cross mark check mark3check mark3 check mark3 check mark3 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross mark check mark2check mark2 check mark2 check mark2 cross mark
                  cross markcross markcheck markcheck mark check mark check mark cross mark
                  cross mark check markcheck mark check mark check mark check mark
                  cross mark check markcheck mark check mark check mark check mark
                  cross mark check markcheck mark check mark check mark check mark
                  cross mark check markcheck mark check mark check mark check mark
                  cross mark check markcheck mark check mark check mark check mark
                  cross mark check markcheck mark check mark check mark check mark
                  cross mark check markcheck mark check mark check mark check mark
                  + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark4check mark4check mark4check mark4
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting determines whether a device shows notifications about telemetry levels to people on first logon or when changes occur in Settings.  +If you set this policy setting to "Disable telemetry change notifications", telemetry level notifications stop appearing. +If you set this policy setting to "Enable telemetry change notifications" or don't configure this policy setting, telemetry notifications appear at first logon and when changes occur in Settings. + + + +ADMX Info: +- GP English name: *Configure telemetry opt-in change notifications.* +- GP name: *ConfigureTelemetryOptInChangeNotification* +- GP element: *ConfigureTelemetryOptInChangeNotification* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
                  + + +**System/ConfigureTelemetryOptInSettingsUx** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark4check mark4check mark4check mark4
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting determines whether people can change their own telemetry levels in Settings. This setting should be used in conjunction with the Allow Telemetry settings. + +If you set this policy setting to "Disable Telemetry opt-in Settings", telemetry levels are disabled in Settings, preventing people from changing them. + +If you set this policy setting to "Enable Telemetry opt-in Setings" or don't configure this policy setting, people can change their own telemetry levels in Settings. + +Note: +Set the Allow Telemetry policy setting to prevent people from sending diagnostic data to Microsoft beyond your organization's limit. + + + +ADMX Info: +- GP English name: *Configure telemetry opt-in setting user interface.* +- GP name: *ConfigureTelemetryOptInSettingsUx* +- GP element: *ConfigureTelemetryOptInSettingsUx* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
                  + **System/DisableEnterpriseAuthProxy** @@ -1011,7 +1148,7 @@ ADMX Info: cross mark check mark - + check mark check mark check mark check mark @@ -1053,38 +1190,9 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. - -## System policies that can be set using Exchange Active Sync (EAS) -- [System/AllowStorageCard](#system-allowstoragecard) -- [System/TelemetryProxy](#system-telemetryproxy) - - - -## System policies supported by Windows Holographic for Business - -- [System/AllowFontProviders](#system-allowfontproviders) -- [System/AllowLocation](#system-allowlocation) -- [System/AllowTelemetry](#system-allowtelemetry) - - - -## System policies supported by IoT Core - -- [System/AllowEmbeddedMode](#system-allowembeddedmode) -- [System/AllowFontProviders](#system-allowfontproviders) -- [System/AllowStorageCard](#system-allowstoragecard) -- [System/TelemetryProxy](#system-telemetryproxy) - - - -## System policies supported by Microsoft Surface Hub - -- [System/AllowFontProviders](#system-allowfontproviders) -- [System/AllowLocation](#system-allowlocation) -- [System/AllowTelemetry](#system-allowtelemetry) - diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md index 1efa6419f1..89a649fe5c 100644 --- a/windows/client-management/mdm/policy-csp-systemservices.md +++ b/windows/client-management/mdm/policy-csp-systemservices.md 
@@ -5,15 +5,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/12/2018 --- # Policy CSP - SystemServices -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md
new file mode 100644
index 0000000000..7001fe088f
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-taskmanager.md
@@ -0,0 +1,99 @@
+---
+title: Policy CSP - TaskManager
+description: Policy CSP - TaskManager
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: MariciaAlforque
+ms.date: 07/05/2018
+---
+
+# Policy CSP - TaskManager
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+
+## TaskManager policies
+
+
                  +
                  + TaskManager/AllowEndTask +
                  +
                  + + +
                  + + +**TaskManager/AllowEndTask** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5cross markcheck mark5check mark5
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This setting determines whether non-administrators can use Task Manager to end tasks.
+
+Value type is integer. Supported values:
+ - 0 - Disabled. EndTask functionality is blocked in TaskManager.
+ - 1 - Enabled (default). Users can perform EndTask in TaskManager.
+
+
+
+
+
+
+
+
+
+**Validation procedure:**
+When this policy is set to 1 - users CAN execute 'End task' on processes in TaskManager
+When the policy is set to 0 - users CANNOT execute 'End task' on processes in TaskManager
+
+
+
+
                  + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. + + + diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md index 4ac73d9f96..94c33279b8 100644 --- a/windows/client-management/mdm/policy-csp-taskscheduler.md +++ b/windows/client-management/mdm/policy-csp-taskscheduler.md @@ -5,15 +5,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/12/2018 --- # Policy CSP - TaskScheduler -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
                  diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 5f1af3e3c0..e96eb5340c 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 04/16/2018 +author: MariciaAlforque +ms.date: 08/09/2018 --- # Policy CSP - TextInput @@ -101,29 +101,6 @@ ms.date: 04/16/2018 **TextInput/AllowHardwareKeyboardTextSuggestions** - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark4check mark4check mark4check mark4
                  - - [Scope](./policy-configuration-service-provider.md#policy-scope): @@ -134,16 +111,9 @@ ms.date: 04/16/2018 -Added in Windows 10, version 1803. Specifies text prediction for hardware keyboard is always disabled. When this policy is set to 0, text prediction for hardware keyboard is always disabled. +Added in Windows 10, version 1803. Placeholder only. Do not use in production environment. - -The following list shows the supported values: - -- 0 – Text prediction for the hardware keyboard is disabled and the switch is unusable (user cannot activate the feature). -- 1 (default) – Text prediction for the hardware keyboard is enabled. User can change the setting. - -
                  @@ -165,7 +135,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark cross mark @@ -275,7 +245,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark cross mark @@ -331,7 +301,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark cross mark @@ -388,7 +358,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark cross mark @@ -444,7 +414,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark cross mark @@ -500,7 +470,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark cross mark @@ -630,7 +600,7 @@ This policy has been deprecated. cross mark check mark - + check mark check mark check mark cross mark @@ -680,6 +650,30 @@ The following list shows the supported values: **TextInput/AllowLinguisticDataCollection** + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcross mark
                  + + + [Scope](./policy-configuration-service-provider.md#policy-scope): @@ -690,6 +684,7 @@ The following list shows the supported values: +This policy setting controls the ability to send inking and typing data to Microsoft to improve the language recognition and suggestion capabilities of apps and services running on Windows. @@ -781,7 +776,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark cross mark @@ -835,7 +830,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark cross mark @@ -889,7 +884,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark cross mark @@ -1339,6 +1334,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index 731fc2ae63..cac8f316bb 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -5,7 +5,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/12/2018 --- diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 5462333ba5..fffc3f8361 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md 
@@ -1,3131 +1,7131 @@ ---- -title: Policy CSP - Update -description: Policy CSP - Update -ms.author: maricia -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: nickbrower -ms.date: 04/16/2018 ---- - -# Policy CSP - Update - -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - - -
                  - - -## Update policies - -
                  -
                  - Update/ActiveHoursEnd -
                  -
                  - Update/ActiveHoursMaxRange -
                  -
                  - Update/ActiveHoursStart -
                  -
                  - Update/AllowAutoUpdate -
                  -
                  - Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork -
                  -
                  - Update/AllowMUUpdateService -
                  -
                  - Update/AllowNonMicrosoftSignedUpdate -
                  -
                  - Update/AllowUpdateService -
                  -
                  - Update/AutoRestartDeadlinePeriodInDays -
                  -
                  - Update/AutoRestartNotificationSchedule -
                  -
                  - Update/AutoRestartRequiredNotificationDismissal -
                  -
                  - Update/BranchReadinessLevel -
                  -
                  - Update/ConfigureFeatureUpdateUninstallPeriod -
                  -
                  - Update/DeferFeatureUpdatesPeriodInDays -
                  -
                  - Update/DeferQualityUpdatesPeriodInDays -
                  -
                  - Update/DeferUpdatePeriod -
                  -
                  - Update/DeferUpgradePeriod -
                  -
                  - Update/DetectionFrequency -
                  -
                  - Update/DisableDualScan -
                  -
                  - Update/EngagedRestartDeadline -
                  -
                  - Update/EngagedRestartSnoozeSchedule -
                  -
                  - Update/EngagedRestartTransitionSchedule -
                  -
                  - Update/ExcludeWUDriversInQualityUpdate -
                  -
                  - Update/FillEmptyContentUrls -
                  -
                  - Update/IgnoreMOAppDownloadLimit -
                  -
                  - Update/IgnoreMOUpdateDownloadLimit -
                  -
                  - Update/ManagePreviewBuilds -
                  -
                  - Update/PauseDeferrals -
                  -
                  - Update/PauseFeatureUpdates -
                  -
                  - Update/PauseFeatureUpdatesStartTime -
                  -
                  - Update/PauseQualityUpdates -
                  -
                  - Update/PauseQualityUpdatesStartTime -
                  -
                  - Update/PhoneUpdateRestrictions -
                  -
                  - Update/RequireDeferUpgrade -
                  -
                  - Update/RequireUpdateApproval -
                  -
                  - Update/ScheduleImminentRestartWarning -
                  -
                  - Update/ScheduleRestartWarning -
                  -
                  - Update/ScheduledInstallDay -
                  -
                  - Update/ScheduledInstallEveryWeek -
                  -
                  - Update/ScheduledInstallFirstWeek -
                  -
                  - Update/ScheduledInstallFourthWeek -
                  -
                  - Update/ScheduledInstallSecondWeek -
                  -
                  - Update/ScheduledInstallThirdWeek -
                  -
                  - Update/ScheduledInstallTime -
                  -
                  - Update/SetAutoRestartNotificationDisable -
                  -
                  - Update/SetEDURestart -
                  -
                  - Update/UpdateServiceUrl -
                  -
                  - Update/UpdateServiceUrlAlternate -
                  -
                  - - -
                  - - -**Update/ActiveHoursEnd** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1cross markcheck mark1
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. - -> [!NOTE] -> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. - -Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. - -The default is 17 (5 PM). - - - -ADMX Info: -- GP English name: *Turn off auto-restart for updates during active hours* -- GP name: *ActiveHours* -- GP element: *ActiveHoursEndTime* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
                  - - -**Update/ActiveHoursMaxRange** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. - -Supported values are 8-18. - -The default value is 18 (hours). - - - -ADMX Info: -- GP English name: *Specify active hours range for auto-restarts* -- GP name: *ActiveHoursMaxRange* -- GP element: *ActiveHoursMaxRange* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
                  - - -**Update/ActiveHoursStart** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1cross markcheck mark1
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. - -> [!NOTE] -> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. - -Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. - -The default value is 8 (8 AM). - - - -ADMX Info: -- GP English name: *Turn off auto-restart for updates during active hours* -- GP name: *ActiveHours* -- GP element: *ActiveHoursStartTime* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
                  - - -**Update/AllowAutoUpdate** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcross markcheck mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Enables the IT admin to manage automatic update behavior to scan, download, and install updates. - -Supported operations are Get and Replace. - - -> [!IMPORTANT] -> This option should be used only for systems under regulatory compliance, as you will not get security updates as well. -  - -If the policy is not configured, end-users get the default behavior (Auto install and restart). - - - -ADMX Info: -- GP English name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *AutoUpdateMode* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. -- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. -- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. 
If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. -- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. -- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. -- 5 – Turn off automatic updates. - - - - -
                  - - -**Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3cross markcross mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1709. Option to download updates automatically over metered connections (off by default). Value type is integer. - -A significant number of devices primarily use cellular data and do not have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates. - -This policy is accessible through the Update setting in the user interface or Group Policy. - - - -ADMX Info: -- GP English name: *Allow updates to be downloaded automatically over metered connections* -- GP name: *AllowAutoWindowsUpdateDownloadOverMeteredNetwork* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) - Not allowed -- 1 - Allowed - - - - -
                  - - -**Update/AllowMUUpdateService** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1cross markcross mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. - - - -ADMX Info: -- GP English name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *AllowMUUpdateServiceId* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed or not configured. -- 1 – Allowed. Accepts updates received through Microsoft Update. - - - - -
                  - - -**Update/AllowNonMicrosoftSignedUpdate** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcross markcheck mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. - -Supported operations are Get and Replace. - -This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. - - - -The following list shows the supported values: - -- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. -- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. - - - - -
                  - - -**Update/AllowUpdateService** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcross markcheck mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. - -Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store - -Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working. - -> [!NOTE] -> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. - - - -ADMX Info: -- GP English name: *Specify intranet Microsoft update service location* -- GP name: *CorpWuURL* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 – Update service is not allowed. -- 1 (default) – Update service is allowed. - - - - -
                  - - -**Update/AutoRestartDeadlinePeriodInDays** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2cross markcheck mark2
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1703. This policy defines the deadline in days after which a reboot for updates will become mandatory. - -Supported values are 2-30 days. - -The default value is 7 days. - - - -ADMX Info: -- GP English name: *Specify deadline before auto-restart for update installation* -- GP name: *AutoRestartDeadline* -- GP element: *AutoRestartDeadline* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
                  - - -**Update/AutoRestartNotificationSchedule** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. - -The default value is 15 (minutes). - - - -ADMX Info: -- GP English name: *Configure auto-restart reminder notifications for updates* -- GP name: *AutoRestartNotificationConfig* -- GP element: *AutoRestartNotificationSchd* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supported values are 15, 30, 60, 120, and 240 (minutes). - - - - -
                  - - -**Update/AutoRestartRequiredNotificationDismissal** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed. - - - -ADMX Info: -- GP English name: *Configure auto-restart required notification for updates* -- GP name: *AutoRestartRequiredNotificationDismissal* -- GP element: *AutoRestartRequiredNotificationDismissal* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 1 (default) – Auto Dismissal. -- 2 – User Dismissal. - - - - -
                  - - -**Update/BranchReadinessLevel** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1cross markcheck mark1
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. - - - -ADMX Info: -- GP English name: *Select when Preview Builds and Feature Updates are received* -- GP name: *DeferFeatureUpdates* -- GP element: *BranchReadinessLevelId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 2 {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709) -- 4 {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709) -- 8 {0x8} - Release Windows Insider build (added in Windows 10, version 1709) -- 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). -- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. - - - - -
                  - - -**Update/ConfigureFeatureUpdateUninstallPeriod** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark4check mark4check mark4check mark4cross markcross mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1803. Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days. - - - - -
                  - - -**Update/DeferFeatureUpdatesPeriodInDays** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1cross markcross mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. - -Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. - -Supported values are 0-365 days. - -> [!IMPORTANT] -> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. - - - -ADMX Info: -- GP English name: *Select when Preview Builds and Feature Updates are received* -- GP name: *DeferFeatureUpdates* -- GP element: *DeferFeatureUpdatesPeriodId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
                  - - -**Update/DeferQualityUpdatesPeriodInDays** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1cross markcheck mark1
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. - -Supported values are 0-30. - - - -ADMX Info: -- GP English name: *Select when Quality Updates are received* -- GP name: *DeferQualityUpdates* -- GP element: *DeferQualityUpdatesPeriodId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
                  - - -**Update/DeferUpdatePeriod** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcross markcheck mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -> [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. - - -Allows IT Admins to specify update delays for up to 4 weeks. - -Supported values are 0-4, which refers to the number of weeks to defer updates. - -In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following: - -- Update/RequireDeferUpgrade must be set to 1 -- System/AllowTelemetry must be set to 1 or higher - -If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - -If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - -OS upgrade: -- Maximum deferral: 8 months -- Deferral increment: 1 month -- Update type/notes: - - Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 - -Update: -- Maximum deferral: 1 month -- Deferral increment: 1 week -- Update type/notes: - If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. 
- - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 - - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 - - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F - - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 - - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB - - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F - - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 - - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 - -Other/cannot defer: -- Maximum deferral: No deferral -- Deferral increment: No deferral -- Update type/notes: - Any update category not specifically enumerated above falls into this category. - - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B - - - - - -ADMX Info: -- GP name: *DeferUpgrade* -- GP element: *DeferUpdatePeriodId* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
                  - - -**Update/DeferUpgradePeriod** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcross markcross mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -> [!NOTE] -> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. -> -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. - - -Allows IT Admins to specify additional upgrade delays for up to 8 months. - -Supported values are 0-8, which refers to the number of months to defer upgrades. - -If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - -If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - - - -ADMX Info: -- GP name: *DeferUpgrade* -- GP element: *DeferUpgradePeriodId* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
                  - - -**Update/DetectionFrequency** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. - - - -ADMX Info: -- GP English name: *Automatic Updates detection frequency* -- GP name: *DetectionFrequency_Title* -- GP element: *DetectionFrequency_Hour2* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
                  - - -**Update/DisableDualScan** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3cross markcross mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1709, but was added to 1607 and 1703 service releases. Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like. - -For more information about dual scan, see [Demystifying "Dual Scan"](https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/) and [Improving Dual Scan on 1607](https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/). - -This is the same as the Group Policy in Windows Components > Window Update "Do not allow update deferral policies to cause scans against Windows Update." - -Value type is integer. Supported operations are Add, Get, Replace, and Delete. - - - -ADMX Info: -- GP English name: *Do not allow update deferral policies to cause scans against Windows Update* -- GP name: *DisableDualScan* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 - allow scan against Windows Update -- 1 - do not allow update deferral policies to cause scans against Windows Update - - - - -
                  - - -**Update/EngagedRestartDeadline** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling). - -Supported values are 2-30 days. - -The default value is 0 days (not specified). - - - -ADMX Info: -- GP English name: *Specify Engaged restart transition and notification schedule for updates* -- GP name: *EngagedRestartTransitionSchedule* -- GP element: *EngagedRestartDeadline* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
                  - - -**Update/EngagedRestartSnoozeSchedule** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications. - -Supported values are 1-3 days. - -The default value is 3 days. - - - -ADMX Info: -- GP English name: *Specify Engaged restart transition and notification schedule for updates* -- GP name: *EngagedRestartTransitionSchedule* -- GP element: *EngagedRestartSnoozeSchedule* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
                  - - -**Update/EngagedRestartTransitionSchedule** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. - -Supported values are 2-30 days. - -The default value is 7 days. - - - -ADMX Info: -- GP English name: *Specify Engaged restart transition and notification schedule for updates* -- GP name: *EngagedRestartTransitionSchedule* -- GP element: *EngagedRestartTransitionSchedule* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
                  - - -**Update/ExcludeWUDriversInQualityUpdate** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1cross markcross mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -> [!NOTE] -> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. - -Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. - - - -ADMX Info: -- GP English name: *Do not include drivers with Windows Updates* -- GP name: *ExcludeWUDriversInQualityUpdate* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) – Allow Windows Update drivers. -- 1 – Exclude Windows Update drivers. - - - - -
                  - - -**Update/FillEmptyContentUrls** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2cross markcheck mark2check mark2cross markcross mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). - -> [!NOTE] -> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server. - - - -ADMX Info: -- GP English name: *Specify intranet Microsoft update service location* -- GP name: *CorpWuURL* -- GP element: *CorpWUFillEmptyContentUrls* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) – Disabled. -- 1 – Enabled. - - - - -
                  - - -**Update/IgnoreMOAppDownloadLimit** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. - -> [!WARNING] -> Setting this policy might cause devices to incur costs from MO operators. - - - -The following list shows the supported values: - -- 0 (default) – Do not ignore MO download limit for apps and their updates. -- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates. - - - -To validate this policy: - -1. Enable the policy ensure the device is on a cellular network. -2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: - - `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f` - - - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""` - -3. Verify that any downloads that are above the download size limit will complete without being paused. - - - - -
                  - - -**Update/IgnoreMOUpdateDownloadLimit** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. - -> [!WARNING] -> Setting this policy might cause devices to incur costs from MO operators. - - - - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""` - -3. Verify that any downloads that are above the download size limit will complete without being paused. - - - -The following list shows the supported values: - -- 0 (default) – Do not ignore MO download limit for OS updates. -- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates. - - - -To validate this policy: - -1. Enable the policy and ensure the device is on a cellular network. -2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell: - - - - -
                  - - -**Update/ManagePreviewBuilds** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3cross markcheck mark2
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1709. Used to manage Windows 10 Insider Preview builds. Value type is integer. - - - -ADMX Info: -- GP English name: *Manage preview builds* -- GP name: *ManagePreviewBuilds* -- GP element: *ManagePreviewBuildsId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 - Disable Preview builds -- 1 - Disable Preview builds once the next release is public -- 2 - Enable Preview builds - - - - -
                  - - -**Update/PauseDeferrals** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcross markcheck mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -> [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. - - -Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. - - -If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - -If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - - - -ADMX Info: -- GP name: *DeferUpgrade* -- GP element: *PauseDeferralsId* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) – Deferrals are not paused. -- 1 – Deferrals are paused. - - - - -
                  - - -**Update/PauseFeatureUpdates** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1cross markcross mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. - - -Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. - - - -ADMX Info: -- GP English name: *Select when Preview Builds and Feature Updates are received* -- GP name: *DeferFeatureUpdates* -- GP element: *PauseFeatureUpdatesId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) – Feature Updates are not paused. -- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. - - - - -
                  - - -**Update/PauseFeatureUpdatesStartTime** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2cross markcheck mark2
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates. - -Value type is string. Supported operations are Add, Get, Delete, and Replace. - - - -ADMX Info: -- GP English name: *Select when Preview Builds and Feature Updates are received* -- GP name: *DeferFeatureUpdates* -- GP element: *PauseFeatureUpdatesStartId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
                  - - -**Update/PauseQualityUpdates** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1cross markcheck mark1
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. - - - -ADMX Info: -- GP English name: *Select when Quality Updates are received* -- GP name: *DeferQualityUpdates* -- GP element: *PauseQualityUpdatesId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) – Quality Updates are not paused. -- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. - - - - -
                  - - -**Update/PauseQualityUpdatesStartTime** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2cross markcheck mark2
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates. - -Value type is string. Supported operations are Add, Get, Delete, and Replace. - - - -ADMX Info: -- GP English name: *Select when Quality Updates are received* -- GP name: *DeferQualityUpdates* -- GP element: *PauseQualityUpdatesStartId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
                  - - -**Update/PhoneUpdateRestrictions** - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupdateapproval) instead. - - - - -
                  - - -**Update/RequireDeferUpgrade** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcross markcheck mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -> [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. - - -Allows the IT admin to set a device to Semi-Annual Channel train. - - - -ADMX Info: -- GP name: *DeferUpgrade* -- GP element: *DeferUpgradePeriodId* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) – User gets upgrades from Semi-Annual Channel (Targeted). -- 1 – User gets upgrades from Semi-Annual Channel. - - - - -
                  - - -**Update/RequireUpdateApproval** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcross markcheck mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -> [!NOTE] -> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. - - -Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. - -Supported operations are Get and Replace. - - - -The following list shows the supported values: - -- 0 – Not configured. The device installs all applicable updates. -- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. - - - - -
                  - - -**Update/ScheduleImminentRestartWarning** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. - -The default value is 15 (minutes). - - - -ADMX Info: -- GP English name: *Configure auto-restart warning notifications schedule for updates* -- GP name: *RestartWarnRemind* -- GP element: *RestartWarn* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supported values are 15, 30, or 60 (minutes). - - - - -
                  - - -**Update/ScheduleRestartWarning** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications. - -The default value is 4 (hours). - - - -ADMX Info: -- GP English name: *Configure auto-restart warning notifications schedule for updates* -- GP name: *RestartWarnRemind* -- GP element: *RestartWarnRemind* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supported values are 2, 4, 8, 12, or 24 (hours). - - - - -
                  - - -**Update/ScheduledInstallDay** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcross markcheck mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Enables the IT admin to schedule the day of the update installation. - -The data type is a integer. - -Supported operations are Add, Delete, Get, and Replace. - - - -ADMX Info: -- GP English name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *AutoUpdateSchDay* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) – Every day -- 1 – Sunday -- 2 – Monday -- 3 – Tuesday -- 4 – Wednesday -- 5 – Thursday -- 6 – Friday -- 7 – Saturday - - - - -
                  - - -**Update/ScheduledInstallEveryWeek** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values: -
                    -
                  • 0 - no update in the schedule
                  • -
                  • 1 - update is scheduled every week
                  • -
                  - - - -ADMX Info: -- GP English name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *AutoUpdateSchEveryWeek* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
                  - - -**Update/ScheduledInstallFirstWeek** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values: -
                    -
                  • 0 - no update in the schedule
                  • -
                  • 1 - update is scheduled every first week of the month
                  • -
                  - - - -ADMX Info: -- GP English name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *AutoUpdateSchFirstWeek* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
                  - - -**Update/ScheduledInstallFourthWeek** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values: -
                    -
                  • 0 - no update in the schedule
                  • -
                  • 1 - update is scheduled every fourth week of the month
                  • -
                  - - - -ADMX Info: -- GP English name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *ScheduledInstallFourthWeek* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
                  - - -**Update/ScheduledInstallSecondWeek** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values: -
                    -
                  • 0 - no update in the schedule
                  • -
                  • 1 - update is scheduled every second week of the month
                  • -
                  - - - -ADMX Info: -- GP English name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *ScheduledInstallSecondWeek* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
                  - - -**Update/ScheduledInstallThirdWeek** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values: -
                    -
                  • 0 - no update in the schedule
                  • -
                  • 1 - update is scheduled every third week of the month
                  • -
                  - - - -ADMX Info: -- GP English name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *ScheduledInstallThirdWeek* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
                  - - -**Update/ScheduledInstallTime** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcross markcheck mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -Enables the IT admin to schedule the time of the update installation. - -The data type is a integer. - -Supported operations are Add, Delete, Get, and Replace. - -Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. - -The default value is 3. - - - -ADMX Info: -- GP English name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *AutoUpdateSchTime* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
                  - - -**Update/SetAutoRestartNotificationDisable** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2cross markcheck mark2
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations. - - - -ADMX Info: -- GP English name: *Turn off auto-restart notifications for update installations* -- GP name: *AutoRestartNotificationDisable* -- GP element: *AutoRestartNotificationSchd* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) – Enabled -- 1 – Disabled - - - - -
                  - - -**Update/SetEDURestart** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime. - - - -ADMX Info: -- GP English name: *Update Power Policy for Cart Restarts* -- GP name: *SetEDURestart* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 - not configured -- 1 - configured - - - - -
                  - - -**Update/UpdateServiceUrl** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcross markcheck mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -> [!Important] -> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile. - -Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet. - -Supported operations are Get and Replace. - - - -ADMX Info: -- GP English name: *Specify intranet Microsoft update service location* -- GP name: *CorpWuURL* -- GP element: *CorpWUURL_Name* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- Not configured. The device checks for updates from Microsoft Update. -- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL. - - - -Example - -``` syntax - - $CmdID$ - - - chr - text/plain - - - ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl - - http://abcd-srv:8530 - - -``` - - - - -
                  - - -**Update/UpdateServiceUrlAlternate** - - - - - - - - - - - - - - - - - - - - - -
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1cross markcross mark
                  - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
                  - - - -Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. - -This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. - -To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. - -Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. - -> [!Note] -> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. -> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates. -> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. - - - -ADMX Info: -- GP English name: *Specify intranet Microsoft update service location* -- GP name: *CorpWuURL* -- GP element: *CorpWUContentHost_Name* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -
                  - -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. - - - - -## Update policies supported by Windows Holographic for Business - -- [Update/AllowAutoUpdate](#update-allowautoupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) -- [Update/RequireUpdateApproval](#update-requireupdateapproval) -- [Update/UpdateServiceUrl](#update-updateserviceurl) - - - -## Update policies supported by IoT Core - -- [Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/PauseDeferrals](#update-pausedeferrals) -- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) -- [Update/RequireUpdateApproval](#update-requireupdateapproval) -- [Update/ScheduledInstallDay](#update-scheduledinstallday) -- [Update/ScheduledInstallTime](#update-scheduledinstalltime) -- [Update/UpdateServiceUrl](#update-updateserviceurl) - - - -## Update policies supported by Microsoft Surface Hub - -- [Update/AllowAutoUpdate](#update-allowautoupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule) -- [Update/AutoRestartRequiredNotificationDismissal](#update-autorestartrequirednotificationdismissal) -- [Update/BranchReadinessLevel](#update-branchreadinesslevel) -- [Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays) -- [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays) -- [Update/DetectionFrequency](#update-detectionfrequency) -- [Update/PauseFeatureUpdates](#update-pausefeatureupdates) -- [Update/PauseQualityUpdates](#update-pausequalityupdates) -- [Update/ScheduleImminentRestartWarning](#update-scheduleimminentrestartwarning) -- 
[Update/ScheduleRestartWarning](#update-schedulerestartwarning) -- [Update/SetAutoRestartNotificationDisable](#update-setautorestartnotificationdisable) -- [Update/UpdateServiceUrl](#update-updateserviceurl) -- [Update/UpdateServiceUrlAlternate](#update-updateserviceurlalternate) - - +--- +title: Policy CSP - Update +description: Policy CSP - Update +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 08/08/2018 +--- + +# Policy CSP - Update + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
                  + + +## Update policies + +
                  +
                  + Update/ActiveHoursEnd +
                  +
                  + Update/ActiveHoursMaxRange +
                  +
                  + Update/ActiveHoursStart +
                  +
                  + Update/AllowAutoUpdate +
                  +
                  + Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork +
                  +
                  + Update/AllowMUUpdateService +
                  +
                  + Update/AllowNonMicrosoftSignedUpdate +
                  +
                  + Update/AllowUpdateService +
                  +
                  + Update/AutoRestartDeadlinePeriodInDays +
                  +
                  + Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates +
                  +
                  + Update/AutoRestartNotificationSchedule +
                  +
                  + Update/AutoRestartRequiredNotificationDismissal +
                  +
                  + Update/BranchReadinessLevel +
                  +
                  + Update/ConfigureFeatureUpdateUninstallPeriod +
                  +
                  + Update/DeferFeatureUpdatesPeriodInDays +
                  +
                  + Update/DeferQualityUpdatesPeriodInDays +
                  +
                  + Update/DeferUpdatePeriod +
                  +
                  + Update/DeferUpgradePeriod +
                  +
                  + Update/DetectionFrequency +
                  +
                  + Update/DisableDualScan +
                  +
                  + Update/EngagedRestartDeadline +
                  +
                  + Update/EngagedRestartDeadlineForFeatureUpdates +
                  +
                  + Update/EngagedRestartSnoozeSchedule +
                  +
                  + Update/EngagedRestartSnoozeScheduleForFeatureUpdates +
                  +
                  + Update/EngagedRestartTransitionSchedule +
                  +
                  + Update/EngagedRestartTransitionScheduleForFeatureUpdates +
                  +
                  + Update/ExcludeWUDriversInQualityUpdate +
                  +
                  + Update/FillEmptyContentUrls +
                  +
                  + Update/IgnoreMOAppDownloadLimit +
                  +
                  + Update/IgnoreMOUpdateDownloadLimit +
                  +
                  + Update/ManagePreviewBuilds +
                  +
                  + Update/PauseDeferrals +
                  +
                  + Update/PauseFeatureUpdates +
                  +
                  + Update/PauseFeatureUpdatesStartTime +
                  +
                  + Update/PauseQualityUpdates +
                  +
                  + Update/PauseQualityUpdatesStartTime +
                  +
                  + Update/PhoneUpdateRestrictions +
                  +
                  + Update/RequireDeferUpgrade +
                  +
                  + Update/RequireUpdateApproval +
                  +
                  + Update/ScheduleImminentRestartWarning +
                  +
                  + Update/ScheduleRestartWarning +
                  +
                  + Update/ScheduledInstallDay +
                  +
                  + Update/ScheduledInstallEveryWeek +
                  +
                  + Update/ScheduledInstallFirstWeek +
                  +
                  + Update/ScheduledInstallFourthWeek +
                  +
                  + Update/ScheduledInstallSecondWeek +
                  +
                  + Update/ScheduledInstallThirdWeek +
                  +
                  + Update/ScheduledInstallTime +
                  +
                  + Update/SetAutoRestartNotificationDisable +
                  +
                  + Update/SetDisablePauseUXAccess +
                  +
                  + Update/SetDisableUXWUAccess +
                  +
                  + Update/SetEDURestart +
                  +
                  + Update/UpdateNotificationLevel +
                  +
                  + Update/UpdateServiceUrl +
                  +
                  + Update/UpdateServiceUrlAlternate +
                  +
                  + + +
                  + + +**Update/ActiveHoursEnd** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1check mark1cross markcheck mark1
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
+
+> [!NOTE]
+> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
+
+Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
+
+The default is 17 (5 PM).
+
+
+
+ADMX Info:
+- GP English name: *Turn off auto-restart for updates during active hours*
+- GP name: *ActiveHours*
+- GP element: *ActiveHoursEndTime*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+
+
                  + + +**Update/ActiveHoursMaxRange** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
+
+Supported values are 8-18.
+
+The default value is 18 (hours).
+
+
+
+ADMX Info:
+- GP English name: *Specify active hours range for auto-restarts*
+- GP name: *ActiveHoursMaxRange*
+- GP element: *ActiveHoursMaxRange*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+
+
                  + + +**Update/ActiveHoursStart** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1check mark1cross markcheck mark1
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
+
+> [!NOTE]
+> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
+
+Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
+
+The default value is 8 (8 AM).
+
+
+
+ADMX Info:
+- GP English name: *Turn off auto-restart for updates during active hours*
+- GP name: *ActiveHours*
+- GP element: *ActiveHoursStartTime*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+
+
                  + + +**Update/AllowAutoUpdate** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcheck mark
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
                  + + + +Enables the IT admin to manage automatic update behavior to scan, download, and install updates. + +Supported operations are Get and Replace. + + +> [!IMPORTANT] +> This option should be used only for systems under regulatory compliance, as you will not get security updates as well. +  + +If the policy is not configured, end-users get the default behavior (Auto install and restart). + + + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AutoUpdateMode* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. +- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. +- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. 
If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. +- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. +- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. +- 5 – Turn off automatic updates. + + + + +
                  + + +**Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1709. Option to download updates automatically over metered connections (off by default). Value type is integer.
+
+A significant number of devices primarily use cellular data and do not have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates.
+
+This policy is accessible through the Update setting in the user interface or Group Policy.
+
+
+
+ADMX Info:
+- GP English name: *Allow updates to be downloaded automatically over metered connections*
+- GP name: *AllowAutoWindowsUpdateDownloadOverMeteredNetwork*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
+
+- 0 (default) - Not allowed
+- 1 - Allowed
+
+
+
+
+
                  + + +**Update/AllowMUUpdateService** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1check mark1cross markcross mark
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
+
+
+
+ADMX Info:
+- GP English name: *Configure Automatic Updates*
+- GP name: *AutoUpdateCfg*
+- GP element: *AllowMUUpdateServiceId*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
+
+- 0 – Not allowed or not configured.
+- 1 – Allowed. Accepts updates received through Microsoft Update.
+
+
+
+
+
                  + + +**Update/AllowNonMicrosoftSignedUpdate** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcheck mark
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution.
+
+Supported operations are Get and Replace.
+
+This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
+
+
+
+The following list shows the supported values:
+
+- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
+- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
+
+
+
+
+
                  + + +**Update/AllowUpdateService** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcheck mark
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store.
+
+Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store
+
+Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working.
+
+> [!NOTE]
+> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
+
+
+
+ADMX Info:
+- GP English name: *Specify intranet Microsoft update service location*
+- GP name: *CorpWuURL*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
+
+- 0 – Update service is not allowed.
+- 1 (default) – Update service is allowed.
+
+
+
+
+
                  + + +**Update/AutoRestartDeadlinePeriodInDays** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+For Quality Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled.
+
+Value type is integer. Default is 7 days.
+
+Supported values range: 2-30.
+
+Note that the PC must restart for certain updates to take effect.
+
+If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled.
+
+If you disable or do not configure this policy, the PC will restart according to the default schedule.
+
+If any of the following two policies are enabled, this policy has no effect:
+1. No auto-restart with logged on users for scheduled automatic updates installations.
+2. Always automatically restart at scheduled time.
+
+
+
+ADMX Info:
+- GP English name: *Specify deadline before auto-restart for update installation*
+- GP name: *AutoRestartDeadline*
+- GP element: *AutoRestartDeadline*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+
+
                  + + +**Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+For Feature Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled.
+
+Value type is integer. Default is 7 days.
+
+Supported values range: 2-30.
+
+Note that the PC must restart for certain updates to take effect.
+
+If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled.
+
+If you disable or do not configure this policy, the PC will restart according to the default schedule.
+
+If any of the following two policies are enabled, this policy has no effect:
+1. No auto-restart with logged on users for scheduled automatic updates installations.
+2. Always automatically restart at scheduled time.
+
+
+
+ADMX Info:
+- GP English name: *Specify deadline before auto-restart for update installation*
+- GP name: *AutoRestartDeadline*
+- GP element: *AutoRestartDeadlineForFeatureUpdates*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+
+
                  + + +**Update/AutoRestartNotificationSchedule** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
+
+The default value is 15 (minutes).
+
+
+
+ADMX Info:
+- GP English name: *Configure auto-restart reminder notifications for updates*
+- GP name: *AutoRestartNotificationConfig*
+- GP element: *AutoRestartNotificationSchd*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+Supported values are 15, 30, 60, 120, and 240 (minutes).
+
+
+
+
+
                  + + +**Update/AutoRestartRequiredNotificationDismissal** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed.
+
+
+
+ADMX Info:
+- GP English name: *Configure auto-restart required notification for updates*
+- GP name: *AutoRestartRequiredNotificationDismissal*
+- GP element: *AutoRestartRequiredNotificationDismissal*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
+
+- 1 (default) – Auto Dismissal.
+- 2 – User Dismissal.
+
+
+
+
+
                  + + +**Update/BranchReadinessLevel** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1check mark1cross markcheck mark1
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
+
+
+
+ADMX Info:
+- GP English name: *Select when Preview Builds and Feature Updates are received*
+- GP name: *DeferFeatureUpdates*
+- GP element: *BranchReadinessLevelId*
+- GP path: *Windows Components/Windows Update/Windows Update for Business*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
+
+- 2 {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709)
+- 4 {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709)
+- 8 {0x8} - Release Windows Insider build (added in Windows 10, version 1709)
+- 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted).
+- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel.
+
+
+
+
+
                  + + +**Update/ConfigureFeatureUpdateUninstallPeriod** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark4check mark4check mark4check mark4cross markcross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1803. Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days. + + + + +
                  + + +**Update/DeferFeatureUpdatesPeriodInDays** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1check mark1cross markcross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. + +Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. + +Supported values are 0-365 days. + +> [!IMPORTANT] +> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. + + + +ADMX Info: +- GP English name: *Select when Preview Builds and Feature Updates are received* +- GP name: *DeferFeatureUpdates* +- GP element: *DeferFeatureUpdatesPeriodId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/DeferQualityUpdatesPeriodInDays** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1check mark1cross markcheck mark1
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. + +Supported values are 0-30. + + + +ADMX Info: +- GP English name: *Select when Quality Updates are received* +- GP name: *DeferQualityUpdates* +- GP element: *DeferQualityUpdatesPeriodId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/DeferUpdatePeriod** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcheck mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +> [!NOTE] +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. + + +Allows IT Admins to specify update delays for up to 4 weeks. + +Supported values are 0-4, which refers to the number of weeks to defer updates. + +In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following: + +- Update/RequireDeferUpgrade must be set to 1 +- System/AllowTelemetry must be set to 1 or higher + +If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +OS upgrade: +- Maximum deferral: 8 months +- Deferral increment: 1 month +- Update type/notes: + - Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 + +Update: +- Maximum deferral: 1 month +- Deferral increment: 1 week +- Update type/notes: + If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. 
+ - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 + - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 + - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F + - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 + - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB + - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F + - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 + - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 + +Other/cannot defer: +- Maximum deferral: No deferral +- Deferral increment: No deferral +- Update type/notes: + Any update category not specifically enumerated above falls into this category. + - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B + + + + + +ADMX Info: +- GP name: *DeferUpgrade* +- GP element: *DeferUpdatePeriodId* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/DeferUpgradePeriod** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +> [!NOTE] +> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. +> +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. + + +Allows IT Admins to specify additional upgrade delays for up to 8 months. + +Supported values are 0-8, which refers to the number of months to defer upgrades. + +If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + + + +ADMX Info: +- GP name: *DeferUpgrade* +- GP element: *DeferUpgradePeriodId* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/DetectionFrequency** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. + + + +ADMX Info: +- GP English name: *Automatic Updates detection frequency* +- GP name: *DetectionFrequency_Title* +- GP element: *DetectionFrequency_Hour2* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/DisableDualScan** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3cross markcross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1709, but was added to 1607 and 1703 service releases. Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like. + +For more information about dual scan, see [Demystifying "Dual Scan"](https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/) and [Improving Dual Scan on 1607](https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/). + +This is the same as the Group Policy in Windows Components > Window Update "Do not allow update deferral policies to cause scans against Windows Update." + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + + +ADMX Info: +- GP English name: *Do not allow update deferral policies to cause scans against Windows Update* +- GP name: *DisableDualScan* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 - allow scan against Windows Update +- 1 - do not allow update deferral policies to cause scans against Windows Update + + + + +
                  + + +**Update/EngagedRestartDeadline** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. + +Value type is integer. Default is 14. + +Supported value range: 2 - 30. + +If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e.g. pending user scheduling). + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation + + + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartDeadline* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/EngagedRestartDeadlineForFeatureUpdates** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +For Feature Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. + +Value type is integer. Default is 14. + +Supported value range: 2 - 30. + +If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e.g. pending user scheduling). + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation + + + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartDeadlineForFeatureUpdates* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/EngagedRestartSnoozeSchedule** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +For Quality Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. + +Value type is integer. Default is 3 days. + +Supported value range: 1 - 3. + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation + + + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartSnoozeSchedule* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/EngagedRestartSnoozeScheduleForFeatureUpdates** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +For Feature Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. + +Value type is integer. Default is 3 days. + +Supported value range: 1 - 3. + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation + + + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartSnoozeScheduleForFeatureUpdates* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/EngagedRestartTransitionSchedule** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +For Quality Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. + +Value type is integer. + +Supported value range: 0 - 30. + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation + + + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartTransitionSchedule* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/EngagedRestartTransitionScheduleForFeatureUpdates** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. + +Value type is integer. + +Supported value range: 0 - 30. + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation + + + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartTransitionScheduleForFeatureUpdates* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/ExcludeWUDriversInQualityUpdate** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1check mark1cross markcross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +> [!NOTE] +> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. + +Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. + + + +ADMX Info: +- GP English name: *Do not include drivers with Windows Updates* +- GP name: *ExcludeWUDriversInQualityUpdate* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) – Allow Windows Update drivers. +- 1 – Exclude Windows Update drivers. + + + + +
                  + + +**Update/FillEmptyContentUrls** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). + +> [!NOTE] +> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server. + + + +ADMX Info: +- GP English name: *Specify intranet Microsoft update service location* +- GP name: *CorpWuURL* +- GP element: *CorpWUFillEmptyContentUrls* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) – Disabled. +- 1 – Enabled. + + + + +
                  + + +**Update/IgnoreMOAppDownloadLimit** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. + +> [!WARNING] +> Setting this policy might cause devices to incur costs from MO operators. + + + +The following list shows the supported values: + +- 0 (default) – Do not ignore MO download limit for apps and their updates. +- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates. + + + +To validate this policy: + +1. Enable the policy ensure the device is on a cellular network. +2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: + - `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f` + + - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""` + +3. Verify that any downloads that are above the download size limit will complete without being paused. + + + + +
                  + + +**Update/IgnoreMOUpdateDownloadLimit** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. + +> [!WARNING] +> Setting this policy might cause devices to incur costs from MO operators. + + + - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""` + +3. Verify that any downloads that are above the download size limit will complete without being paused. + + + +The following list shows the supported values: + +- 0 (default) – Do not ignore MO download limit for OS updates. +- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates. + + + +To validate this policy: + +1. Enable the policy and ensure the device is on a cellular network. +2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell: + + + + +
                  + + +**Update/ManagePreviewBuilds** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1709. Used to manage Windows 10 Insider Preview builds. Value type is integer. + + + +ADMX Info: +- GP English name: *Manage preview builds* +- GP name: *ManagePreviewBuilds* +- GP element: *ManagePreviewBuildsId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 - Disable Preview builds +- 1 - Disable Preview builds once the next release is public +- 2 - Enable Preview builds + + + + +
                  + + +**Update/PauseDeferrals** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcheck mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +> [!NOTE] +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. + + +Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. + + +If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + + + +ADMX Info: +- GP name: *DeferUpgrade* +- GP element: *PauseDeferralsId* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) – Deferrals are not paused. +- 1 – Deferrals are paused. + + + + +
                  + + +**Update/PauseFeatureUpdates** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1check mark1cross markcross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. + + +Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. + + + +ADMX Info: +- GP English name: *Select when Preview Builds and Feature Updates are received* +- GP name: *DeferFeatureUpdates* +- GP element: *PauseFeatureUpdatesId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) – Feature Updates are not paused. +- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. + + + + +
                  + + +**Update/PauseFeatureUpdatesStartTime** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates. + +Value type is string. Supported operations are Add, Get, Delete, and Replace. + + + +ADMX Info: +- GP English name: *Select when Preview Builds and Feature Updates are received* +- GP name: *DeferFeatureUpdates* +- GP element: *PauseFeatureUpdatesStartId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/PauseQualityUpdates** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1check mark1cross markcheck mark1
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. + + + +ADMX Info: +- GP English name: *Select when Quality Updates are received* +- GP name: *DeferQualityUpdates* +- GP element: *PauseQualityUpdatesId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) – Quality Updates are not paused. +- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. + + + + +
                  + + +**Update/PauseQualityUpdatesStartTime** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates. + +Value type is string. Supported operations are Add, Get, Delete, and Replace. + + + +ADMX Info: +- GP English name: *Select when Quality Updates are received* +- GP name: *DeferQualityUpdates* +- GP element: *PauseQualityUpdatesStartId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/PhoneUpdateRestrictions** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupdateapproval) instead. + + + + +
                  + + +**Update/RequireDeferUpgrade** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcheck mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +> [!NOTE] +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. + + +Allows the IT admin to set a device to Semi-Annual Channel train. + + + +ADMX Info: +- GP name: *DeferUpgrade* +- GP element: *DeferUpgradePeriodId* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) – User gets upgrades from Semi-Annual Channel (Targeted). +- 1 – User gets upgrades from Semi-Annual Channel. + + + + +
                  + + +**Update/RequireUpdateApproval** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcheck mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+
+
+
+> [!NOTE]
+> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
+
+
+Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.
+
+Supported operations are Get and Replace.
+
+
+
+The following list shows the supported values:
+
+- 0 – Not configured. The device installs all applicable updates.
+- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
+
+
+
+
+
                  + + +**Update/ScheduleImminentRestartWarning** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
+
+The default value is 15 (minutes).
+
+
+
+ADMX Info:
+- GP English name: *Configure auto-restart warning notifications schedule for updates*
+- GP name: *RestartWarnRemind*
+- GP element: *RestartWarn*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+Supported values are 15, 30, or 60 (minutes).
+
+
+
+
+
                  + + +**Update/ScheduleRestartWarning** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications.
+
+The default value is 4 (hours).
+
+
+
+ADMX Info:
+- GP English name: *Configure auto-restart warning notifications schedule for updates*
+- GP name: *RestartWarnRemind*
+- GP element: *RestartWarnRemind*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+Supported values are 2, 4, 8, 12, or 24 (hours).
+
+
+
+
+
                  + + +**Update/ScheduledInstallDay** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcheck mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+
+
+
+Enables the IT admin to schedule the day of the update installation.
+
+The data type is a integer.
+
+Supported operations are Add, Delete, Get, and Replace.
+
+
+
+ADMX Info:
+- GP English name: *Configure Automatic Updates*
+- GP name: *AutoUpdateCfg*
+- GP element: *AutoUpdateSchDay*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
+
+- 0 (default) – Every day
+- 1 – Sunday
+- 2 – Monday
+- 3 – Tuesday
+- 4 – Wednesday
+- 5 – Thursday
+- 6 – Friday
+- 7 – Saturday
+
+
+
+
+
                  + + +**Update/ScheduledInstallEveryWeek** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values: +
                    +
                  • 0 - no update in the schedule
                  • +
                  • 1 - update is scheduled every week
                  • +
                  + + + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AutoUpdateSchEveryWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/ScheduledInstallFirstWeek** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values: +
                    +
                  • 0 - no update in the schedule
                  • +
                  • 1 - update is scheduled every first week of the month
                  • +
                  + + + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AutoUpdateSchFirstWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/ScheduledInstallFourthWeek** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values: +
                    +
                  • 0 - no update in the schedule
                  • +
                  • 1 - update is scheduled every fourth week of the month
                  • +
                  + + + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *ScheduledInstallFourthWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/ScheduledInstallSecondWeek** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values: +
                    +
                  • 0 - no update in the schedule
                  • +
                  • 1 - update is scheduled every second week of the month
                  • +
                  + + + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *ScheduledInstallSecondWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/ScheduledInstallThirdWeek** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values: +
                    +
                  • 0 - no update in the schedule
                  • +
                  • 1 - update is scheduled every third week of the month
                  • +
                  + + + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *ScheduledInstallThirdWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/ScheduledInstallTime** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcheck mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+Enables the IT admin to schedule the time of the update installation.
+
+The data type is a integer.
+
+Supported operations are Add, Delete, Get, and Replace.
+
+Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
+
+The default value is 3.
+
+
+
+ADMX Info:
+- GP English name: *Configure Automatic Updates*
+- GP name: *AutoUpdateCfg*
+- GP element: *AutoUpdateSchTime*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+
+
                  + + +**Update/SetAutoRestartNotificationDisable** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations.
+
+
+
+ADMX Info:
+- GP English name: *Turn off auto-restart notifications for update installations*
+- GP name: *AutoRestartNotificationDisable*
+- GP element: *AutoRestartNotificationSchd*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
+
+- 0 (default) – Enabled
+- 1 – Disabled
+
+
+
+
+
                  + + +**Update/SetDisablePauseUXAccess** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+
+
+
+This policy allows the IT admin to disable the "Pause Updates" feature. When this policy is enabled, the user cannot access the "Pause updates" feature.
+
+Value type is integer. Default is 0. Supported values 0, 1.
+
+
+
+ADMX Info:
+- GP name: *SetDisablePauseUXAccess*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+
+
                  + + +**Update/SetDisableUXWUAccess** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+
+
+
+This policy allows the IT admin to remove access to scan Windows Update. When this policy is enabled, the user cannot access the Windows Update scan, download, and install features.
+
+Value type is integer. Default is 0. Supported values 0, 1.
+
+
+
+ADMX Info:
+- GP name: *SetDisableUXWUAccess*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+
+
                  + + +**Update/SetEDURestart** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+
+
+
+Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime.
+
+
+
+ADMX Info:
+- GP English name: *Update Power Policy for Cart Restarts*
+- GP name: *SetEDURestart*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
+
+- 0 - not configured
+- 1 - configured
+
+
+
+
+
                  + + +**Update/UpdateNotificationLevel** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Display options for update notifications. This policy allows you to define what Windows Update notifications users see. This policy doesn’t control how and when updates are downloaded and installed. + +Options: + +- 0 (default) – Use the default Windows Update notifications +- 1 – Turn off all notifications, excluding restart warnings +- 2 – Turn off all notifications, including restart warnings + +> [!Important] +> If you choose not to get update notifications and also define other Group policies so that devices aren’t automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk. + + + +ADMX Info: +- GP English name: *Display options for update notifications* +- GP name: *UpdateNotificationLevel* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + + + + + + + + + + +
                  + + +**Update/UpdateServiceUrl** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcheck mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +> [!Important] +> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile. + +Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. + +Supported operations are Get and Replace. + + + +ADMX Info: +- GP English name: *Specify intranet Microsoft update service location* +- GP name: *CorpWuURL* +- GP element: *CorpWUURL_Name* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- Not configured. The device checks for updates from Microsoft Update. +- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL. + + + +Example + +``` syntax + + $CmdID$ + + + chr + text/plain + + + ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl + + http://abcd-srv:8530 + + +``` + + + + +
                  + + +**Update/UpdateServiceUrlAlternate** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1check mark1cross markcross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+
+
+
+Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
+
+This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
+
+To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
+
+Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
+
+> [!Note]
+> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
+> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates.
+> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
+
+
+
+ADMX Info:
+- GP English name: *Specify intranet Microsoft update service location*
+- GP name: *CorpWuURL*
+- GP element: *CorpWUContentHost_Name*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+
                  + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. + + + + +## Update policies supported by IoT Core + +- [Update/UpdateNotificationLevel](#update-updatenotificationlevel) + + +--- +title: Policy CSP - Update +description: Policy CSP - Update +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 08/06/2018 +--- + +# Policy CSP - Update + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
                  + + +## Update policies + +
                  +
                  + Update/ActiveHoursEnd +
                  +
                  + Update/ActiveHoursMaxRange +
                  +
                  + Update/ActiveHoursStart +
                  +
                  + Update/AllowAutoUpdate +
                  +
                  + Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork +
                  +
                  + Update/AllowMUUpdateService +
                  +
                  + Update/AllowNonMicrosoftSignedUpdate +
                  +
                  + Update/AllowUpdateService +
                  +
                  + Update/AutoRestartDeadlinePeriodInDays +
                  +
                  + Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates +
                  +
                  + Update/AutoRestartNotificationSchedule +
                  +
                  + Update/AutoRestartRequiredNotificationDismissal +
                  +
                  + Update/BranchReadinessLevel +
                  +
                  + Update/ConfigureFeatureUpdateUninstallPeriod +
                  +
                  + Update/DeferFeatureUpdatesPeriodInDays +
                  +
                  + Update/DeferQualityUpdatesPeriodInDays +
                  +
                  + Update/DeferUpdatePeriod +
                  +
                  + Update/DeferUpgradePeriod +
                  +
                  + Update/DetectionFrequency +
                  +
                  + Update/DisableDualScan +
                  +
                  + Update/EngagedRestartDeadline +
                  +
                  + Update/EngagedRestartDeadlineForFeatureUpdates +
                  +
                  + Update/EngagedRestartSnoozeSchedule +
                  +
                  + Update/EngagedRestartSnoozeScheduleForFeatureUpdates +
                  +
                  + Update/EngagedRestartTransitionSchedule +
                  +
                  + Update/EngagedRestartTransitionScheduleForFeatureUpdates +
                  +
                  + Update/ExcludeWUDriversInQualityUpdate +
                  +
                  + Update/FillEmptyContentUrls +
                  +
                  + Update/IgnoreMOAppDownloadLimit +
                  +
                  + Update/IgnoreMOUpdateDownloadLimit +
                  +
                  + Update/ManagePreviewBuilds +
                  +
                  + Update/PauseDeferrals +
                  +
                  + Update/PauseFeatureUpdates +
                  +
                  + Update/PauseFeatureUpdatesStartTime +
                  +
                  + Update/PauseQualityUpdates +
                  +
                  + Update/PauseQualityUpdatesStartTime +
                  +
                  + Update/PhoneUpdateRestrictions +
                  +
                  + Update/RequireDeferUpgrade +
                  +
                  + Update/RequireUpdateApproval +
                  +
                  + Update/ScheduleImminentRestartWarning +
                  +
                  + Update/ScheduleRestartWarning +
                  +
                  + Update/ScheduledInstallDay +
                  +
                  + Update/ScheduledInstallEveryWeek +
                  +
                  + Update/ScheduledInstallFirstWeek +
                  +
                  + Update/ScheduledInstallFourthWeek +
                  +
                  + Update/ScheduledInstallSecondWeek +
                  +
                  + Update/ScheduledInstallThirdWeek +
                  +
                  + Update/ScheduledInstallTime +
                  +
                  + Update/SetAutoRestartNotificationDisable +
                  +
                  + Update/SetDisablePauseUXAccess +
                  +
                  + Update/SetDisableUXWUAccess +
                  +
                  + Update/SetEDURestart +
                  +
                  + Update/UpdateServiceUrl +
                  +
                  + Update/UpdateServiceUrlAlternate +
                  +
                  + + +
                  + + +**Update/ActiveHoursEnd** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1check mark1cross markcheck mark1
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+
+
+
+Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
+
+> [!NOTE]
+> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
+
+Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
+
+The default is 17 (5 PM).
+
+
+
+ADMX Info:
+- GP English name: *Turn off auto-restart for updates during active hours*
+- GP name: *ActiveHours*
+- GP element: *ActiveHoursEndTime*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+
+
                  + + +**Update/ActiveHoursMaxRange** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+
+
+
+Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
+
+Supported values are 8-18.
+
+The default value is 18 (hours).
+
+
+
+ADMX Info:
+- GP English name: *Specify active hours range for auto-restarts*
+- GP name: *ActiveHoursMaxRange*
+- GP element: *ActiveHoursMaxRange*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+
+
                  + + +**Update/ActiveHoursStart** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1check mark1cross markcheck mark1
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+
+
+
+Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
+
+> [!NOTE]
+> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
+
+Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
+
+The default value is 8 (8 AM).
+
+
+
+ADMX Info:
+- GP English name: *Turn off auto-restart for updates during active hours*
+- GP name: *ActiveHours*
+- GP element: *ActiveHoursStartTime*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+
+
                  + + +**Update/AllowAutoUpdate** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcheck mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Enables the IT admin to manage automatic update behavior to scan, download, and install updates. + +Supported operations are Get and Replace. + + +> [!IMPORTANT] +> This option should be used only for systems under regulatory compliance, as you will not get security updates as well. +  + +If the policy is not configured, end-users get the default behavior (Auto install and restart). + + + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AutoUpdateMode* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. +- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. +- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. 
If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. +- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. +- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. +- 5 – Turn off automatic updates. +- 6 - When AllowAutoUpdate is set to 6, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by other policies. (Added Windows 10, next major version). + + + +
                  + + +**Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3cross markcross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+
+
+
+Added in Windows 10, version 1709. Option to download updates automatically over metered connections (off by default). Value type is integer.
+
+A significant number of devices primarily use cellular data and do not have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates.
+
+This policy is accessible through the Update setting in the user interface or Group Policy.
+
+
+
+ADMX Info:
+- GP English name: *Allow updates to be downloaded automatically over metered connections*
+- GP name: *AllowAutoWindowsUpdateDownloadOverMeteredNetwork*
+- GP path: *Windows Components/Windows Update*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
+
+- 0 (default) - Not allowed
+- 1 - Allowed
+
+
+
+
+
                  + + +**Update/AllowMUUpdateService** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1check mark1cross markcross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. + + + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AllowMUUpdateServiceId* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 – Not allowed or not configured. +- 1 – Allowed. Accepts updates received through Microsoft Update. + + + + +
                  + + +**Update/AllowNonMicrosoftSignedUpdate** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcheck mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. + +Supported operations are Get and Replace. + +This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. + + + +The following list shows the supported values: + +- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. +- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. + + + + +
                  + + +**Update/AllowUpdateService** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcheck mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. + +Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store + +Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working. + +> [!NOTE] +> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. + + + +ADMX Info: +- GP English name: *Specify intranet Microsoft update service location* +- GP name: *CorpWuURL* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 – Update service is not allowed. +- 1 (default) – Update service is allowed. + + + + +
                  + + +**Update/AutoRestartDeadlinePeriodInDays** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +For Quality Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. + +Value type is integer. Default is 7 days. + +Supported values range: 2-30. + +Note that the PC must restart for certain updates to take effect. + +If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled. + +If you disable or do not configure this policy, the PC will restart according to the default schedule. + +If any of the following two policies are enabled, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations. +2. Always automatically restart at scheduled time. + + + +ADMX Info: +- GP English name: *Specify deadline before auto-restart for update installation* +- GP name: *AutoRestartDeadline* +- GP element: *AutoRestartDeadline* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +For Feature Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. + +Value type is integer. Default is 7 days. + +Supported values range: 2-30. + +Note that the PC must restart for certain updates to take effect. + +If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled. + +If you disable or do not configure this policy, the PC will restart according to the default schedule. + +If any of the following two policies are enabled, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations. +2. Always automatically restart at scheduled time. + + + +ADMX Info: +- GP English name: *Specify deadline before auto-restart for update installation* +- GP name: *AutoRestartDeadline* +- GP element: *AutoRestartDeadlineForFeatureUpdates* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + + + + + + + + + + +
                  + + +**Update/AutoRestartNotificationSchedule** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. + +The default value is 15 (minutes). + + + +ADMX Info: +- GP English name: *Configure auto-restart reminder notifications for updates* +- GP name: *AutoRestartNotificationConfig* +- GP element: *AutoRestartNotificationSchd* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Supported values are 15, 30, 60, 120, and 240 (minutes). + + + + +
                  + + +**Update/AutoRestartRequiredNotificationDismissal** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed. + + + +ADMX Info: +- GP English name: *Configure auto-restart required notification for updates* +- GP name: *AutoRestartRequiredNotificationDismissal* +- GP element: *AutoRestartRequiredNotificationDismissal* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 1 (default) – Auto Dismissal. +- 2 – User Dismissal. + + + + +
                  + + +**Update/BranchReadinessLevel** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1check mark1cross markcheck mark1
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. + + + +ADMX Info: +- GP English name: *Select when Preview Builds and Feature Updates are received* +- GP name: *DeferFeatureUpdates* +- GP element: *BranchReadinessLevelId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 2 {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709) +- 4 {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709) +- 8 {0x8} - Release Windows Insider build (added in Windows 10, version 1709) +- 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). +- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. + + + + +
                  + + +**Update/ConfigureFeatureUpdateUninstallPeriod** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark4check mark4check mark4check mark4cross markcross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1803. Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days. + + + + +
                  + + +**Update/DeferFeatureUpdatesPeriodInDays** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1check mark1cross markcross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. + +Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. + +Supported values are 0-365 days. + +> [!IMPORTANT] +> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. + + + +ADMX Info: +- GP English name: *Select when Preview Builds and Feature Updates are received* +- GP name: *DeferFeatureUpdates* +- GP element: *DeferFeatureUpdatesPeriodId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/DeferQualityUpdatesPeriodInDays** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1check mark1cross markcheck mark1
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. + +Supported values are 0-30. + + + +ADMX Info: +- GP English name: *Select when Quality Updates are received* +- GP name: *DeferQualityUpdates* +- GP element: *DeferQualityUpdatesPeriodId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/DeferUpdatePeriod** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcheck mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +> [!NOTE] +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. + + +Allows IT Admins to specify update delays for up to 4 weeks. + +Supported values are 0-4, which refers to the number of weeks to defer updates. + +In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following: + +- Update/RequireDeferUpgrade must be set to 1 +- System/AllowTelemetry must be set to 1 or higher + +If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +OS upgrade: +- Maximum deferral: 8 months +- Deferral increment: 1 month +- Update type/notes: + - Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 + +Update: +- Maximum deferral: 1 month +- Deferral increment: 1 week +- Update type/notes: + If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. 
+ - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 + - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 + - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F + - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 + - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB + - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F + - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 + - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 + +Other/cannot defer: +- Maximum deferral: No deferral +- Deferral increment: No deferral +- Update type/notes: + Any update category not specifically enumerated above falls into this category. + - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B + + + + + +ADMX Info: +- GP name: *DeferUpgrade* +- GP element: *DeferUpdatePeriodId* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/DeferUpgradePeriod** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +> [!NOTE] +> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. +> +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. + + +Allows IT Admins to specify additional upgrade delays for up to 8 months. + +Supported values are 0-8, which refers to the number of months to defer upgrades. + +If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + + + +ADMX Info: +- GP name: *DeferUpgrade* +- GP element: *DeferUpgradePeriodId* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/DetectionFrequency** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. + + + +ADMX Info: +- GP English name: *Automatic Updates detection frequency* +- GP name: *DetectionFrequency_Title* +- GP element: *DetectionFrequency_Hour2* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/DisableDualScan** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3cross markcross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1709, but was added to 1607 and 1703 service releases. Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like. + +For more information about dual scan, see [Demystifying "Dual Scan"](https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/) and [Improving Dual Scan on 1607](https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/). + +This is the same as the Group Policy in Windows Components > Window Update "Do not allow update deferral policies to cause scans against Windows Update." + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + + +ADMX Info: +- GP English name: *Do not allow update deferral policies to cause scans against Windows Update* +- GP name: *DisableDualScan* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 - allow scan against Windows Update +- 1 - do not allow update deferral policies to cause scans against Windows Update + + + + +
                  + + +**Update/EngagedRestartDeadline** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. + +Value type is integer. Default is 14. + +Supported value range: 2 - 30. + +If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e.g. pending user scheduling). + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation + + + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartDeadline* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/EngagedRestartDeadlineForFeatureUpdates** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +For Feature Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. + +Value type is integer. Default is 14. + +Supported value range: 2 - 30. + +If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e.g. pending user scheduling). + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation + + + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartDeadlineForFeatureUpdates* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + + + + + + + + + + +
                  + + +**Update/EngagedRestartSnoozeSchedule** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +For Quality Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. + +Value type is integer. Default is 3 days. + +Supported value range: 1 - 3. + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation + + + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartSnoozeSchedule* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/EngagedRestartSnoozeScheduleForFeatureUpdates** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +For Feature Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. + +Value type is integer. Default is 3 days. + +Supported value range: 1 - 3. + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation + + + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartSnoozeScheduleForFeatureUpdates* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + + + + + + + + + + +
                  + + +**Update/EngagedRestartTransitionSchedule** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +For Quality Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. + +Value type is integer. + +Supported value range: 0 - 30. + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation + + + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartTransitionSchedule* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/EngagedRestartTransitionScheduleForFeatureUpdates** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. + +Value type is integer. + +Supported value range: 0 - 30. + +If you disable or do not configure this policy, the default behaviors will be used. + +If any of the following policies are configured, this policy has no effect: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation + + + +ADMX Info: +- GP English name: *Specify Engaged restart transition and notification schedule for updates* +- GP name: *EngagedRestartTransitionSchedule* +- GP element: *EngagedRestartTransitionScheduleForFeatureUpdates* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + + + + + + + + + + +
                  + + +**Update/ExcludeWUDriversInQualityUpdate** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1check mark1cross markcross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +> [!NOTE] +> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. + +Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. + + + +ADMX Info: +- GP English name: *Do not include drivers with Windows Updates* +- GP name: *ExcludeWUDriversInQualityUpdate* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) – Allow Windows Update drivers. +- 1 – Exclude Windows Update drivers. + + + + +
                  + + +**Update/FillEmptyContentUrls** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). + +> [!NOTE] +> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server. + + + +ADMX Info: +- GP English name: *Specify intranet Microsoft update service location* +- GP name: *CorpWuURL* +- GP element: *CorpWUFillEmptyContentUrls* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) – Disabled. +- 1 – Enabled. + + + + +
                  + + +**Update/IgnoreMOAppDownloadLimit** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. + +> [!WARNING] +> Setting this policy might cause devices to incur costs from MO operators. + + + +The following list shows the supported values: + +- 0 (default) – Do not ignore MO download limit for apps and their updates. +- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates. + + + +To validate this policy: + +1. Enable the policy ensure the device is on a cellular network. +2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: + - `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f` + + - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""` + +3. Verify that any downloads that are above the download size limit will complete without being paused. + + + + +
                  + + +**Update/IgnoreMOUpdateDownloadLimit** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. + +> [!WARNING] +> Setting this policy might cause devices to incur costs from MO operators. + + + - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""` + +3. Verify that any downloads that are above the download size limit will complete without being paused. + + + +The following list shows the supported values: + +- 0 (default) – Do not ignore MO download limit for OS updates. +- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates. + + + +To validate this policy: + +1. Enable the policy and ensure the device is on a cellular network. +2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell: + + + + +
                  + + +**Update/ManagePreviewBuilds** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1709. Used to manage Windows 10 Insider Preview builds. Value type is integer. + + + +ADMX Info: +- GP English name: *Manage preview builds* +- GP name: *ManagePreviewBuilds* +- GP element: *ManagePreviewBuildsId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 - Disable Preview builds +- 1 - Disable Preview builds once the next release is public +- 2 - Enable Preview builds + + + + +
                  + + +**Update/PauseDeferrals** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcheck mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +> [!NOTE] +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. + + +Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. + + +If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + + + +ADMX Info: +- GP name: *DeferUpgrade* +- GP element: *PauseDeferralsId* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) – Deferrals are not paused. +- 1 – Deferrals are paused. + + + + +
                  + + +**Update/PauseFeatureUpdates** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1check mark1cross markcross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. + + +Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. + + + +ADMX Info: +- GP English name: *Select when Preview Builds and Feature Updates are received* +- GP name: *DeferFeatureUpdates* +- GP element: *PauseFeatureUpdatesId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) – Feature Updates are not paused. +- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. + + + + +
                  + + +**Update/PauseFeatureUpdatesStartTime** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates. + +Value type is string. Supported operations are Add, Get, Delete, and Replace. + + + +ADMX Info: +- GP English name: *Select when Preview Builds and Feature Updates are received* +- GP name: *DeferFeatureUpdates* +- GP element: *PauseFeatureUpdatesStartId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/PauseQualityUpdates** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1check mark1cross markcheck mark1
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. + + + +ADMX Info: +- GP English name: *Select when Quality Updates are received* +- GP name: *DeferQualityUpdates* +- GP element: *PauseQualityUpdatesId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) – Quality Updates are not paused. +- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. + + + + +
                  + + +**Update/PauseQualityUpdatesStartTime** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates. + +Value type is string. Supported operations are Add, Get, Delete, and Replace. + + + +ADMX Info: +- GP English name: *Select when Quality Updates are received* +- GP name: *DeferQualityUpdates* +- GP element: *PauseQualityUpdatesStartId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/PhoneUpdateRestrictions** + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupdateapproval) instead. + + + + +
                  + + +**Update/RequireDeferUpgrade** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcheck mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +> [!NOTE] +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. + + +Allows the IT admin to set a device to Semi-Annual Channel train. + + + +ADMX Info: +- GP name: *DeferUpgrade* +- GP element: *DeferUpgradePeriodId* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) – User gets upgrades from Semi-Annual Channel (Targeted). +- 1 – User gets upgrades from Semi-Annual Channel. + + + + +
                  + + +**Update/RequireUpdateApproval** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcheck mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +> [!NOTE] +> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. + + +Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. + +Supported operations are Get and Replace. + + + +The following list shows the supported values: + +- 0 – Not configured. The device installs all applicable updates. +- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. + + + + +
                  + + +**Update/ScheduleImminentRestartWarning** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. + +The default value is 15 (minutes). + + + +ADMX Info: +- GP English name: *Configure auto-restart warning notifications schedule for updates* +- GP name: *RestartWarnRemind* +- GP element: *RestartWarn* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Supported values are 15, 30, or 60 (minutes). + + + + +
                  + + +**Update/ScheduleRestartWarning** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications. + +The default value is 4 (hours). + + + +ADMX Info: +- GP English name: *Configure auto-restart warning notifications schedule for updates* +- GP name: *RestartWarnRemind* +- GP element: *RestartWarnRemind* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Supported values are 2, 4, 8, 12, or 24 (hours). + + + + +
                  + + +**Update/ScheduledInstallDay** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcheck mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Enables the IT admin to schedule the day of the update installation. + +The data type is a integer. + +Supported operations are Add, Delete, Get, and Replace. + + + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AutoUpdateSchDay* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) – Every day +- 1 – Sunday +- 2 – Monday +- 3 – Tuesday +- 4 – Wednesday +- 5 – Thursday +- 6 – Friday +- 7 – Saturday + + + + +
                  + + +**Update/ScheduledInstallEveryWeek** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values: +
                    +
                  • 0 - no update in the schedule
                  • +
                  • 1 - update is scheduled every week
                  • +
                  + + + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AutoUpdateSchEveryWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/ScheduledInstallFirstWeek** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values: +
                    +
                  • 0 - no update in the schedule
                  • +
                  • 1 - update is scheduled every first week of the month
                  • +
                  + + + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AutoUpdateSchFirstWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/ScheduledInstallFourthWeek** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values: +
                    +
                  • 0 - no update in the schedule
                  • +
                  • 1 - update is scheduled every fourth week of the month
                  • +
                  + + + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *ScheduledInstallFourthWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/ScheduledInstallSecondWeek** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values: +
                    +
                  • 0 - no update in the schedule
                  • +
                  • 1 - update is scheduled every second week of the month
                  • +
                  + + + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *ScheduledInstallSecondWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/ScheduledInstallThirdWeek** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values: +
                    +
                  • 0 - no update in the schedule
                  • +
                  • 1 - update is scheduled every third week of the month
                  • +
                  + + + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *ScheduledInstallThirdWeek* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/ScheduledInstallTime** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcheck mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +Enables the IT admin to schedule the time of the update installation. + +The data type is a integer. + +Supported operations are Add, Delete, Get, and Replace. + +Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. + +The default value is 3. + + + +ADMX Info: +- GP English name: *Configure Automatic Updates* +- GP name: *AutoUpdateCfg* +- GP element: *AutoUpdateSchTime* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + +
                  + + +**Update/SetAutoRestartNotificationDisable** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations. + + + +ADMX Info: +- GP English name: *Turn off auto-restart notifications for update installations* +- GP name: *AutoRestartNotificationDisable* +- GP element: *AutoRestartNotificationSchd* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) – Enabled +- 1 – Disabled + + + + +
                  + + +**Update/SetDisablePauseUXAccess** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy allows the IT admin to disable the "Pause Updates" feature. When this policy is enabled, the user cannot access the "Pause updates" feature. + +Value type is integer. Default is 0. Supported values 0, 1. + + + +ADMX Info: +- GP name: *SetDisablePauseUXAccess* +- GP ADMX file name: *WindowsUpdate.admx* + + + + + + + + + + + + + +
                  + + +**Update/SetDisableUXWUAccess** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy allows the IT admin to remove access to scan Windows Update. When this policy is enabled, the user cannot access the Windows Update scan, download, and install features. + +Value type is integer. Default is 0. Supported values 0, 1. + + + +ADMX Info: +- GP name: *SetDisableUXWUAccess* +- GP ADMX file name: *WindowsUpdate.admx* + + + + + + + + + + + + + +
                  + + +**Update/SetEDURestart** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime. + + + +ADMX Info: +- GP English name: *Update Power Policy for Cart Restarts* +- GP name: *SetEDURestart* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 - not configured +- 1 - configured + + + + +
                  + + +**Update/UpdateServiceUrl** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck markcheck markcheck markcheck markcross markcheck mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +> [!Important] +> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile. + +Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. + +Supported operations are Get and Replace. + + + +ADMX Info: +- GP English name: *Specify intranet Microsoft update service location* +- GP name: *CorpWuURL* +- GP element: *CorpWUURL_Name* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- Not configured. The device checks for updates from Microsoft Update. +- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL. + + + +Example + +``` syntax + + $CmdID$ + + + chr + text/plain + + + ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl + + http://abcd-srv:8530 + + +``` + + + + +
                  + + +**Update/UpdateServiceUrlAlternate** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark1check mark1check mark1check mark1cross markcross mark
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. + +This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. + +To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. + +Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. + +> [!Note] +> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. +> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates. +> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. + + + +ADMX Info: +- GP English name: *Specify intranet Microsoft update service location* +- GP name: *CorpWuURL* +- GP element: *CorpWUContentHost_Name* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + +
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+- 4 - Added in Windows 10, version 1803.
+- 5 - Added in the next major release of Windows 10.
+
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index 3584468818..00b49c54f7 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -5,15 +5,12 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 03/12/2018
 ---
 # Policy CSP - UserRights
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
                  diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 358dc3fc01..8d16e2c852 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 05/14/2018 --- # Policy CSP - Wifi @@ -73,7 +73,7 @@ This policy has been deprecated. cross mark check mark - + check mark check mark check mark check mark @@ -133,7 +133,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark @@ -193,7 +193,7 @@ The following list shows the supported values: cross mark check mark1 - + check mark1 check mark1 check mark1 check mark @@ -248,7 +248,7 @@ The following list shows the supported values: cross mark check mark1 - + check mark1 check mark1 check mark1 check mark @@ -350,7 +350,7 @@ The following list shows the supported values: cross mark check mark - + check mark check mark check mark check mark diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md index 4f33bd0bdf..8f02a364ba 100644 --- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md +++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md @@ -5,15 +5,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 04/16/2018 --- # Policy CSP - WindowsConnectionManager -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
index c94d1e9dd5..25ff1652b7 100644
--- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -5,8 +5,8 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
-ms.date: 03/12/2018
+author: MariciaAlforque
+ms.date: 08/09/2018
 ---
 # Policy CSP - WindowsDefenderSecurityCenter
@@ -30,6 +30,9 @@ ms.date: 03/12/2018
                  WindowsDefenderSecurityCenter/DisableAppBrowserUI
                  +
                  + WindowsDefenderSecurityCenter/DisableClearTpmButton
                  +
                  WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
                  @@ -48,6 +51,9 @@ ms.date: 03/12/2018
                  WindowsDefenderSecurityCenter/DisableNotifications
                  +
                  + WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
                  +
                  WindowsDefenderSecurityCenter/DisableVirusUI
                  @@ -72,6 +78,9 @@ ms.date: 03/12/2018
                  WindowsDefenderSecurityCenter/HideTPMTroubleshooting
                  +
                  + WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
                  +
                  WindowsDefenderSecurityCenter/Phone
                  @@ -98,7 +107,7 @@ ms.date: 03/12/2018 Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -152,7 +161,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark4 check mark4 check mark4 check mark4 @@ -210,7 +219,7 @@ Valid values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -255,6 +264,80 @@ The following list shows the supported values:
                  + +**WindowsDefenderSecurityCenter/DisableClearTpmButton** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  check mark5check mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Disable the Clear TPM button in Windows Security. + +Enabled: +The Clear TPM button will be unavailable for use. + +Disabled: +The Clear TPM button will be available for use on supported systems. + +Not configured: +Same as Disabled. + +Supported values: + +- 0 - Disabled (default) +- 1 - Enabled + + + +ADMX Info: +- GP English name: *Disable the Clear TPM button* +- GP name: *DeviceSecurity_DisableClearTpmButton* +- GP path: *Windows Components/Windows Security/Device security* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + + + + + + + + + + + + +
                  + **WindowsDefenderSecurityCenter/DisableDeviceSecurityUI** @@ -270,7 +353,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark4 check mark4 check mark4 check mark4 @@ -328,7 +411,7 @@ Valid values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -391,7 +474,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -451,7 +534,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -511,7 +594,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -571,7 +654,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -616,6 +699,80 @@ The following list shows the supported values:
                  + +**WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  check mark5check mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +Hide the recommendation to update TPM Firmware when a vulnerable firmware is detected. + +Enabled: +Users will not be shown a recommendation to update their TPM Firmware. + +Disabled: +Users will see a recommendation to update their TPM Firmware if Windows Security detects the system contains a TPM with vulnerable firmware. + +Not configured: +Same as Disabled. + +Supported values: + +- 0 - Disabled (default) +- 1 - Enabled + + + +ADMX Info: +- GP English name: *Hide the TPM Firmware Update recommendation.* +- GP name: *DeviceSecurity_DisableTpmFirmwareUpdateWarning* +- GP path: *Windows Components/Windows Security/Device security* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + + + + + + + + + + + + +
                  + **WindowsDefenderSecurityCenter/DisableVirusUI** @@ -631,7 +788,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -691,7 +848,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -751,7 +908,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -805,7 +962,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -865,7 +1022,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -925,7 +1082,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark4 check mark4 check mark4 check mark4 @@ -983,7 +1140,7 @@ Valid values: Mobile Enterprise - cross mark + check mark4 check mark4 check mark4 check mark4 @@ -1041,7 +1198,7 @@ Valid values: Mobile Enterprise - cross mark + check mark4 check mark4 check mark4 check mark4 @@ -1084,6 +1241,82 @@ Valid values:
                  + +**WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl** + + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  check mark5check mark5check mark5check mark5check mark5
                  + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                  + + + +This policy setting hides the Windows Security notification area control. + +The user needs to either sign out and sign in or reboot the computer for this setting to take effect. + +Enabled: +Windows Security notification area control will be hidden. + +Disabled: +Windows Security notification area control will be shown. + +Not configured: +Same as Disabled. + +Supported values: + +- 0 - Disabled (default) +- 1 - Enabled + + + +ADMX Info: +- GP English name: *Hide Windows Security Systray* +- GP name: *Systray_HideSystray* +- GP path: *Windows Components/Windows Security/Systray* +- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + + + + + + + + + + + + +
                  + **WindowsDefenderSecurityCenter/Phone** @@ -1099,7 +1332,7 @@ Valid values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1153,7 +1386,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1197,6 +1430,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md index 27f04f2813..200331150b 100644 --- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md +++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 05/14/2018 --- # Policy CSP - WindowsInkWorkspace @@ -47,7 +47,7 @@ ms.date: 03/12/2018 cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -105,7 +105,7 @@ The following list shows the supported values: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 5029554ef7..07a7954820 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 04/16/2018 +author: MariciaAlforque +ms.date: 07/12/2018 --- # Policy CSP - WindowsLogon 
@@ -143,6 +143,31 @@ If you enable this policy setting, the PC's network connectivity state cannot be If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows. +Here is an example to enable this policy: + +``` syntax + + + + 300 + + 301 + + + ./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DontDisplayNetworkSelectionUI + + + chr + + ]]> + + + + + + +``` + > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). @@ -242,7 +267,7 @@ ADMX Info: cross mark check mark2 - + check mark2 check mark2 check mark2 cross mark diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md index dca0467136..9fc4dd7314 100644 --- a/windows/client-management/mdm/policy-csp-windowspowershell.md +++ b/windows/client-management/mdm/policy-csp-windowspowershell.md @@ -5,15 +5,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 04/16/2018 --- # Policy CSP - WindowsPowerShell -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
                  diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index cafb7be12e..96beff9c33 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -5,8 +5,8 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/12/2018 +author: MariciaAlforque +ms.date: 08/09/2018 --- # Policy CSP - WirelessDisplay @@ -265,7 +265,7 @@ The following list shows the supported values: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -363,6 +363,29 @@ The following list shows the supported values: **WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver** + + + + + + + + + + + + + + + + + + + + +
                  HomeProBusinessEnterpriseEducationMobileMobile Enterprise
                  cross markcheck mark2check mark2check mark2check mark2cross markcross mark
                  + + [Scope](./policy-configuration-service-provider.md#policy-scope): @@ -404,7 +427,7 @@ The following list shows the supported values: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index 89b18ee42a..d841e29aa4 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -6,13 +6,14 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 04/26/2018 +author: MariciaAlforque +ms.date: 08/09/2018 --- # Policy DDF file - +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **Policy** configuration service provider. DDF files are used only with OMA DM provisioning XML. @@ -25,7 +26,7 @@ You can download the DDF files from the links below: - [Download the Policy DDF file for Windows 10, version 1607 release 8C](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) - [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download) -The XML below is the DDF for Windows 10, version 1803. +The XML below is the DDF for Windows 10, next major version. ``` syntax @@ -51,7 +52,7 @@ The XML below is the DDF for Windows 10, version 1803. - com.microsoft/7.0/MDM/Policy + com.microsoft/8.0/MDM/Policy 
@@ -640,6 +641,34 @@ The XML below is the DDF for Windows 10, version 1803. + + AllowFullScreenMode + + + + + + + + With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. + +If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. + +If disabled, full-screen mode is unavailable for use in Microsoft Edge. + + + + + + + + + + + text/plain + + + AllowInPrivate @@ -673,7 +702,7 @@ The XML below is the DDF for Windows 10, version 1803. - This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. + This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. 
@@ -740,6 +769,86 @@ If you disable this setting, the Microsoft Compatibility List will not be used d + + AllowPrelaunch + + + + + + + + Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. + + + + + + + + + + + text/plain + + + + + AllowPrinting + + + + + + + + With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. + +If enabled, printing is allowed. + +If disabled, printing is not allowed. + + + + + + + + + + + text/plain + + + + + AllowSavingHistory + + + + + + + + Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. + +If enabled or not configured, the browsing history is saved and visible in the History pane. + +If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. + + + + + + + + + + + text/plain + + + AllowSearchEngineCustomization @@ -793,6 +902,30 @@ This policy will only apply on domain joined machines or when the device is MDM + + AllowSideloadingOfExtensions + + + + + + + + This setting lets you decide whether employees can sideload extensions in Microsoft Edge. + + + + + + + + + + + text/plain + + + AllowSmartScreen 
@@ -817,6 +950,60 @@ This policy will only apply on domain joined machines or when the device is MDM + + AllowTabPreloading + + + + + + + + Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. + + + + + + + + + + + text/plain + + + + + AllowWebContentOnNewTabPage + + + + + + + + This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. + +If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. + +If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. + +If you don't configure this setting, employees can choose how new tabs appears. + + + + + + + + + + + text/plain + + + AlwaysEnableBooksLibrary @@ -878,7 +1065,7 @@ This policy will only apply on domain joined machines or when the device is MDM If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. -If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. +If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. 
@@ -895,6 +1082,203 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + ConfigureFavoritesBar + + + + + + + + The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. + +If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. + +If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. + +If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. + + + + + + + + + + + text/plain + + + + + ConfigureHomeButton + + + + + + + + The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. + +By default, this policy is disabled or not configured and clicking the home button loads the default Start page. + +When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. + +If Enabled AND: +- Show home button & set to Start page is selected, clicking the home button loads the Start page. +- Show home button & set to New tab page is selected, clicking the home button loads a New tab page. 
+- Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. +- Hide home button is selected, the home button is hidden in Microsoft Edge. + +Default setting: Disabled or not configured +Related policies: +- Set Home Button URL +- Unlock Home Button + + + + + + + + + + + text/plain + + + + + ConfigureKioskMode + + + + + + + + Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. + +You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). + +If enabled and set to 0 (Default or not configured): +- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. +- If it’s one of many apps, Microsoft Edge runs as normal. +If enabled and set to 1: +- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. +- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. 
+ + + + + + + + + + + text/plain + + + + + ConfigureKioskResetAfterIdleTimeout + + + + + + + + You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. + +If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. + +If you set this policy to 0, Microsoft Edge does not use an idle timer. + +If disabled or not configured, the default value is 5 minutes. + +If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. + + + + + + + + + + + text/plain + + + + + ConfigureOpenMicrosoftEdgeWith + + + + + + + + You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. + +If enabled, you can choose one of the following options: +- Start page: the Start page loads ignoring the Configure Start Pages policy. +- New tab page: the New tab page loads ignoring the Configure Start Pages policy. +- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. +- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. + +When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. 
+ +If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. + +Default setting: A specific page or pages (default) +Related policies: +-Disable Lockdown of Start Pages +-Configure Start Pages + + + + + + + + + + + text/plain + + + + + ConfigureTelemetryForMicrosoft365Analytics + + + + + + + + Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. + + + + + + + + + + + text/plain + + + DisableLockdownOfStartPages @@ -904,12 +1288,14 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect. + You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. -Note: This policy has no effect when Browser/HomePages is not configured. +If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. -Important -This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). +Supported devices: Domain-joined or MDM-enrolled +Related policy: +- Configure Start Pages +- Configure Open Microsoft Edge With 
@@ -1029,12 +1415,24 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo - Configure the Start page URLs for your employees. -Example: -If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. -Encapsulate each string with greater than and less than characters like any other XML tag. + When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. -Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. +If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: + + <support.contoso.com><support.microsoft.com> + +If disabled or not configured, the webpages specified in App settings loads as the default Start pages. + +Version 1703 or later: +If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. + +Version 1809: +If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. + +Supported devices: Domain-joined or MDM-enrolled +Related policy: +- Configure Open Microsoft Edge With +- Disable Lockdown of Start Pages 
@@ -1060,12 +1458,12 @@ Version 1703 or later:  If you don't want to send traffic to Microsoft, you ca This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. +If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. +If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. 
@@ -1089,7 +1487,35 @@ If you disable or don't configure this setting (default), employees can add, imp - Prevent access to the about:flags page in Microsoft Edge. + Prevent access to the about:flags page in Microsoft Edge. + + + + + + + + + + + text/plain + + + + + PreventCertErrorOverrides + + + + + + + + Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. + +If enabled, overriding certificate errors are not allowed. + +If disabled or not configured, overriding certificate errors are allowed. @@ -1165,7 +1591,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Don't allow Windows Defender SmartScreen warning overrides + Don't allow Windows Defender SmartScreen warning overrides @@ -1189,7 +1615,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Don't allow Windows Defender SmartScreen warning overrides for unverified files. + Don't allow Windows Defender SmartScreen warning overrides for unverified files. @@ -1205,7 +1631,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - PreventTabPreloading + PreventTurningOffRequiredExtensions 
@@ -1213,9 +1639,26 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. + You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. + +When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. + +When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. + +If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. + +If disabled or not configured, extensions defined as part of this policy get ignored. 
+ +Default setting: Disabled or not configured +Related policies: Allow Developer Tools +Related Documents: +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) +- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) +- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) - + 
@@ -1263,12 +1706,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. -If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. +If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. -If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. +If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. 
@@ -1337,6 +1780,66 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + SetHomeButtonURL + + + + + + + + The home button can be configured to load a custom URL when your user clicks the home button. + +If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. + +Default setting: Blank or not configured +Related policy: Configure Home Button + + + + + + + + + + + text/plain + + + + + SetNewTabPageURL + + + + + + + + You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. + +If enabled, you can set the default New Tab page URL. + +If disabled or not configured, the default Microsoft Edge new tab page is used. + +Default setting: Disabled or not configured +Related policy: Allow web content on New Tab page + + + + + + + + + + + text/plain + + + ShowMessageWhenOpeningSitesInInternetExplorer 
@@ -1346,7 +1849,16 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Show message when opening sites in Internet Explorer + You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. + +If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. + +If disabled or not configured, the default app behavior occurs and no additional page displays. + +Default setting: Disabled or not configured +Related policies: +-Configure the Enterprise Mode Site List +-Send all intranet sites to Internet Explorer 11 @@ -1385,6 +1897,39 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + UnlockHomeButton + + + + + + + + By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. + +If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. + +If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. + +Default setting: Disabled or not configured +Related policy: +-Configure Home Button +-Set Home Button URL + + + + + + + + + + + text/plain + + + UseSharedFolderForBooks 
@@ -1578,7 +2123,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - This policy sets user's default printer + This policy sets user's default printer @@ -7882,7 +8427,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Enable/disable kiosk browser's end session button. + Enable/disable kiosk browser's end session button. @@ -7906,7 +8451,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Enable/disable kiosk browser's home button. + Enable/disable kiosk browser's home button. @@ -7930,7 +8475,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Enable/disable kiosk browser's navigation buttons (forward/back). + Enable/disable kiosk browser's navigation buttons (forward/back). @@ -8086,6 +8631,98 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + Privacy + + + + + + + + + + + + + + + + + + + + + DisablePrivacyExperience + + + + + + + + Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. + + + + + + + + + + + text/plain + + + + + + Security + + + + + + + + + + + + + + + + + + + + + RecoveryEnvironmentAuthentication + + + + + + + + This policy controls the requirement of Admin Authentication in RecoveryEnvironment. + + + + + + + + + + + text/plain + + + + Settings @@ -8131,6 +8768,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + PageVisibilityList + + + + + + + + + + + + + + + + + + + text/plain + + + Start 
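Review bot: The description added for RecoveryEnvironmentAuthentication in the new Security node, `This policy controls the requirement of Admin Authentication in RecoveryEnvironment.`, does not say which values the policy accepts or which of them requires authentication. An administrator reading the DDF alone cannot tell whether a given setting hardens or relaxes access to the recovery environment. The description should list every supported value with its effect, one entry per value in the form `<value>: <effect on administrator authentication in the recovery environment>` (placeholders; take the values from the policy's CSP reference). The PageVisibilityList node added in the next hunk on this line appears to carry no description text at all and would benefit from the same treatment.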
@@ -8177,6 +8838,78 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + ForceStartSize + + + + + + + + + + + + + + + + + + + text/plain + + + + + HideAppList + + + + + + + + Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. + + + + + + + + + + + text/plain + + + + + HideFrequentlyUsedApps + + + + + + + + Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. + + + + + + + + + + + text/plain + + + HidePeopleBar @@ -8201,6 +8934,54 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + HideRecentJumplists + + + + + + + + Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. + + + + + + + + + + + text/plain + + + + + HideRecentlyAddedApps + + + + + + + + Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. + + + + + + + + + + + text/plain + + + StartLayout @@ -8949,6 +9730,37 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on HighestValueMostSecure + + AllowFullScreenMode + + + + + 1 + With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. + +If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. + +If disabled, full-screen mode is unavailable for use in Microsoft Edge. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowFullScreenMode + LowestValueMostSecure + + AllowInPrivate 
@@ -8983,7 +9795,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on 1 - This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. + This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. 
@@ -9062,6 +9874,97 @@ If you disable this setting, the Microsoft Compatibility List will not be used d LowestValueMostSecure + + AllowPrelaunch + + + + + 1 + Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowPrelaunch + LowestValueMostSecure + + + + AllowPrinting + + + + + 1 + With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. + +If enabled, printing is allowed. + +If disabled, printing is not allowed. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowPrinting + LowestValueMostSecure + + + + AllowSavingHistory + + + + + 1 + Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. + +If enabled or not configured, the browsing history is saved and visible in the History pane. + +If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowSavingHistory + LowestValueMostSecure + + AllowSearchEngineCustomization 
@@ -9121,6 +10024,34 @@ This policy will only apply on domain joined machines or when the device is MDM LowestValueMostSecure + + AllowSideloadingOfExtensions + + + + + 1 + This setting lets you decide whether employees can sideload extensions in Microsoft Edge. + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowSideloadingOfExtensions + LowestValueMostSecure + + AllowSmartScreen @@ -9148,6 +10079,67 @@ This policy will only apply on domain joined machines or when the device is MDM LowestValueMostSecure + + AllowTabPreloading + + + + + 1 + Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowTabPreloading + LowestValueMostSecure + + + + AllowWebContentOnNewTabPage + + + + + 1 + This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. + +If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. + +If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. + +If you don't configure this setting, employees can choose how new tabs appears. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowWebContentOnNewTabPage + LowestValueMostSecure + + AlwaysEnableBooksLibrary 
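Review bot: The description added for AllowTabPreloading reads `Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed.`, which contradicts the node it sits on: an Allow policy with default 1 and LowestValueMostSecure. It is the same text as the PreventTabPreloading description this commit removes further down the page, so it looks carried over without being inverted. Read literally, an administrator would conclude that enabling the policy turns preloading off. Assuming the name reflects the intended semantics, the description should follow the AllowPrelaunch wording added in the preceding hunk, for example `Allow Microsoft Edge to start and load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed.`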
@@ -9214,7 +10206,7 @@ This policy will only apply on domain joined machines or when the device is MDM If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. -If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. +If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. 
@@ -9237,18 +10229,99 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - DisableLockdownOfStartPages + ConfigureFavoritesBar + + + + + + The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. + +If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. + +If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. + +If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfigureFavoritesBar + LowestValueMostSecure + + + + ConfigureHomeButton 0 - Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect. + The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. -Note: This policy has no effect when Browser/HomePages is not configured. 
+By default, this policy is disabled or not configured and clicking the home button loads the default Start page. -Important -This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). +When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. + +If Enabled AND: +- Show home button & set to Start page is selected, clicking the home button loads the Start page. +- Show home button & set to New tab page is selected, clicking the home button loads a New tab page. +- Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. +- Hide home button is selected, the home button is hidden in Microsoft Edge. + +Default setting: Disabled or not configured +Related policies: +- Set Home Button URL +- Unlock Home Button + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + ConfigureHomeButtonDropdown + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfigureHomeButton + LastWrite + + + + ConfigureKioskMode + + + + + 0 + Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. + +You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). 
+ +If enabled and set to 0 (Default or not configured): +- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. +- If it’s one of many apps, Microsoft Edge runs as normal. +If enabled and set to 1: +- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. +- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. 
@@ -9264,6 +10337,152 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo phone MicrosoftEdge.admx + ConfigureKioskMode_TextBox + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfigureKioskMode + LastWrite + + + + ConfigureKioskResetAfterIdleTimeout + + + + + 5 + You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. + +If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. + +If you set this policy to 0, Microsoft Edge does not use an idle timer. + +If disabled or not configured, the default value is 5 minutes. + +If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + ConfigureKioskResetAfterIdleTimeout_TextBox + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfigureKioskResetAfterIdleTimeout + LastWrite + + + + ConfigureOpenMicrosoftEdgeWith + + + + + 3 + You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. + +If enabled, you can choose one of the following options: +- Start page: the Start page loads ignoring the Configure Start Pages policy. +- New tab page: the New tab page loads ignoring the Configure Start Pages policy. +- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. +- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). 
If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. + +When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. + +If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. + +Default setting: A specific page or pages (default) +Related policies: +-Disable Lockdown of Start Pages +-Configure Start Pages + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + ConfigureOpenEdgeWithListBox + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfigureOpenEdgeWith + LastWrite + + + + ConfigureTelemetryForMicrosoft365Analytics + + + + + 0 + Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + ZonesListBox + MicrosoftEdge~AT~WindowsComponents~DataCollectionAndPreviewBuilds + ConfigureTelemetryForMicrosoft365Analytics + LowestValueMostSecure + + + + DisableLockdownOfStartPages + + + + + 0 + You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. + +If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. 
+ +Supported devices: Domain-joined or MDM-enrolled +Related policy: +- Configure Start Pages +- Configure Open Microsoft Edge With + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + DisableLockdownOfStartPagesListBox MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge DisableLockdownOfStartPages LowestValueMostSecure 
@@ -9379,12 +10598,24 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo - Configure the Start page URLs for your employees. -Example: -If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. -Encapsulate each string with greater than and less than characters like any other XML tag. + When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. -Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. +If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: + + <support.contoso.com><support.microsoft.com> + +If disabled or not configured, the webpages specified in App settings loads as the default Start pages. + +Version 1703 or later: +If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. + +Version 1809: +If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. + +Supported devices: Domain-joined or MDM-enrolled +Related policy: +- Configure Open Microsoft Edge With +- Disable Lockdown of Start Pages 
@@ -9414,12 +10645,12 @@ Version 1703 or later:  If you don't want to send traffic to Microsoft, you ca 0 This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. +If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. +If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. @@ -9446,7 +10677,7 @@ If you disable or don't configure this setting (default), employees can add, imp 0 - Prevent access to the about:flags page in Microsoft Edge. + Prevent access to the about:flags page in Microsoft Edge. 
@@ -9466,6 +10697,37 @@ If you disable or don't configure this setting (default), employees can add, imp HighestValueMostSecure + + PreventCertErrorOverrides + + + + + 0 + Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. + +If enabled, overriding certificate errors are not allowed. + +If disabled or not configured, overriding certificate errors are allowed. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + PreventCertErrorOverrides + HighestValueMostSecure + + PreventFirstRunPage @@ -9532,7 +10794,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on 0 - Don't allow Windows Defender SmartScreen warning overrides + Don't allow Windows Defender SmartScreen warning overrides @@ -9559,7 +10821,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on 0 - Don't allow Windows Defender SmartScreen warning overrides for unverified files. + Don't allow Windows Defender SmartScreen warning overrides for unverified files. 
@@ -9580,15 +10842,32 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - PreventTabPreloading + PreventTurningOffRequiredExtensions - 0 - Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. + + You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. + +When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. + +When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. + +If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. + +If disabled or not configured, extensions defined as part of this policy get ignored. 
+ +Default setting: Disabled or not configured +Related policies: Allow Developer Tools +Related Documents: +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) +- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) +- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) - + @@ -9599,12 +10878,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - phone MicrosoftEdge.admx + PreventTurningOffRequiredExtensions_Prompt MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventTabPreloading - HighestValueMostSecure + PreventTurningOffRequiredExtensions + LastWrite 
@@ -9643,12 +10922,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. -If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. +If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. -If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. +If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. 
@@ -9729,6 +11008,74 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LastWrite + + SetHomeButtonURL + + + + + + The home button can be configured to load a custom URL when your user clicks the home button. + +If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. + +Default setting: Blank or not configured +Related policy: Configure Home Button + + + + + + + + + + + text/plain + + phone + MicrosoftEdge.admx + SetHomeButtonURLPrompt + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + SetHomeButtonURL + LastWrite + + + + SetNewTabPageURL + + + + + + You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. + +If enabled, you can set the default New Tab page URL. + +If disabled or not configured, the default Microsoft Edge new tab page is used. + +Default setting: Disabled or not configured +Related policy: Allow web content on New Tab page + + + + + + + + + + + text/plain + + phone + MicrosoftEdge.admx + SetNewTabPageURLPrompt + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + SetNewTabPageURL + LastWrite + + ShowMessageWhenOpeningSitesInInternetExplorer 
@@ -9736,7 +11083,16 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on 0 - Show message when opening sites in Internet Explorer + You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. + +If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. + +If disabled or not configured, the default app behavior occurs and no additional page displays. + +Default setting: Disabled or not configured +Related policies: +-Configure the Enterprise Mode Site List +-Send all intranet sites to Internet Explorer 11 @@ -9749,7 +11105,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - + phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge 
@@ -9785,6 +11141,43 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LowestValueMostSecure + + UnlockHomeButton + + + + + 0 + By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. + +If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. + +If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. + +Default setting: Disabled or not configured +Related policy: +-Configure Home Button +-Set Home Button URL + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + UnlockHomeButton + LowestValueMostSecure + + UseSharedFolderForBooks @@ -9982,7 +11375,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - This policy sets user's default printer + This policy sets user's default printer @@ -17018,7 +18411,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on 0 - Enable/disable kiosk browser's end session button. + Enable/disable kiosk browser's end session button. @@ -17043,7 +18436,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on 0 - Enable/disable kiosk browser's home button. + Enable/disable kiosk browser's home button. @@ -17068,7 +18461,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on 0 - Enable/disable kiosk browser's navigation buttons (forward/back). + Enable/disable kiosk browser's navigation buttons (forward/back). 
@@ -17233,6 +18626,99 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + Privacy + + + + + + + + + + + + + + + + + + + DisablePrivacyExperience + + + + + 0 + Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. + + + + + + + + + + + text/plain + + + phone + OOBE.admx + OOBE~AT~WindowsComponents~OOBE + DisablePrivacyExperience + LowestValueMostSecure + + + + + Security + + + + + + + + + + + + + + + + + + + RecoveryEnvironmentAuthentication + + + + + 0 + This policy controls the requirement of Admin Authentication in RecoveryEnvironment. + + + + + + + + + + + text/plain + + + phone + LastWrite + + + Settings @@ -17279,6 +18765,33 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LastWrite + + PageVisibilityList + + + + + + + + + + + + + + + + + text/plain + + ControlPanel.admx + SettingsPageVisibilityBox + ControlPanel~AT~ControlPanel + SettingsPageVisibility + LastWrite + + Start @@ -17327,6 +18840,87 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LowestValueMostSecure + + ForceStartSize + + + + + 0 + + + + + + + + + + + + text/plain + + + phone + StartMenu.admx + StartMenu~AT~StartMenu + ForceStartSize + LastWrite + + + + HideAppList + + + + + 0 + Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. + + + + + + + + + + + text/plain + + + phone + LastWrite + + + + HideFrequentlyUsedApps + + + + + 0 + Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. + + + + + + + + + + + text/plain + + + phone + StartMenu.admx + StartMenu~AT~StartMenu + NoFrequentUsedPrograms + LowestValueMostSecure + + HidePeopleBar 
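Review bot: The description added for RecoveryEnvironmentAuthentication does not say what each value means. The node appears to default to 0, but "This policy controls the requirement of Admin Authentication in RecoveryEnvironment." leaves open whether 0 requires or waives authentication. For a setting that gates access to the recovery environment, the description should list every supported value with its effect and mark the default, as the EnableSystemGuard description elsewhere in this diff does. The node also uses LastWrite, while DisablePrivacyExperience in the same hunk uses LowestValueMostSecure; it is worth confirming that this is intended.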
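Review bot: PageVisibilityList is added with no description text that I can see in this hunk, so the DDF gives no hint of the value format or of what an unset value does. The same gap appears to apply to ForceStartSize in the next hunk, ScheduleForceRestartForUpdateFailures, the six BITS nodes, DOCacheHost, the new Defender nodes (CheckForSignaturesBeforeRunningScan, DisableCatchupFullScan, DisableCatchupQuickScan, EnableLowCPUPriority, SignatureUpdateFallbackOrder, SignatureUpdateFileSharesSources), the four new DeviceInstallation nodes and DmaGuard DeviceEnumerationPolicy. Each should get at least a one-sentence description naming the accepted values and the default, since several of them change security behaviour.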
@@ -17355,6 +18949,62 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LowestValueMostSecure + + HideRecentJumplists + + + + + 0 + Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. + + + + + + + + + + + text/plain + + + phone + StartMenu.admx + StartMenu~AT~StartMenu + NoRecentDocsHistory + LowestValueMostSecure + + + + HideRecentlyAddedApps + + + + + 0 + Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. + + + + + + + + + + + text/plain + + + phone + StartMenu.admx + StartMenu~AT~StartMenu + HideRecentlyAddedApps + LowestValueMostSecure + + StartLayout @@ -17497,7 +19147,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - com.microsoft/7.0/MDM/Policy + com.microsoft/8.0/MDM/Policy @@ -18177,6 +19827,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + LaunchAppAfterLogOn + + + + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are to be launched after logon. + + + + + + + + + + + text/plain + + + MSIAllowUserControlOverInstall @@ -18297,6 +19971,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + ScheduleForceRestartForUpdateFailures + + + + + + + + + + + + + + + + + + + text/plain + + + AppRuntime 
@@ -19131,6 +20829,78 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + EnableFastFirstSignIn + + + + + + + + Specifies whether new non-admin AAD accounts should auto-connect to pre-created candidate local accounts + + + + + + + + + + + text/plain + + + + + EnableWebSignIn + + + + + + + + Specifies whether web-based sign in is allowed for logging in to Windows + + + + + + + + + + + text/plain + + + + + PreferredAadTenantDomainName + + + + + + + + Specifies the preferred domain among available domains in the AAD tenant. + + + + + + + + + + + text/plain + + + Autoplay @@ -19272,6 +21042,172 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + BITS + + + + + + + + + + + + + + + + + + + + + BandwidthThrottlingEndTime + + + + + + + + + + + + + + + + + + + text/plain + + + + + BandwidthThrottlingStartTime + + + + + + + + + + + + + + + + + + + text/plain + + + + + BandwidthThrottlingTransferRate + + + + + + + + + + + + + + + + + + + text/plain + + + + + CostedNetworkBehaviorBackgroundPriority + + + + + + + + + + + + + + + + + + + text/plain + + + + + CostedNetworkBehaviorForegroundPriority + + + + + + + + + + + + + + + + + + + text/plain + + + + + JobInactivityTimeout + + + + + + + + + + + + + + + + + + + text/plain + + + + Bluetooth @@ -19699,6 +21635,34 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + AllowFullScreenMode + + + + + + + + With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. + +If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. + +If disabled, full-screen mode is unavailable for use in Microsoft Edge. + + + + + + + + + + + text/plain + + + AllowInPrivate 
@@ -19732,7 +21696,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. + This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. 
@@ -19799,6 +21763,86 @@ If you disable this setting, the Microsoft Compatibility List will not be used d + + AllowPrelaunch + + + + + + + + Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. + + + + + + + + + + + text/plain + + + + + AllowPrinting + + + + + + + + With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. + +If enabled, printing is allowed. + +If disabled, printing is not allowed. + + + + + + + + + + + text/plain + + + + + AllowSavingHistory + + + + + + + + Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. + +If enabled or not configured, the browsing history is saved and visible in the History pane. + +If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. + + + + + + + + + + + text/plain + + + AllowSearchEngineCustomization @@ -19852,6 +21896,30 @@ This policy will only apply on domain joined machines or when the device is MDM + + AllowSideloadingOfExtensions + + + + + + + + This setting lets you decide whether employees can sideload extensions in Microsoft Edge. + + + + + + + + + + + text/plain + + + AllowSmartScreen 
@@ -19876,6 +21944,60 @@ This policy will only apply on domain joined machines or when the device is MDM + + AllowTabPreloading + + + + + + + + Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. + + + + + + + + + + + text/plain + + + + + AllowWebContentOnNewTabPage + + + + + + + + This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. + +If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. + +If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. + +If you don't configure this setting, employees can choose how new tabs appears. + + + + + + + + + + + text/plain + + + AlwaysEnableBooksLibrary @@ -19937,7 +22059,7 @@ This policy will only apply on domain joined machines or when the device is MDM If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. -If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. +If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. 
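Review bot: The description for AllowTabPreloading contradicts the node name. It reads "Prevent Microsoft Edge from starting and loading the Start and New Tab page ...", which is the text of the PreventTabPreloading node that later hunks remove. An administrator reading it cannot tell whether enabling the policy turns preloading on or off. Reword it to match the Allow polarity, in line with AllowPrelaunch, e.g. `Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed.`, and state which value is the default.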
@@ -19954,6 +22076,203 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + ConfigureFavoritesBar + + + + + + + + The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. + +If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. + +If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. + +If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. + + + + + + + + + + + text/plain + + + + + ConfigureHomeButton + + + + + + + + The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. + +By default, this policy is disabled or not configured and clicking the home button loads the default Start page. + +When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. + +If Enabled AND: +- Show home button & set to Start page is selected, clicking the home button loads the Start page. +- Show home button & set to New tab page is selected, clicking the home button loads a New tab page. 
+- Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. +- Hide home button is selected, the home button is hidden in Microsoft Edge. + +Default setting: Disabled or not configured +Related policies: +- Set Home Button URL +- Unlock Home Button + + + + + + + + + + + text/plain + + + + + ConfigureKioskMode + + + + + + + + Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. + +You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). + +If enabled and set to 0 (Default or not configured): +- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. +- If it’s one of many apps, Microsoft Edge runs as normal. +If enabled and set to 1: +- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. +- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. 
+ + + + + + + + + + + text/plain + + + + + ConfigureKioskResetAfterIdleTimeout + + + + + + + + You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. + +If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. + +If you set this policy to 0, Microsoft Edge does not use an idle timer. + +If disabled or not configured, the default value is 5 minutes. + +If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. + + + + + + + + + + + text/plain + + + + + ConfigureOpenMicrosoftEdgeWith + + + + + + + + You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. + +If enabled, you can choose one of the following options: +- Start page: the Start page loads ignoring the Configure Start Pages policy. +- New tab page: the New tab page loads ignoring the Configure Start Pages policy. +- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. +- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. + +When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. 
+ +If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. + +Default setting: A specific page or pages (default) +Related policies: +-Disable Lockdown of Start Pages +-Configure Start Pages + + + + + + + + + + + text/plain + + + + + ConfigureTelemetryForMicrosoft365Analytics + + + + + + + + Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. + + + + + + + + + + + text/plain + + + DisableLockdownOfStartPages @@ -19963,12 +22282,14 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect. + You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. -Note: This policy has no effect when Browser/HomePages is not configured. +If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. -Important -This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). +Supported devices: Domain-joined or MDM-enrolled +Related policy: +- Configure Start Pages +- Configure Open Microsoft Edge With 
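Review bot: The ConfigureKioskResetAfterIdleTimeout description says a reset deletes the current user's browsing data and that a value of 0 means no idle timer, but it does not connect the two. On a shared kiosk, that presumably leaves one visitor's browsing data in place for the next until the session is ended by hand. I would add a sentence after the 0 case such as `With no idle timer, browsing data is cleared only when the user ends the session.` (to be confirmed against actual behaviour). Separately, the ConfigureOpenMicrosoftEdgeWith text in this hunk refers to the "Configure Open Edge With" policy, where the rest of the diff uses "Configure Open Microsoft Edge With".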
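Review bot: The new DisableLockdownOfStartPages description names a "Configure Open Microsoft With" policy, which does not match the "Configure Open Microsoft Edge With" entry in its own related-policy list. Change the sentence to `To do this, you must also enable the Configure Start Pages or Configure Open Microsoft Edge With policy.` The description also capitalises "Start pages" three different ways; pick one form. The node itself begins in the context above this hunk.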
@@ -20088,12 +22409,24 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo - Configure the Start page URLs for your employees. -Example: -If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. -Encapsulate each string with greater than and less than characters like any other XML tag. + When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. -Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. +If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: + + <support.contoso.com><support.microsoft.com> + +If disabled or not configured, the webpages specified in App settings loads as the default Start pages. + +Version 1703 or later: +If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. + +Version 1809: +If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. + +Supported devices: Domain-joined or MDM-enrolled +Related policy: +- Configure Open Microsoft Edge With +- Disable Lockdown of Start Pages 
@@ -20119,12 +22452,12 @@ Version 1703 or later:  If you don't want to send traffic to Microsoft, you ca This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. +If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. +If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. 
@@ -20148,7 +22481,35 @@ If you disable or don't configure this setting (default), employees can add, imp - Prevent access to the about:flags page in Microsoft Edge. + Prevent access to the about:flags page in Microsoft Edge. + + + + + + + + + + + text/plain + + + + + PreventCertErrorOverrides + + + + + + + + Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. + +If enabled, overriding certificate errors are not allowed. + +If disabled or not configured, overriding certificate errors are allowed. @@ -20224,7 +22585,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Don't allow Windows Defender SmartScreen warning overrides + Don't allow Windows Defender SmartScreen warning overrides @@ -20248,7 +22609,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Don't allow Windows Defender SmartScreen warning overrides for unverified files. + Don't allow Windows Defender SmartScreen warning overrides for unverified files. @@ -20264,7 +22625,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - PreventTabPreloading + PreventTurningOffRequiredExtensions 
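Review bot: The PreventCertErrorOverrides description is hardest to parse at the point where it matters. "Overriding certificate errors are not allowed" and "are allowed" should say who can do what, e.g. `If enabled, users cannot bypass the certificate warning.` and `If disabled or not configured, users can bypass the certificate warning.` Unlike most of the other Edge descriptions added in this diff, it has no "Default setting:" line, so it is easy to miss that an unconfigured device lets users click through the warning. The first sentence also has a subject-verb mismatch ("certificates ... encrypts the data").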
@@ -20272,9 +22633,26 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. + You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. + +When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. + +When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. + +If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. + +If disabled or not configured, extensions defined as part of this policy get ignored. 
+ +Default setting: Disabled or not configured +Related policies: Allow Developer Tools +Related Documents: +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) +- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) +- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) - + 
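Review bot: The PreventTurningOffRequiredExtensions description switches between "turn off" and "uninstall". The first sentence says users cannot turn the listed extensions off; the third says they cannot uninstall them. State which actions the policy actually blocks. The sentence about permissions is the security-relevant part and currently reads as an aside; I would give it its own paragraph and fix the verb: `Any additional permissions requested by future updates of a listed extension are granted automatically.` The node's name line is changed in the preceding hunk, not this one.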
@@ -20322,12 +22700,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. -If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. +If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. -If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. +If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. 
@@ -20396,6 +22774,66 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + SetHomeButtonURL + + + + + + + + The home button can be configured to load a custom URL when your user clicks the home button. + +If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. + +Default setting: Blank or not configured +Related policy: Configure Home Button + + + + + + + + + + + text/plain + + + + + SetNewTabPageURL + + + + + + + + You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. + +If enabled, you can set the default New Tab page URL. + +If disabled or not configured, the default Microsoft Edge new tab page is used. + +Default setting: Disabled or not configured +Related policy: Allow web content on New Tab page + + + + + + + + + + + text/plain + + + ShowMessageWhenOpeningSitesInInternetExplorer 
@@ -20405,7 +22843,16 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Show message when opening sites in Internet Explorer + You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. + +If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. + +If disabled or not configured, the default app behavior occurs and no additional page displays. + +Default setting: Disabled or not configured +Related policies: +-Configure the Enterprise Mode Site List +-Send all intranet sites to Internet Explorer 11 @@ -20444,6 +22891,39 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + UnlockHomeButton + + + + + + + + By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. + +If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. + +If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. + +Default setting: Disabled or not configured +Related policy: +-Configure Home Button +-Set Home Button URL + + + + + + + + + + + text/plain + + + UseSharedFolderForBooks 
@@ -21064,10 +23544,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + - If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC + If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC. Setting the value to 0 (zero) or deleting the policy will remove the GP policy blocks restore the saved GP policies. @@ -21908,6 +24389,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + CheckForSignaturesBeforeRunningScan + + + + + + + + + + + + + + + + + + + text/plain + + + CloudBlockLevel @@ -22028,6 +24533,54 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + DisableCatchupFullScan + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableCatchupQuickScan + + + + + + + + + + + + + + + + + + + text/plain + + + EnableControlledFolderAccess @@ -22052,6 +24605,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + EnableLowCPUPriority + + + + + + + + + + + + + + + + + + + text/plain + + + EnableNetworkProtection @@ -22292,6 +24869,54 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + SignatureUpdateFallbackOrder + + + + + + + + + + + + + + + + + + + text/plain + + + + + SignatureUpdateFileSharesSources + + + + + + + + + + + + + + + + + + + text/plain + + + SignatureUpdateInterval @@ -22434,6 +25059,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + DOCacheHost + + + + + + + + + + + + + + + + + + + text/plain + + + DODelayBackgroundDownloadFromHttp 
@@ -22984,6 +25633,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + EnableSystemGuard + + + + + + + + Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user, 1 - Enables Secure Launch if supported by hardware, 2 - Disables Secure Launch. + + + + + + + + + + + text/plain + + + EnableVirtualizationBasedSecurity @@ -23078,6 +25751,102 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + AllowInstallationOfMatchingDeviceIDs + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowInstallationOfMatchingDeviceSetupClasses + + + + + + + + + + + + + + + + + + + text/plain + + + + + PreventDeviceMetadataFromNetwork + + + + + + + + + + + + + + + + + + + text/plain + + + + + PreventInstallationOfDevicesNotDescribedByOtherPolicySettings + + + + + + + + + + + + + + + + + + + text/plain + + + PreventInstallationOfMatchingDeviceIDs @@ -23727,6 +26496,52 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + DmaGuard + + + + + + + + + + + + + + + + + + + + + DeviceEnumerationPolicy + + + + + + + + + + + + + + + + + + + text/plain + + + + ErrorReporting @@ -24008,6 +26823,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + AllowClipboardHistory + + + + + + + + Allows history of clipboard items to be stored in memory. + + + + + + + + + + + text/plain + + + AllowCopyPaste 
@@ -24368,6 +27207,58 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + DoNotSyncBrowserSettings + + + + + + + + You can configure Microsoft Edge, when enabled, to prevent the "browser" group from using the Sync your Settings option to sync information, such as history and favorites, between user's devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. + Related policy: PreventUsersFromTurningOnBrowserSyncing + 0 (default) = allow syncing, 2 = disable syncing + + + + + + + + + + + text/plain + + + + + PreventUsersFromTurningOnBrowserSyncing + + + + + + + + You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user's devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings. + Related policy: DoNotSyncBrowserSettings + 1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing + + + + + + + + + + + text/plain + + + ExploitGuard 
@@ -30572,6 +33463,32 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + UPNNameHints + + + + + + + + Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. + + This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal. + + + + + + + + + + + text/plain + + + KioskBrowser @@ -30675,7 +33592,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - Enable/disable kiosk browser's end session button. + Enable/disable kiosk browser's end session button. @@ -30699,7 +33616,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - Enable/disable kiosk browser's home button. + Enable/disable kiosk browser's home button. @@ -30723,7 +33640,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - Enable/disable kiosk browser's navigation buttons (forward/back). + Enable/disable kiosk browser's navigation buttons (forward/back). 
@@ -30911,9 +33828,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor This policy setting prevents users from adding new Microsoft accounts on this computer. -If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. +If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. -If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. +If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. 
@@ -31002,7 +33919,7 @@ Note: If the Guest account is disabled and the security option Network Access: S Accounts: Limit local account use of blank passwords to console logon only -This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. +This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. Default: Enabled. @@ -31069,7 +33986,7 @@ Default: Administrator. Accounts: Rename guest account -This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. +This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. Default: Guest. 
@@ -31210,118 +34127,6 @@ Default: This policy is not defined and CD-ROM access is not restricted to the l - - DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways - - - - - - - - Domain member: Digitally encrypt or sign secure channel data (always) - -This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. - -When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. - -This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies: - -Domain member: Digitally encrypt secure channel data (when possible) -Domain member: Digitally sign secure channel data (when possible) - -Default: Enabled. - -Notes: - -If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. 
-If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. -Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not. - - - - - - - - - - - text/plain - - - - - DomainMember_DigitallyEncryptSecureChannelDataWhenPossible - - - - - - - - Domain member: Digitally encrypt secure channel data (when possible) - -This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. - -When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc. - -This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption. - -Default: Enabled. - -Important - -There is no known reason for disabling this setting. 
Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted. - -Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains. - - - - - - - - - - - text/plain - - - - - DomainMember_DisableMachineAccountPasswordChanges - - - - - - - - Domain member: Disable machine account password changes - -Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days. - -Default: Disabled. - -Notes - -This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions. -This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names. - - - - - - - - - - - text/plain - - - InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked 
@@ -31358,7 +34163,7 @@ Do not display user information (3) - Interactive logon: Don't display last signed-in + Interactive logon: Don't display last signed-in This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. If this policy is enabled, the username will not be shown. @@ -31388,7 +34193,7 @@ Default: Disabled. - Interactive logon: Don't display username at sign-in + Interactive logon: Don't display username at sign-in This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. If this policy is enabled, the username will not be shown. @@ -31422,7 +34227,7 @@ Default: Disabled. This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. -If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. +If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. 
@@ -31573,6 +34378,52 @@ On Windows Vista and above: For this setting to work, the Smart Card Removal Pol + + MicrosoftNetworkClient_DigitallySignCommunicationsAlways + + + + + + + + Microsoft network client: Digitally sign communications (always) + +This security setting determines whether packet signing is required by the SMB client component. + +The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. + +If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. + +Default: Disabled. + +Important + +For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). + +Notes + +All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. 
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. +For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. + + + + + + + + + + + text/plain + + + MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees @@ -31646,38 +34497,6 @@ Default: Disabled. - - MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession - - - - - - - - Microsoft network server: Amount of idle time required before suspending a session - -This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity. - -Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. - -For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy. - -Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations. - - - - - - - - - - - text/plain - - - MicrosoftNetworkServer_DigitallySignCommunicationsAlways 
@@ -31910,6 +34729,44 @@ This policy is supported on at least Windows Server 2016. + + NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM + + + + + + + + Network security: Allow Local System to use computer identity for NTLM + +This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. + +If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. + +If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. + +By default, this policy is enabled on Windows 7 and above. + +By default, this policy is disabled on Windows Vista. + +This policy is supported on at least Windows Vista or Windows Server 2008. + +Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. + + + + + + + + + + + text/plain + + + NetworkSecurity_AllowPKU2UAuthenticationRequests 
@@ -32021,6 +34878,41 @@ Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send + + NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients + + + + + + + + Network security: Minimum session security for NTLM SSP based (including secure RPC) clients + +This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: + +Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated. +Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. + +Default: + +Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. + +Windows 7 and Windows Server 2008 R2: Require 128-bit encryption + + + + + + + + + + + text/plain + + + NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers @@ -32067,7 +34959,7 @@ Windows 7 and Windows Server 2008 R2: Require 128-bit encryption Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication -This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. +This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. 
@@ -32101,15 +34993,15 @@ The naming format for servers on this exception list is the fully qualified doma This policy setting allows you to audit incoming NTLM traffic. -If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. +If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. -If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. +If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. -If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. +If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. 
@@ -32137,15 +35029,15 @@ Note: Audit events are recorded on this computer in the "Operational" Log locate This policy setting allows you to deny or allow incoming NTLM traffic. -If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. +If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. -If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. +If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. -If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. +If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. 
@@ -32173,15 +35065,15 @@ Note: Block events are recorded on this computer in the "Operational" Log locate This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. -If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. +If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. -If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. +If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. -If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. +If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. 
+Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -32274,9 +35166,9 @@ Default: Disabled. This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. -• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. +• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. -• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. +• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. 
@@ -32308,15 +35200,15 @@ The options are: • Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. -• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. 
If the user selects Permit, the operation continues with the user's highest available privilege. -• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. @@ -32509,13 +35401,13 @@ The options are: User Account Control: Switch to the secure desktop when prompting for elevation -This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. +This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: • Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. -• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. +• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. @@ -32787,7 +35679,7 @@ The options are: - This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. + This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. 
@@ -33772,6 +36664,30 @@ The options are:
+
+ AllowCrossDeviceClipboard
+
+
+
+
+
+
+
+ Allows syncing of Clipboard across devices under the same Microsoft account.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
 AllowInputPersonalization
@@ -33820,6 +36736,30 @@ The options are:
+
+ DisablePrivacyExperience
+
+
+
+
+
+
+
+ Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
 EnableActivityFeed
@@ -35365,7 +38305,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -35653,7 +38593,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -35677,7 +38617,7 @@ The options are:
- Allows apps/system to publish 'User Activities' into ActivityFeed.
+ Allows apps/system to publish 'User Activities' into ActivityFeed.
@@ -35701,7 +38641,7 @@ The options are:
- Allows ActivityFeed to upload published 'User Activities'.
+ Allows ActivityFeed to upload published 'User Activities'.
@@ -37237,6 +40177,30 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
+
+ RecoveryEnvironmentAuthentication
+
+
+
+
+
+
+
+ This policy controls the requirement of Admin Authentication in RecoveryEnvironment.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
 RequireDeviceEncryption
@@ -38126,7 +41090,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
- Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu.
+ Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu.
@@ -38174,7 +41138,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
- Enabling this policy hides "Hibernate" from appearing in the power button in the start menu.
+ Enabling this policy hides "Hibernate" from appearing in the power button in the start menu.
@@ -38198,7 +41162,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
- Enabling this policy hides "Lock" from appearing in the user tile in the start menu.
+ Enabling this policy hides "Lock" from appearing in the user tile in the start menu.
@@ -38294,7 +41258,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
- Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu.
+ Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu.
@@ -38318,7 +41282,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
- Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu.
+ Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu.
@@ -38342,7 +41306,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
- Enabling this policy hides "Sign out" from appearing in the user tile in the start menu.
+ Enabling this policy hides "Sign out" from appearing in the user tile in the start menu.
@@ -38366,7 +41330,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
- Enabling this policy hides "Sleep" from appearing in the power button in the start menu.
+ Enabling this policy hides "Sleep" from appearing in the power button in the start menu.
@@ -38390,7 +41354,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
- Enabling this policy hides "Switch account" from appearing in the user tile in the start menu.
+ Enabling this policy hides "Switch account" from appearing in the user tile in the start menu.
@@ -38571,6 +41535,30 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
+
+ RemovableDiskDenyWriteAccess
+
+
+
+
+
+
+
+ If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives."
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
 System
@@ -38617,6 +41605,30 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + AllowDeviceNameInDiagnosticData + + + + + + + + This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. + + + + + + + + + + + text/plain + + + AllowEmbeddedMode @@ -38809,6 +41821,30 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + ConfigureMicrosoft365UploadEndpoint + + + + + + + + + + + + + + + + + + + text/plain + + + ConfigureTelemetryOptInChangeNotification @@ -38857,6 +41893,54 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + DisableDeviceDelete + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableDiagnosticDataViewer + + + + + + + + + + + + + + + + + + + text/plain + + + DisableEnterpriseAuthProxy 
@@ -38962,7 +42046,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
- This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting.
+ This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2.
Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting.
@@ -39032,7 +42116,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
- This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+ This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
@@ -39056,7 +42140,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
- This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+ This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
@@ -39080,7 +42164,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
- This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+ This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
@@ -39104,7 +42188,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. @@ -39128,7 +42212,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. @@ -39152,7 +42236,53 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + + + + + text/plain + + + + + + TaskManager + + + + + + + + + + + + + + + + + + + + + AllowEndTask + + + + + + + + This setting determines whether non-administrators can use Task Manager to end tasks - enabled (1) or disabled (0). Default: enabled @@ -40071,6 +43201,30 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + AutoRestartDeadlinePeriodInDaysForFeatureUpdates + + + + + + + + + + + + + + + + + + + text/plain + + + AutoRestartNotificationSchedule @@ -40335,6 +43489,30 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + EngagedRestartDeadlineForFeatureUpdates + + + + + + + + + + + + + + + + + + + text/plain + + + EngagedRestartSnoozeSchedule @@ -40359,6 +43537,30 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + EngagedRestartSnoozeScheduleForFeatureUpdates + + + + + + + + + + + + + + + + + + + text/plain + + + EngagedRestartTransitionSchedule 
@@ -40383,6 +43585,30 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + EngagedRestartTransitionScheduleForFeatureUpdates + + + + + + + + + + + + + + + + + + + text/plain + + + ExcludeWUDriversInQualityUpdate @@ -40935,6 +44161,54 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + SetDisablePauseUXAccess + + + + + + + + + + + + + + + + + + + text/plain + + + + + SetDisableUXWUAccess + + + + + + + + + + + + + + + + + + + text/plain + + + SetEDURestart @@ -40959,6 +44233,30 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + UpdateNotificationLevel + + + + + + + + + + + + + + + + + + + text/plain + + + UpdateServiceUrl @@ -41038,7 +44336,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. + This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. 
@@ -41182,7 +44480,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
- This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users.
+ This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users.
@@ -41254,7 +44552,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
- This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links.
+ This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links.
@@ -41446,7 +44744,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. + Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. 
Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. 1) The access token that is being impersonated is for this user. 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. 3) The requested level is less than Impersonate, such as Anonymous or Identify. @@ -42035,6 +45333,30 @@ Because of these factors, users do not usually need this user right. Warning: If + + DisableClearTpmButton + + + + + + + + + + + + + + + + + + + text/plain + + + DisableDeviceSecurityUI @@ -42179,6 +45501,30 @@ Because of these factors, users do not usually need this user right. Warning: If + + DisableTpmFirmwareUpdateWarning + + + + + + + + + + + + + + + + + + + text/plain + + + DisableVirusUI @@ -42371,6 +45717,30 @@ Because of these factors, users do not usually need this user right. Warning: If + + HideWindowsSecurityNotificationAreaControl + + + + + + + + + + + + + + + + + + + text/plain + + + Phone @@ -42809,7 +46179,7 @@ Because of these factors, users do not usually need this user right. Warning: If This policy setting allows you to turn off projection to a PC - If you set it to 0, your PC isn't discoverable and can't be projected to + If you set it to 0, your PC isn't discoverable and can't be projected to If you set it to 1, your PC is discoverable and can be projected to above the lock screen only. The user has an option to turn it always on or off except for manual launch, too. 
@@ -42835,7 +46205,7 @@ Because of these factors, users do not usually need this user right. Warning: If This policy setting allows you to turn off projection to a PC over infrastructure. - If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. + If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. If you set it to 1, your PC can be discoverable and can be projected to over infrastructure. @@ -42885,8 +46255,9 @@ Because of these factors, users do not usually need this user right. Warning: If This policy setting allows you to require a pin for pairing. - If you turn this on, the pairing ceremony for new devices will always require a PIN - If you turn it off or don't configure it, a pin isn't required for pairing. + If you set this to 0, a pin isn't required for pairing. + If you set this to 1, the pairing ceremony for new devices will always require a PIN. + If you set this to 2, all pairings will require PIN. @@ -43486,6 +46857,29 @@ Because of these factors, users do not usually need this user right. Warning: If LowestValueMostSecure + + LaunchAppAfterLogOn + + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are to be launched after logon. + + + + + + + + + + + text/plain + + LastWrite + + MSIAllowUserControlOverInstall @@ -43623,6 +47017,62 @@ Because of these factors, users do not usually need this user right. Warning: If LowestValueMostSecure + + ScheduleForceRestartForUpdateFailures + + + + + + + + + + + + + + + + + text/plain + + LastWrite + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +]]> + + AppRuntime 
@@ -44542,6 +47992,79 @@ Because of these factors, users do not usually need this user right. Warning: If LowestValueMostSecure + + EnableFastFirstSignIn + + + + + 0 + Specifies whether new non-admin AAD accounts should auto-connect to pre-created candidate local accounts + + + + + + + + + + + text/plain + + + phone + LastWrite + + + + EnableWebSignIn + + + + + 0 + Specifies whether web-based sign in is allowed for logging in to Windows + + + + + + + + + + + text/plain + + + phone + LastWrite + + + + PreferredAadTenantDomainName + + + + + + Specifies the preferred domain among available domains in the AAD tenant. + + + + + + + + + + + text/plain + + LastWrite + + Autoplay 
@@ -44688,6 +48211,194 @@ Because of these factors, users do not usually need this user right. Warning: If + + BITS + + + + + + + + + + + + + + + + + + + BandwidthThrottlingEndTime + + + + + 17 + + + + + + + + + + + + text/plain + + + Bits.admx + BITS_BandwidthLimitSchedTo + Bits~AT~Network~BITS + BITS_MaxBandwidth + LastWrite + + + + BandwidthThrottlingStartTime + + + + + 8 + + + + + + + + + + + + text/plain + + + Bits.admx + BITS_BandwidthLimitSchedFrom + Bits~AT~Network~BITS + BITS_MaxBandwidth + LastWrite + + + + BandwidthThrottlingTransferRate + + + + + 1000 + + + + + + + + + + + + text/plain + + + Bits.admx + BITS_MaxTransferRateText + Bits~AT~Network~BITS + BITS_MaxBandwidth + LastWrite + + + + CostedNetworkBehaviorBackgroundPriority + + + + + 1 + + + + + + + + + + + + text/plain + + + Bits.admx + BITS_TransferPolicyNormalPriorityValue + Bits~AT~Network~BITS + BITS_SetTransferPolicyOnCostedNetwork + LastWrite + + + + CostedNetworkBehaviorForegroundPriority + + + + + 1 + + + + + + + + + + + + text/plain + + + Bits.admx + BITS_TransferPolicyForegroundPriorityValue + Bits~AT~Network~BITS + BITS_SetTransferPolicyOnCostedNetwork + LastWrite + + + + JobInactivityTimeout + + + + + 90 + + + + + + + + + + + + text/plain + + + Bits.admx + BITS_Job_Timeout_Time + Bits~AT~Network~BITS + BITS_Job_Timeout + LastWrite + + + Bluetooth 
@@ -45140,6 +48851,37 @@ Because of these factors, users do not usually need this user right. Warning: If HighestValueMostSecure + + AllowFullScreenMode + + + + + 1 + With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. + +If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. + +If disabled, full-screen mode is unavailable for use in Microsoft Edge. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowFullScreenMode + LowestValueMostSecure + + AllowInPrivate 
@@ -45174,7 +48916,7 @@ Because of these factors, users do not usually need this user right. Warning: If 1 - This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. + This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. 
@@ -45253,6 +48995,97 @@ If you disable this setting, the Microsoft Compatibility List will not be used d LowestValueMostSecure + + AllowPrelaunch + + + + + 1 + Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowPrelaunch + LowestValueMostSecure + + + + AllowPrinting + + + + + 1 + With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. + +If enabled, printing is allowed. + +If disabled, printing is not allowed. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowPrinting + LowestValueMostSecure + + + + AllowSavingHistory + + + + + 1 + Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. + +If enabled or not configured, the browsing history is saved and visible in the History pane. + +If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowSavingHistory + LowestValueMostSecure + + AllowSearchEngineCustomization 
@@ -45312,6 +49145,34 @@ This policy will only apply on domain joined machines or when the device is MDM LowestValueMostSecure + + AllowSideloadingOfExtensions + + + + + 1 + This setting lets you decide whether employees can sideload extensions in Microsoft Edge. + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowSideloadingOfExtensions + LowestValueMostSecure + + AllowSmartScreen @@ -45339,6 +49200,67 @@ This policy will only apply on domain joined machines or when the device is MDM LowestValueMostSecure + + AllowTabPreloading + + + + + 1 + Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowTabPreloading + LowestValueMostSecure + + + + AllowWebContentOnNewTabPage + + + + + 1 + This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. + +If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. + +If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. + +If you don't configure this setting, employees can choose how new tabs appears. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + AllowWebContentOnNewTabPage + LowestValueMostSecure + + AlwaysEnableBooksLibrary 
@@ -45405,7 +49327,7 @@ This policy will only apply on domain joined machines or when the device is MDM If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. -If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. +If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. 
@@ -45428,18 +49350,99 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - DisableLockdownOfStartPages + ConfigureFavoritesBar + + + + + + The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. + +If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. + +If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. + +If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfigureFavoritesBar + LowestValueMostSecure + + + + ConfigureHomeButton 0 - Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect. + The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. -Note: This policy has no effect when Browser/HomePages is not configured. 
+By default, this policy is disabled or not configured and clicking the home button loads the default Start page. -Important -This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). +When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. + +If Enabled AND: +- Show home button & set to Start page is selected, clicking the home button loads the Start page. +- Show home button & set to New tab page is selected, clicking the home button loads a New tab page. +- Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. +- Hide home button is selected, the home button is hidden in Microsoft Edge. + +Default setting: Disabled or not configured +Related policies: +- Set Home Button URL +- Unlock Home Button + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + ConfigureHomeButtonDropdown + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfigureHomeButton + LastWrite + + + + ConfigureKioskMode + + + + + 0 + Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. + +You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). 
+ +If enabled and set to 0 (Default or not configured): +- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. +- If it’s one of many apps, Microsoft Edge runs as normal. +If enabled and set to 1: +- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. +- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. 
@@ -45455,6 +49458,152 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo phone MicrosoftEdge.admx + ConfigureKioskMode_TextBox + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfigureKioskMode + LastWrite + + + + ConfigureKioskResetAfterIdleTimeout + + + + + 5 + You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. + +If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. + +If you set this policy to 0, Microsoft Edge does not use an idle timer. + +If disabled or not configured, the default value is 5 minutes. + +If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + ConfigureKioskResetAfterIdleTimeout_TextBox + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfigureKioskResetAfterIdleTimeout + LastWrite + + + + ConfigureOpenMicrosoftEdgeWith + + + + + 3 + You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. + +If enabled, you can choose one of the following options: +- Start page: the Start page loads ignoring the Configure Start Pages policy. +- New tab page: the New tab page loads ignoring the Configure Start Pages policy. +- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. +- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). 
If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. + +When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. + +If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. + +Default setting: A specific page or pages (default) +Related policies: +-Disable Lockdown of Start Pages +-Configure Start Pages + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + ConfigureOpenEdgeWithListBox + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + ConfigureOpenEdgeWith + LastWrite + + + + ConfigureTelemetryForMicrosoft365Analytics + + + + + 0 + Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + ZonesListBox + MicrosoftEdge~AT~WindowsComponents~DataCollectionAndPreviewBuilds + ConfigureTelemetryForMicrosoft365Analytics + LowestValueMostSecure + + + + DisableLockdownOfStartPages + + + + + 0 + You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. + +If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. 
+ +Supported devices: Domain-joined or MDM-enrolled +Related policy: +- Configure Start Pages +- Configure Open Microsoft Edge With + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + DisableLockdownOfStartPagesListBox MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge DisableLockdownOfStartPages LowestValueMostSecure 
@@ -45570,12 +49719,24 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo - Configure the Start page URLs for your employees. -Example: -If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. -Encapsulate each string with greater than and less than characters like any other XML tag. + When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. -Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. +If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: + + <support.contoso.com><support.microsoft.com> + +If disabled or not configured, the webpages specified in App settings loads as the default Start pages. + +Version 1703 or later: +If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. + +Version 1809: +If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. + +Supported devices: Domain-joined or MDM-enrolled +Related policy: +- Configure Open Microsoft Edge With +- Disable Lockdown of Start Pages 
@@ -45605,12 +49766,12 @@ Version 1703 or later:  If you don't want to send traffic to Microsoft, you ca 0 This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. +If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. +If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. @@ -45637,7 +49798,7 @@ If you disable or don't configure this setting (default), employees can add, imp 0 - Prevent access to the about:flags page in Microsoft Edge. + Prevent access to the about:flags page in Microsoft Edge. 
@@ -45657,6 +49818,37 @@ If you disable or don't configure this setting (default), employees can add, imp HighestValueMostSecure + + PreventCertErrorOverrides + + + + + 0 + Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. + +If enabled, overriding certificate errors are not allowed. + +If disabled or not configured, overriding certificate errors are allowed. + + + + + + + + + + + text/plain + + + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + PreventCertErrorOverrides + HighestValueMostSecure + + PreventFirstRunPage @@ -45723,7 +49915,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on 0 - Don't allow Windows Defender SmartScreen warning overrides + Don't allow Windows Defender SmartScreen warning overrides @@ -45750,7 +49942,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on 0 - Don't allow Windows Defender SmartScreen warning overrides for unverified files. + Don't allow Windows Defender SmartScreen warning overrides for unverified files. 
@@ -45771,15 +49963,32 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - PreventTabPreloading + PreventTurningOffRequiredExtensions - 0 - Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. + + You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. + +When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. + +When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. + +If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. + +If disabled or not configured, extensions defined as part of this policy get ignored. 
+ +Default setting: Disabled or not configured +Related policies: Allow Developer Tools +Related Documents: +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) +- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) +- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) - + @@ -45790,12 +49999,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - phone MicrosoftEdge.admx + PreventTurningOffRequiredExtensions_Prompt MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventTabPreloading - HighestValueMostSecure + PreventTurningOffRequiredExtensions + LastWrite 
@@ -45834,12 +50043,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. -If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. +If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. -If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. +If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. 
@@ -45920,6 +50129,74 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LastWrite + + SetHomeButtonURL + + + + + + The home button can be configured to load a custom URL when your user clicks the home button. + +If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. + +Default setting: Blank or not configured +Related policy: Configure Home Button + + + + + + + + + + + text/plain + + phone + MicrosoftEdge.admx + SetHomeButtonURLPrompt + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + SetHomeButtonURL + LastWrite + + + + SetNewTabPageURL + + + + + + You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. + +If enabled, you can set the default New Tab page URL. + +If disabled or not configured, the default Microsoft Edge new tab page is used. + +Default setting: Disabled or not configured +Related policy: Allow web content on New Tab page + + + + + + + + + + + text/plain + + phone + MicrosoftEdge.admx + SetNewTabPageURLPrompt + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + SetNewTabPageURL + LastWrite + + ShowMessageWhenOpeningSitesInInternetExplorer 
@@ -45927,7 +50204,16 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on 0 - Show message when opening sites in Internet Explorer + You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. + +If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. + +If disabled or not configured, the default app behavior occurs and no additional page displays. + +Default setting: Disabled or not configured +Related policies: +-Configure the Enterprise Mode Site List +-Send all intranet sites to Internet Explorer 11 @@ -45940,7 +50226,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - + phone MicrosoftEdge.admx MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge 
@@ -45976,6 +50262,43 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LowestValueMostSecure + + UnlockHomeButton + + + + + 0 + By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. + +If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. + +If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. + +Default setting: Disabled or not configured +Related policy: +-Configure Home Button +-Set Home Button URL + + + + + + + + + + + text/plain + + + phone + MicrosoftEdge.admx + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + UnlockHomeButton + LowestValueMostSecure + + UseSharedFolderForBooks @@ -46641,7 +50964,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on 0 - If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC + If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC. Setting the value to 0 (zero) or deleting the policy will remove the GP policy blocks restore the saved GP policies. @@ -46654,7 +50977,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on text/plain - + LastWrite 
@@ -47549,6 +51872,35 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LastWrite + + CheckForSignaturesBeforeRunningScan + + + + + 0 + + + + + + + + + + + + text/plain + + + phone + WindowsDefender.admx + CheckForSignaturesBeforeRunningScan + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan + CheckForSignaturesBeforeRunningScan + HighestValueMostSecure + + CloudBlockLevel @@ -47692,6 +52044,64 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LastWrite + + DisableCatchupFullScan + + + + + 1 + + + + + + + + + + + + text/plain + + + phone + WindowsDefender.admx + Scan_DisableCatchupFullScan + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan + Scan_DisableCatchupFullScan + LastWrite + + + + DisableCatchupQuickScan + + + + + 1 + + + + + + + + + + + + text/plain + + + phone + WindowsDefender.admx + Scan_DisableCatchupQuickScan + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan + Scan_DisableCatchupQuickScan + LastWrite + + EnableControlledFolderAccess @@ -47721,6 +52131,35 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LastWrite + + EnableLowCPUPriority + + + + + 0 + + + + + + + + + + + + text/plain + + + phone + WindowsDefender.admx + Scan_LowCpuPriority + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan + Scan_LowCpuPriority + LastWrite + + EnableNetworkProtection @@ -47856,6 +52295,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone + WindowsDefender.admx + Root_PUAProtection + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender + Root_PUAProtection LastWrite 
@@ -48004,6 +52447,62 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LastWrite + + SignatureUpdateFallbackOrder + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsDefender.admx + SignatureUpdate_FallbackOrder + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate + SignatureUpdate_FallbackOrder + LastWrite + + + + SignatureUpdateFileSharesSources + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsDefender.admx + SignatureUpdate_DefinitionUpdateFileSharesSources + WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate + SignatureUpdate_DefinitionUpdateFileSharesSources + LastWrite + + SignatureUpdateInterval @@ -48166,6 +52665,33 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on LowestValueMostSecure + + DOCacheHost + + + + + + + + + + + + + + + + + text/plain + + DeliveryOptimization.admx + CacheHost + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + CacheHost + LastWrite + + DODelayBackgroundDownloadFromHttp @@ -48662,6 +53188,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on phone + DeliveryOptimization.admx + PercentageMaxDownloadBandwidth + DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat + PercentageMaxDownloadBandwidth LastWrite @@ -48865,6 +53395,35 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + ConfigureSystemGuardLaunch + + + + + 0 + Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user, 1 - Enables Secure Launch if supported by hardware, 2 - Disables Secure Launch. + + + + + + + + + + + text/plain + + + phone + DeviceGuard.admx + SystemGuardDrop + DeviceGuard~AT~System~DeviceGuardCategory + VirtualizationBasedSecurity + LowestValueMostSecureZeroHasNoLimits + + EnableVirtualizationBasedSecurity 
@@ -48971,6 +53530,114 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + AllowInstallationOfMatchingDeviceIDs + + + + + + + + + + + + + + + + + text/plain + + phone + deviceinstallation.admx + DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category + DeviceInstall_IDs_Allow + LastWrite + + + + AllowInstallationOfMatchingDeviceSetupClasses + + + + + + + + + + + + + + + + + text/plain + + phone + deviceinstallation.admx + DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category + DeviceInstall_Classes_Allow + LastWrite + + + + PreventDeviceMetadataFromNetwork + + + + + + + + + + + + + + + + + text/plain + + phone + DeviceSetup.admx + DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category + DeviceMetadata_PreventDeviceMetadataFromNetwork + LastWrite + + + + PreventInstallationOfDevicesNotDescribedByOtherPolicySettings + + + + + + + + + + + + + + + + + text/plain + + phone + deviceinstallation.admx + DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category + DeviceInstall_Unspecified_Deny + LastWrite + + PreventInstallationOfMatchingDeviceIDs @@ -49653,6 +54320,53 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + DmaGuard + + + + + + + + + + + + + + + + + + + DeviceEnumerationPolicy + + + + + 1 + + + + + + + + + + + + text/plain + + + dmaguard.admx + dmaguard~AT~System~DmaGuard + DmaGuardEnumerationPolicy + LowestValueMostSecure + + + ErrorReporting @@ -49955,6 +54669,33 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + AllowClipboardHistory + + + + + 1 + Allows history of clipboard items to be stored in memory. + + + + + + + + + + + text/plain + + + OSPolicy.admx + OSPolicy~AT~System~PolicyPolicies + AllowClipboardHistory + LowestValueMostSecure + + AllowCopyPaste 
@@ -50258,7 +54999,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - 0 + 1 @@ -50335,6 +55076,65 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor HighestValueMostSecure + + DoNotSyncBrowserSettings + + + + + 0 + You can configure Microsoft Edge, when enabled, to prevent the "browser" group from using the Sync your Settings option to sync information, such as history and favorites, between user's devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. + Related policy: PreventUsersFromTurningOnBrowserSyncing + 0 (default) = allow syncing, 2 = disable syncing + + + + + + + + + + + text/plain + + + SettingSync.admx + SettingSync~AT~WindowsComponents~SettingSync + DisableWebBrowserSettingSync + HighestValueMostSecure + + + + PreventUsersFromTurningOnBrowserSyncing + + + + + 1 + You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user's devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings. + Related policy: DoNotSyncBrowserSettings + 1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing + + + + + + + + + + + text/plain + + + SettingSync.admx + CheckBox_UserOverride + SettingSync~AT~WindowsComponents~SettingSync + DisableWebBrowserSettingSync + HighestValueMostSecure + + ExploitGuard 
@@ -57284,6 +62084,32 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor LastWrite + + UPNNameHints + + + + + + Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. + + This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal. + + + + + + + + + + + text/plain + + phone + LastWrite + + KioskBrowser @@ -57383,7 +62209,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor 0 - Enable/disable kiosk browser's end session button. + Enable/disable kiosk browser's end session button. @@ -57408,7 +62234,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor 0 - Enable/disable kiosk browser's home button. + Enable/disable kiosk browser's home button. @@ -57433,7 +62259,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor 0 - Enable/disable kiosk browser's navigation buttons (forward/back). + Enable/disable kiosk browser's navigation buttons (forward/back). 
@@ -57628,9 +62454,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor 0 This policy setting prevents users from adding new Microsoft accounts on this computer. -If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. +If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. -If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. +If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. 
@@ -57728,7 +62554,7 @@ Note: If the Guest account is disabled and the security option Network Access: S 1 Accounts: Limit local account use of blank passwords to console logon only -This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. +This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. Default: Enabled. @@ -57800,7 +62626,7 @@ Default: Administrator. Guest Accounts: Rename guest account -This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. +This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. Default: Guest. 
@@ -57955,127 +62781,6 @@ Default: This policy is not defined and CD-ROM access is not restricted to the l LastWrite - - DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways - - - - - 1 - Domain member: Digitally encrypt or sign secure channel data (always) - -This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. - -When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. - -This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies: - -Domain member: Digitally encrypt secure channel data (when possible) -Domain member: Digitally sign secure channel data (when possible) - -Default: Enabled. - -Notes: - -If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. 
-If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. -Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Domain member: Digitally encrypt or sign secure channel data (always) - LastWrite - - - - DomainMember_DigitallyEncryptSecureChannelDataWhenPossible - - - - - 1 - Domain member: Digitally encrypt secure channel data (when possible) - -This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. - -When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc. - -This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption. - -Default: Enabled. - -Important - -There is no known reason for disabling this setting. 
Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted. - -Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Domain member: Digitally encrypt secure channel data (when possible) - LastWrite - - - - DomainMember_DisableMachineAccountPasswordChanges - - - - - 0 - Domain member: Disable machine account password changes - -Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days. - -Default: Disabled. - -Notes - -This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions. -This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names. 
- - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Domain member: Disable machine account password changes - LastWrite - - InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked @@ -58113,7 +62818,7 @@ Do not display user information (3) 0 - Interactive logon: Don't display last signed-in + Interactive logon: Don't display last signed-in This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. If this policy is enabled, the username will not be shown. @@ -58146,7 +62851,7 @@ Default: Disabled. 1 - Interactive logon: Don't display username at sign-in + Interactive logon: Don't display username at sign-in This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. If this policy is enabled, the username will not be shown. @@ -58183,7 +62888,7 @@ Default: Disabled. This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. -If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. +If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. 
@@ -58349,6 +63054,55 @@ On Windows Vista and above: For this setting to work, the Smart Card Removal Pol LastWrite + + MicrosoftNetworkClient_DigitallySignCommunicationsAlways + + + + + 0 + Microsoft network client: Digitally sign communications (always) + +This security setting determines whether packet signing is required by the SMB client component. + +The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. + +If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. + +Default: Disabled. + +Important + +For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). + +Notes + +All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. 
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. +For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Microsoft network client: Digitally sign communications (always) + LastWrite + + MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees 
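Review bot: The description added for `MicrosoftNetworkClient_DigitallySignCommunicationsAlways` never ties the integer values to the behaviour, so a reader has to infer from "Default: Disabled" that the default `0` means signing is negotiated rather than required. This is the setting that protects against the in-transit modification of SMB packets the text itself mentions, so I would add one line such as `0 (default): signing is negotiated with the server; 1: the client will not talk to a server that does not agree to sign`. The node also appears to resolve conflicts with `LastWrite` (the markup is stripped in this rendering, so please confirm), which would let a later profile remove the requirement again; that deserves a sentence if it is intended.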
@@ -58428,41 +63182,6 @@ Default: Disabled. LastWrite - - MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession - - - - - 15 - Microsoft network server: Amount of idle time required before suspending a session - -This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity. - -Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. - -For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy. - -Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Microsoft network server: Amount of idle time required before suspending session - LowestValueMostSecure - - MicrosoftNetworkServer_DigitallySignCommunicationsAlways 
@@ -58712,6 +63431,47 @@ This policy is supported on at least Windows Server 2016. LastWrite + + NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM + + + + + 1 + Network security: Allow Local System to use computer identity for NTLM + +This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. + +If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. + +If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. + +By default, this policy is enabled on Windows 7 and above. + +By default, this policy is disabled on Windows Vista. + +This policy is supported on at least Windows Vista or Windows Server 2008. + +Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Network security: Allow Local System to use computer identity for NTLM + LastWrite + + NetworkSecurity_AllowPKU2UAuthenticationRequests @@ -58785,7 +63545,7 @@ This setting can affect the ability of computers running Windows 2000 Server, Wi - 0 + 3 Network security LAN Manager authentication level This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: 
@@ -58832,13 +63592,51 @@ Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send HighestValueMostSecure + + NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients + + + + + 536870912 + Network security: Minimum session security for NTLM SSP based (including secure RPC) clients + +This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: + +Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated. +Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. + +Default: + +Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. + +Windows 7 and Windows Server 2008 R2: Require 128-bit encryption + + + + + + + + + + + text/plain + + + phone + Windows Settings~Security Settings~Local Policies~Security Options + Network security: Minimum session security for NTLM SSP based (including secure RPC) clients + HighestValueMostSecure + + NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers - 0 + 536870912 Network security: Minimum session security for NTLM SSP based (including secure RPC) servers This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: 
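Review bot: The new `NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients` node and the changed default on the `...Servers` node both use `536870912`, but neither description says which of the listed options that number selects. As far as I know the value is a bit mask, where `524288` requires NTLMv2 session security, `536870912` requires 128-bit encryption and `537395200` requires both. That would mean the default leaves NTLMv2 session security unrequired, so I would add the mapping to both descriptions. Because the values are flags, the `HighestValueMostSecure` rule visible on the client node would presumably pick 128-bit-only over NTLMv2-only rather than combine them, which is worth stating if this file is hand-maintained.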
@@ -58879,7 +63677,7 @@ Windows 7 and Windows Server 2008 R2: Require 128-bit encryption Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication -This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. +This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. 
@@ -58915,15 +63713,15 @@ The naming format for servers on this exception list is the fully qualified doma This policy setting allows you to audit incoming NTLM traffic. -If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. +If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. -If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. +If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. -If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. +If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. 
@@ -58954,15 +63752,15 @@ Note: Audit events are recorded on this computer in the "Operational" Log locate This policy setting allows you to deny or allow incoming NTLM traffic. -If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. +If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. -If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. +If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. -If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. +If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. 
@@ -58993,15 +63791,15 @@ Note: Block events are recorded on this computer in the "Operational" Log locate This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. -If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. +If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. -If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. +If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. -If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. +If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. 
+Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -59103,9 +63901,9 @@ Default: Disabled. This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. -• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. +• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. -• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. +• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. 
@@ -59140,15 +63938,15 @@ The options are: • Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. -• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. 
If the user selects Permit, the operation continues with the user's highest available privilege. -• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. @@ -59359,13 +64157,13 @@ The options are: 1 User Account Control: Switch to the secure desktop when prompting for elevation -This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. +This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: • Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. -• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. +• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. @@ -59648,7 +64446,7 @@ The options are: 1 - This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. + This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. 
@@ -60715,6 +65513,33 @@ The options are: LowestValueMostSecure + + AllowCrossDeviceClipboard + + + + + 1 + Allows syncing of Clipboard across devices under the same Microsoft account. + + + + + + + + + + + text/plain + + + OSPolicy.admx + OSPolicy~AT~System~PolicyPolicies + AllowCrossDeviceClipboard + LowestValueMostSecure + + AllowInputPersonalization @@ -60770,6 +65595,34 @@ The options are: LowestValueMostSecureZeroHasNoLimits + + DisablePrivacyExperience + + + + + 0 + Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. + + + + + + + + + + + text/plain + + + phone + OOBE.admx + OOBE~AT~WindowsComponents~OOBE + DisablePrivacyExperience + LowestValueMostSecure + + EnableActivityFeed @@ -62552,7 +67405,7 @@ The options are: - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. @@ -62888,7 +67741,7 @@ The options are: - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. 
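Review bot: `AllowCrossDeviceClipboard` is added with default `1` and the one-line description "Allows syncing of Clipboard across devices under the same Microsoft account", which does not say what `0` does or that the default is the permissive state. Clipboard content routinely includes credentials and other sensitive text, so administrators need this spelled out. I would extend the description with `0: clipboard content is not synced to other devices; 1 (default): syncing is allowed`. The `LowestValueMostSecure` rule in the same hunk is consistent with that reading.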
@@ -62916,7 +67769,7 @@ The options are: 1 - Allows apps/system to publish 'User Activities' into ActivityFeed. + Allows apps/system to publish 'User Activities' into ActivityFeed. @@ -62943,7 +67796,7 @@ The options are: 1 - Allows ActivityFeed to upload published 'User Activities'. + Allows ActivityFeed to upload published 'User Activities'. @@ -64024,6 +68877,39 @@ Caution: If a Restricted Groups policy is applied, any current member not on the phone LastWrite + + + + + + + + + + + + Restricted Group Member + + + + + + + + + + + + + + + Restricted Group + + + + + + ]]> @@ -64613,6 +69499,31 @@ Caution: If a Restricted Groups policy is applied, any current member not on the LastWrite + + RecoveryEnvironmentAuthentication + + + + + 0 + This policy controls the requirement of Admin Authentication in RecoveryEnvironment. + + + + + + + + + + + text/plain + + + phone + LastWrite + + RequireDeviceEncryption @@ -65070,12 +69981,12 @@ Caution: If a Restricted Groups policy is applied, any current member not on the text/plain - + phone SmartScreen.admx SmartScreen~AT~WindowsComponents~SmartScreen~Shell ConfigureAppInstallControl - HighestValueMostSecure + LastWrite @@ -65502,6 +70413,9 @@ Caution: If a Restricted Groups policy is applied, any current member not on the phone + StartMenu.admx + StartMenu~AT~StartMenu + ForceStartSize LastWrite @@ -65537,7 +70451,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the 0 - Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu. + Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu. @@ -65576,6 +70490,9 @@ Caution: If a Restricted Groups policy is applied, any current member not on the phone + StartMenu.admx + StartMenu~AT~StartMenu + NoFrequentUsedPrograms LowestValueMostSecure 
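Review bot: The description added for `RecoveryEnvironmentAuthentication` ("This policy controls the requirement of Admin Authentication in RecoveryEnvironment") does not list the supported values or say what the default `0` means. The setting presumably decides whether an administrator must authenticate before recovery tools can be used, so the value list belongs in the description. To my knowledge it is `0`: current OS behaviour, `1`: authentication always required, `2`: authentication not required, but please confirm against the OS definition before adding it. The node appears to use `LastWrite`, so it is also worth stating that a later profile can relax the requirement.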
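Review bot: In the `ConfigureAppInstallControl` hunk the conflict-resolution value changes from `HighestValueMostSecure` to `LastWrite`, with no explanation in the visible text. For a SmartScreen control this means the most restrictive configured value no longer wins when several sources set the policy, so a later and more permissive profile can undo a stricter one. If this mirrors a change in the OS definition, a short note on the policy's documentation page would help administrators who relied on the old merge behaviour. If it does not, I would keep `HighestValueMostSecure`.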
@@ -65586,7 +70503,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the 0 - Enabling this policy hides "Hibernate" from appearing in the power button in the start menu. + Enabling this policy hides "Hibernate" from appearing in the power button in the start menu. @@ -65610,7 +70527,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the 0 - Enabling this policy hides "Lock" from appearing in the user tile in the start menu. + Enabling this policy hides "Lock" from appearing in the user tile in the start menu. @@ -65673,6 +70590,9 @@ Caution: If a Restricted Groups policy is applied, any current member not on the phone + StartMenu.admx + StartMenu~AT~StartMenu + NoRecentDocsHistory LowestValueMostSecure @@ -65711,7 +70631,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the 0 - Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu. + Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu. @@ -65735,7 +70655,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the 0 - Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu. + Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu. @@ -65759,7 +70679,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the 0 - Enabling this policy hides "Sign out" from appearing in the user tile in the start menu. + Enabling this policy hides "Sign out" from appearing in the user tile in the start menu. 
@@ -65783,7 +70703,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the 0 - Enabling this policy hides "Sleep" from appearing in the power button in the start menu. + Enabling this policy hides "Sleep" from appearing in the power button in the start menu. @@ -65807,7 +70727,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the 0 - Enabling this policy hides "Switch account" from appearing in the user tile in the start menu. + Enabling this policy hides "Switch account" from appearing in the user tile in the start menu. @@ -65999,6 +70919,34 @@ Caution: If a Restricted Groups policy is applied, any current member not on the LastWrite + + RemovableDiskDenyWriteAccess + + + + + 0 + If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." + + + + + + + + + + + text/plain + + + RemovableStorage.admx + RemovableDisks_DenyWrite_Access_2 + RemovableStorage~AT~System~DeviceAccess + RemovableDisks_DenyWrite_Access_2 + HighestValueMostSecure + + System 
@@ -66046,6 +70994,34 @@ Caution: If a Restricted Groups policy is applied, any current member not on the LowestValueMostSecure + + AllowDeviceNameInDiagnosticData + + + + + 0 + This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. + + + + + + + + + + + text/plain + + + DataCollection.admx + AllowDeviceNameInDiagnosticData + DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds + AllowDeviceNameInDiagnosticData + LowestValueMostSecure + + AllowEmbeddedMode @@ -66251,6 +71227,33 @@ Caution: If a Restricted Groups policy is applied, any current member not on the LastWrite + + ConfigureMicrosoft365UploadEndpoint + + + + + + + + + + + + + + + + + text/plain + + DataCollection.admx + ConfigureMicrosoft365UploadEndpoint + DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds + ConfigureMicrosoft365UploadEndpoint + LastWrite + + ConfigureTelemetryOptInChangeNotification @@ -66307,6 +71310,62 @@ Caution: If a Restricted Groups policy is applied, any current member not on the HighestValueMostSecure + + DisableDeviceDelete + + + + + 0 + + + + + + + + + + + + text/plain + + + DataCollection.admx + DisableDeviceDelete + DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds + DisableDeviceDelete + HighestValueMostSecure + + + + DisableDiagnosticDataViewer + + + + + 0 + + + + + + + + + + + + text/plain + + + DataCollection.admx + DisableDiagnosticDataViewer + DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds + DisableDiagnosticDataViewer + HighestValueMostSecure + + DisableEnterpriseAuthProxy 
@@ -66420,7 +71479,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the 0 - This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting. + This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. 
Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting. @@ -66494,8 +71553,8 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - 0 - This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + 3 + This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. @@ -66521,8 +71580,8 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - 0 - This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + 3 + This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. @@ -66548,8 +71607,8 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - 0 - This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + 3 + This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. 
@@ -66575,8 +71634,8 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - 0 - This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + 3 + This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. @@ -66602,8 +71661,8 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - 0 - This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + 3 + This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. @@ -66629,8 +71688,8 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - 0 - This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual. + 3 + This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. @@ -66651,6 +71710,50 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + TaskManager + + + + + + + + + + + + + + + + + + + AllowEndTask + + + + + 1 + This setting determines whether non-administrators can use Task Manager to end tasks - enabled (1) or disabled (0). Default: enabled + + + + + + + + + + + text/plain + + + HighestValueMostSecure + + + TaskScheduler @@ -67438,7 +72541,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - 2 + 6 @@ -67452,7 +72555,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the text/plain - + WindowsUpdate.admx AutoUpdateMode WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat 
@@ -67595,6 +72698,34 @@ Caution: If a Restricted Groups policy is applied, any current member not on the LastWrite + + AutoRestartDeadlinePeriodInDaysForFeatureUpdates + + + + + 7 + + + + + + + + + + + + text/plain + + + WindowsUpdate.admx + AutoRestartDeadlineForFeatureUpdates + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + AutoRestartDeadline + LastWrite + + AutoRestartNotificationSchedule @@ -67898,6 +73029,34 @@ Caution: If a Restricted Groups policy is applied, any current member not on the LastWrite + + EngagedRestartDeadlineForFeatureUpdates + + + + + 14 + + + + + + + + + + + + text/plain + + + WindowsUpdate.admx + EngagedRestartDeadlineForFeatureUpdates + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + EngagedRestartTransitionSchedule + LastWrite + + EngagedRestartSnoozeSchedule @@ -67926,6 +73085,34 @@ Caution: If a Restricted Groups policy is applied, any current member not on the LastWrite + + EngagedRestartSnoozeScheduleForFeatureUpdates + + + + + 3 + + + + + + + + + + + + text/plain + + + WindowsUpdate.admx + EngagedRestartSnoozeScheduleForFeatureUpdates + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + EngagedRestartTransitionSchedule + LastWrite + + EngagedRestartTransitionSchedule @@ -67946,7 +73133,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the text/plain - + WindowsUpdate.admx EngagedRestartTransitionSchedule WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat @@ -67954,6 +73141,34 @@ Caution: If a Restricted Groups policy is applied, any current member not on the LastWrite + + EngagedRestartTransitionScheduleForFeatureUpdates + + + + + 7 + + + + + + + + + + + + text/plain + + + WindowsUpdate.admx + EngagedRestartTransitionScheduleForFeatureUpdates + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + EngagedRestartTransitionSchedule + LastWrite + + ExcludeWUDriversInQualityUpdate 
@@ -68579,6 +73794,60 @@ Caution: If a Restricted Groups policy is applied, any current member not on the LastWrite + + SetDisablePauseUXAccess + + + + + 0 + + + + + + + + + + + + text/plain + + + WindowsUpdate.admx + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + SetDisablePauseUXAccess + LastWrite + + + + SetDisableUXWUAccess + + + + + 0 + + + + + + + + + + + + text/plain + + + WindowsUpdate.admx + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + SetDisableUXWUAccess + LastWrite + + SetEDURestart @@ -68606,6 +73875,33 @@ Caution: If a Restricted Groups policy is applied, any current member not on the LastWrite + + UpdateNotificationLevel + + + + + 0 + + + + + + + + + + + + text/plain + + + WindowsUpdate.admx + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + UpdateNotificationLevel + LastWrite + + UpdateServiceUrl @@ -68688,7 +73984,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. + This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. 
@@ -68850,7 +74146,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users. + This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users. 
@@ -68931,7 +74227,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. + This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. 
@@ -69147,7 +74443,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. + Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. 
Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. 1) The access token that is being impersonated is for this user. 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. 3) The requested level is less than Impersonate, such as Anonymous or Identify. @@ -69789,6 +75085,34 @@ Because of these factors, users do not usually need this user right. Warning: If LastWrite + + DisableClearTpmButton + + + + + 0 + + + + + + + + + + + + text/plain + + + phone + WindowsDefenderSecurityCenter.admx + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity + DeviceSecurity_DisableClearTpmButton + LastWrite + + DisableDeviceSecurityUI @@ -69957,6 +75281,34 @@ Because of these factors, users do not usually need this user right. Warning: If LastWrite + + DisableTpmFirmwareUpdateWarning + + + + + 0 + + + + + + + + + + + + text/plain + + + phone + WindowsDefenderSecurityCenter.admx + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity + DeviceSecurity_DisableTpmFirmwareUpdateWarning + LastWrite + + DisableVirusUI @@ -70181,6 +75533,34 @@ Because of these factors, users do not usually need this user right. Warning: If LastWrite + + HideWindowsSecurityNotificationAreaControl + + + + + 0 + + + + + + + + + + + + text/plain + + + phone + WindowsDefenderSecurityCenter.admx + WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~Systray + Systray_HideSystray + LastWrite + + Phone 
@@ -70644,7 +76024,7 @@ Because of these factors, users do not usually need this user right. Warning: If 1 This policy setting allows you to turn off projection to a PC - If you set it to 0, your PC isn't discoverable and can't be projected to + If you set it to 0, your PC isn't discoverable and can't be projected to If you set it to 1, your PC is discoverable and can be projected to above the lock screen only. The user has an option to turn it always on or off except for manual launch, too. @@ -70674,7 +76054,7 @@ Because of these factors, users do not usually need this user right. Warning: If 1 This policy setting allows you to turn off projection to a PC over infrastructure. - If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. + If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. If you set it to 1, your PC can be discoverable and can be projected to over infrastructure. @@ -70724,8 +76104,9 @@ Because of these factors, users do not usually need this user right. Warning: If 0 This policy setting allows you to require a pin for pairing. - If you turn this on, the pairing ceremony for new devices will always require a PIN - If you turn it off or don't configure it, a pin isn't required for pairing. + If you set this to 0, a pin isn't required for pairing. + If you set this to 1, the pairing ceremony for new devices will always require a PIN. + If you set this to 2, all pairings will require PIN. @@ -70738,11 +76119,11 @@ Because of these factors, users do not usually need this user right. Warning: If text/plain - + WirelessDisplay.admx WirelessDisplay~AT~WindowsComponents~Connect RequirePinForPairing - LowestValueMostSecure + LastWrite 
diff --git a/windows/client-management/mdm/policymanager-csp.md b/windows/client-management/mdm/policymanager-csp.md index a888021e38..366179d7ac 100644 --- a/windows/client-management/mdm/policymanager-csp.md +++ b/windows/client-management/mdm/policymanager-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/28/2017 --- diff --git a/windows/client-management/mdm/provisioning-csp.md b/windows/client-management/mdm/provisioning-csp.md index f2b9958913..88ff7aac70 100644 --- a/windows/client-management/mdm/provisioning-csp.md +++ b/windows/client-management/mdm/provisioning-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- @@ -40,7 +40,7 @@ The full URL for the discovery service. **Provisioning/Enrollments/*UPN*/Secret** This information is dependent on the AuthPolicy being used. Possible values: -- Password string for on-premise authentication enrollment +- Password string for on-premises authentication enrollment - Federated security token for federated enrollment - Certificate thumb print for certificated based enrollment diff --git a/windows/client-management/mdm/proxy-csp.md b/windows/client-management/mdm/proxy-csp.md index 0df779416e..31a3e8994f 100644 --- a/windows/client-management/mdm/proxy-csp.md +++ b/windows/client-management/mdm/proxy-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md index bfdd850a97..40aae74dbe 100644 --- a/windows/client-management/mdm/push-notification-windows-mdm.md +++ b/windows/client-management/mdm/push-notification-windows-mdm.md 
@@ -9,7 +9,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 09/22/2017
 ---
diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md
index a633f4a681..8a137d239f 100644
--- a/windows/client-management/mdm/pxlogical-csp.md
+++ b/windows/client-management/mdm/pxlogical-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md
index dba00c6cd5..bfb5dfd307 100644
--- a/windows/client-management/mdm/reboot-csp.md
+++ b/windows/client-management/mdm/reboot-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
@@ -41,7 +41,7 @@ The following diagram shows the Reboot configuration service provider management

                  The supported operations are Get, Add, Replace, and Delete.

                  **Schedule/DailyRecurrent** -

                  This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. For example: 2015-12-15T07:36:25Z

                  +

                  This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00.

                  The supported operations are Get, Add, Replace, and Delete.

diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md
index 2ba444f6f8..36baf398e0 100644
--- a/windows/client-management/mdm/reboot-ddf-file.md
+++ b/windows/client-management/mdm/reboot-ddf-file.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/reclaim-seat-from-user.md b/windows/client-management/mdm/reclaim-seat-from-user.md
index 0f3aeb0558..e3351b8c80 100644
--- a/windows/client-management/mdm/reclaim-seat-from-user.md
+++ b/windows/client-management/mdm/reclaim-seat-from-user.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 09/18/2017
 ---
diff --git a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md
index 6aef81069b..dd6f9467a1 100644
--- a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md
+++ b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/registry-csp.md b/windows/client-management/mdm/registry-csp.md
index 66f0960d0a..fecf3f5a44 100644
--- a/windows/client-management/mdm/registry-csp.md
+++ b/windows/client-management/mdm/registry-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/registry-ddf-file.md b/windows/client-management/mdm/registry-ddf-file.md
index 77241d46ff..7477a7c981 100644
--- a/windows/client-management/mdm/registry-ddf-file.md
+++ b/windows/client-management/mdm/registry-ddf-file.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/remotefind-csp.md b/windows/client-management/mdm/remotefind-csp.md
index caec581c7d..d84582b492 100644
--- a/windows/client-management/mdm/remotefind-csp.md
+++ b/windows/client-management/mdm/remotefind-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/remotefind-ddf-file.md b/windows/client-management/mdm/remotefind-ddf-file.md
index 19cf44771f..814fadbb25 100644
--- a/windows/client-management/mdm/remotefind-ddf-file.md
+++ b/windows/client-management/mdm/remotefind-ddf-file.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/remotelock-csp.md b/windows/client-management/mdm/remotelock-csp.md
index 1daf39aa19..0511301b25 100644
--- a/windows/client-management/mdm/remotelock-csp.md
+++ b/windows/client-management/mdm/remotelock-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/remotelock-ddf-file.md b/windows/client-management/mdm/remotelock-ddf-file.md
index e41eeb9e38..99fa47713c 100644
--- a/windows/client-management/mdm/remotelock-ddf-file.md
+++ b/windows/client-management/mdm/remotelock-ddf-file.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/remotering-csp.md b/windows/client-management/mdm/remotering-csp.md
index 206e334ae8..0d72fa4640 100644
--- a/windows/client-management/mdm/remotering-csp.md
+++ b/windows/client-management/mdm/remotering-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/remotering-ddf-file.md b/windows/client-management/mdm/remotering-ddf-file.md
index 50d9bb92bb..01fe0aa96f 100644
--- a/windows/client-management/mdm/remotering-ddf-file.md
+++ b/windows/client-management/mdm/remotering-ddf-file.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index fc9618891f..366bb79824 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 03/23/2018
 ---
diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md
index a9ec625e99..0f0de9b725 100644
--- a/windows/client-management/mdm/remotewipe-ddf-file.md
+++ b/windows/client-management/mdm/remotewipe-ddf-file.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 03/23/2018
 ---
diff --git a/windows/client-management/mdm/reporting-csp.md b/windows/client-management/mdm/reporting-csp.md
index 8833a9d134..924654540b 100644
--- a/windows/client-management/mdm/reporting-csp.md
+++ b/windows/client-management/mdm/reporting-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/reporting-ddf-file.md b/windows/client-management/mdm/reporting-ddf-file.md
index 616c065bdc..6387fc0b59 100644
--- a/windows/client-management/mdm/reporting-ddf-file.md
+++ b/windows/client-management/mdm/reporting-ddf-file.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
index 465bbd98f8..aae4546ae8 100644
--- a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
+++ b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
@@ -9,7 +9,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 09/18/2017
 ---
diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md
index b7fa5a8362..4f6ec839e8 100644
--- a/windows/client-management/mdm/rootcacertificates-csp.md
+++ b/windows/client-management/mdm/rootcacertificates-csp.md
@@ -6,14 +6,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/06/2018 --- # RootCATrustedCertificates CSP -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The RootCATrustedCertificates configuration service provider enables the enterprise to set the Root Certificate Authority (CA) certificates. diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md index 03c352d150..587008f3f5 100644 --- a/windows/client-management/mdm/rootcacertificates-ddf-file.md +++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md @@ -6,14 +6,12 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 03/07/2018 --- # RootCATrustedCertificates DDF file -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **RootCACertificates** configuration service provider. DDF files are used only with OMA DM provisioning XML. diff --git a/windows/client-management/mdm/samples-for-writing-a-custom-configuration-service-provider.md b/windows/client-management/mdm/samples-for-writing-a-custom-configuration-service-provider.md index a1d1af99a2..63260885d9 100644 --- a/windows/client-management/mdm/samples-for-writing-a-custom-configuration-service-provider.md +++ b/windows/client-management/mdm/samples-for-writing-a-custom-configuration-service-provider.md 
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md
index 4357c5f176..a8ba842ba7 100644
--- a/windows/client-management/mdm/secureassessment-csp.md
+++ b/windows/client-management/mdm/secureassessment-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/secureassessment-ddf-file.md b/windows/client-management/mdm/secureassessment-ddf-file.md
index 598bdf0a98..a17b7547dd 100644
--- a/windows/client-management/mdm/secureassessment-ddf-file.md
+++ b/windows/client-management/mdm/secureassessment-ddf-file.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md
index 60851d4e87..20ef07773e 100644
--- a/windows/client-management/mdm/securitypolicy-csp.md
+++ b/windows/client-management/mdm/securitypolicy-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/server-requirements-windows-mdm.md b/windows/client-management/mdm/server-requirements-windows-mdm.md
index 746e0a2ecc..cbbeeaeccb 100644
--- a/windows/client-management/mdm/server-requirements-windows-mdm.md
+++ b/windows/client-management/mdm/server-requirements-windows-mdm.md
@@ -9,7 +9,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md
index e55c31bcf5..ef19b3d790 100644
--- a/windows/client-management/mdm/sharedpc-csp.md
+++ b/windows/client-management/mdm/sharedpc-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md
index bfa9d3d806..b17d1adabd 100644
--- a/windows/client-management/mdm/sharedpc-ddf-file.md
+++ b/windows/client-management/mdm/sharedpc-ddf-file.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/storage-csp.md b/windows/client-management/mdm/storage-csp.md
index 7f0638060a..26207420d9 100644
--- a/windows/client-management/mdm/storage-csp.md
+++ b/windows/client-management/mdm/storage-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/storage-ddf-file.md b/windows/client-management/mdm/storage-ddf-file.md
index fe440045c3..46d64527ac 100644
--- a/windows/client-management/mdm/storage-ddf-file.md
+++ b/windows/client-management/mdm/storage-ddf-file.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md
index 66e387b2ee..dd67204515 100644
--- a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md
+++ b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index 0265da462a..3733920512 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md @@ -6,12 +6,14 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 06/26/2017 +author: MariciaAlforque +ms.date: 07/20/2018 --- # SUPL CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The SUPL configuration service provider is used to configure the location client, as shown in the following table. 
@@ -220,18 +222,51 @@ Specifies the name of the H-SLP root certificate as a string, in the format *nam **RootCertificate/Data** The base 64 encoded blob of the H-SLP root certificate. +**RootCertificate2** +Specifies the root certificate for the H-SLP server. + **RootCertificate2/Name** Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. **RootCertificate2/Data** The base 64 encoded blob of the H-SLP root certificate. +**RootCertificate3** +Specifies the root certificate for the H-SLP server. + **RootCertificate3/Name** Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. **RootCertificate3/Data** The base 64 encoded blob of the H-SLP root certificate. +**RootCertificate4** +Added in Windows 10, next major version. Specifies the root certificate for the H-SLP server. + +**RootCertificate4/Name** +Added in Windows 10, next major version. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + +**RootCertificate4/Data** +Added in Windows 10, next major version. The base 64 encoded blob of the H-SLP root certificate. + +**RootCertificate5** +Added in Windows 10, next major version. Specifies the root certificate for the H-SLP server. + +**RootCertificate5/Name** +Added in Windows 10, next major version. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + +**RootCertificate5/Data** +Added in Windows 10, next major version. The base 64 encoded blob of the H-SLP root certificate. + +**RootCertificate6** +Added in Windows 10, next major version. Specifies the root certificate for the H-SLP server. + +**RootCertificate6/Name** +Added in Windows 10, next major version. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + +**RootCertificate6/Data** +Added in Windows 10, next major version. The base 64 encoded blob of the H-SLP root certificate. + **V2UPL1** Required for V2 UPL for CDMA. 
Specifies the account settings for user plane location and IS-801 for CDMA. Only one account is supported at a given time. diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md index 927923512b..ec126158b6 100644 --- a/windows/client-management/mdm/supl-ddf-file.md +++ b/windows/client-management/mdm/supl-ddf-file.md @@ -6,18 +6,20 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 12/05/2017 +author: MariciaAlforque +ms.date: 07/20/2018 --- # SUPL DDF file +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **SUPL** configuration service provider. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version for this CSP. +The XML below is for Windows 10, next major version. ``` syntax @@ -43,7 +45,7 @@ The XML below is the current version for this CSP. - + com.microsoft/1.1/MDM/SUPL @@ -171,7 +173,7 @@ The XML below is the current version for this CSP. - MCCMNPairs + MCCMNCPairs 
@@ -200,7 +202,7 @@ The XML below is the current version for this CSP. 0 - Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator’s network or location services. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator's network or location services. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. 
@@ -479,6 +481,201 @@ The XML below is the current version for this CSP. + + RootCertificate4 + + + + + Specifies the root certificate for the H-SLP server. + + + + + + + + + + + + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + text/plain + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + RootCertificate5 + + + + + Specifies the root certificate for the H-SLP server. + + + + + + + + + + + + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + text/plain + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + RootCertificate6 + + + + + Specifies the root certificate for the H-SLP server. + + + + + + + + + + + + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + text/plain + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + 
@@ -554,7 +751,7 @@ The XML below is the current version for this CSP. 0 - Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator’s network or location services. The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator's network or location services. The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. @@ -663,13 +860,3 @@ The XML below is the current version for this CSP. ``` - -  - -  - - - - - - diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 3654fa873f..f6ec67db21 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 07/28/2017 --- diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md index d465098263..c3b580b0e5 100644 
--- a/windows/client-management/mdm/surfacehub-ddf-file.md
+++ b/windows/client-management/mdm/surfacehub-ddf-file.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md
index 5fa0f29fa7..2a39e0fa82 100644
--- a/windows/client-management/mdm/tpmpolicy-csp.md
+++ b/windows/client-management/mdm/tpmpolicy-csp.md
@@ -5,7 +5,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 11/01/2017
 ---
diff --git a/windows/client-management/mdm/tpmpolicy-ddf-file.md b/windows/client-management/mdm/tpmpolicy-ddf-file.md
index 21c7534a21..e4f359684a 100644
--- a/windows/client-management/mdm/tpmpolicy-ddf-file.md
+++ b/windows/client-management/mdm/tpmpolicy-ddf-file.md
@@ -5,7 +5,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md
index d2a2fc6fef..ef549e1753 100644
--- a/windows/client-management/mdm/uefi-csp.md
+++ b/windows/client-management/mdm/uefi-csp.md
@@ -5,16 +5,13 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 02/01/2018 --- # UEFI CSP -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1803. The following diagram shows the UEFI CSP in tree format. diff --git a/windows/client-management/mdm/uefi-ddf.md b/windows/client-management/mdm/uefi-ddf.md index 5f8e6403eb..de67ae71b4 100644 --- a/windows/client-management/mdm/uefi-ddf.md +++ b/windows/client-management/mdm/uefi-ddf.md @@ -5,17 +5,13 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 02/01/2018 --- # UEFI DDF file -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - - This topic shows the OMA DM device description framework (DDF) for the **Uefi** configuration service provider. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index 16f22e3436..03b111b649 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md 
@@ -5,7 +5,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 03/02/2018
 ---
diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md
index 2436883665..ae18f01c72 100644
--- a/windows/client-management/mdm/unifiedwritefilter-csp.md
+++ b/windows/client-management/mdm/unifiedwritefilter-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/unifiedwritefilter-ddf.md b/windows/client-management/mdm/unifiedwritefilter-ddf.md
index 417cff25cf..b2757575a6 100644
--- a/windows/client-management/mdm/unifiedwritefilter-ddf.md
+++ b/windows/client-management/mdm/unifiedwritefilter-ddf.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md
index 67de432346..837be49e57 100644
--- a/windows/client-management/mdm/update-csp.md
+++ b/windows/client-management/mdm/update-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 02/23/2018
 ---
diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md
index b628189e10..c4858fe6d8 100644
--- a/windows/client-management/mdm/update-ddf-file.md
+++ b/windows/client-management/mdm/update-ddf-file.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 02/23/2018
 ---
diff --git a/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md b/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md
index 97a2c276e6..1db424cd03 100644
--- a/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md
+++ b/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md
index fdbdbaed7c..010d58563c 100644
--- a/windows/client-management/mdm/vpn-csp.md
+++ b/windows/client-management/mdm/vpn-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 04/02/2017
 ---
diff --git a/windows/client-management/mdm/vpn-ddf-file.md b/windows/client-management/mdm/vpn-ddf-file.md
index 5d2e590301..51a11541d3 100644
--- a/windows/client-management/mdm/vpn-ddf-file.md
+++ b/windows/client-management/mdm/vpn-ddf-file.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index caa8e9ad15..e7dc68df1b 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 11/01/2017
 ---
@@ -255,7 +255,14 @@ An optional flag to enable Always On mode. This will automatically connect the V > **Note**  Always On only works for the active profile. The first profile provisioned that can be auto triggered will automatically be set as active. -  +Preserving user Always On preference + +Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList. +Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows will not check the box if the profile name exists in the below registry value in order to preserve user preference. +Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config +Value: AutoTriggerDisabledProfilesList +Type: REG_MULTI_SZ + Valid values: diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md index fa8d530b3d..ffaae7d39e 100644 --- a/windows/client-management/mdm/vpnv2-ddf-file.md +++ b/windows/client-management/mdm/vpnv2-ddf-file.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 12/05/2017 --- diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md index 7f839bb83d..6c582f4933 100644 --- a/windows/client-management/mdm/vpnv2-profile-xsd.md +++ b/windows/client-management/mdm/vpnv2-profile-xsd.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 02/05/2018 --- diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md index b554adc39f..03b49e0560 100644 --- a/windows/client-management/mdm/w4-application-csp.md 
+++ b/windows/client-management/mdm/w4-application-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md index 95c20b9f6d..129f56db57 100644 --- a/windows/client-management/mdm/w7-application-csp.md +++ b/windows/client-management/mdm/w7-application-csp.md @@ -6,7 +6,7 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower +author: MariciaAlforque ms.date: 06/26/2017 --- diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 65e4a03576..708ac76bd8 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -6,12 +6,14 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 04/16/2018 +author: MariciaAlforque +ms.date: 06/28/2018 --- # WiFi CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The WiFi configuration service provider provides the functionality to add or delete Wi-Fi networks on a Windows device. The configuration service provider accepts SyncML input and converts it to a network profile that is installed on the device. This profile enables the device to connect to the Wi-Fi network when it is in range. 
@@ -59,8 +61,6 @@ If it exists in the blob, the **keyType** and **protected** elements must come b > **Note**  If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the EapHostConfig portion of the WlanXML. For more information, see [EAP configuration](http://go.microsoft.com/fwlink/p/?LinkId=618963). -  - The supported operations are Add, Get, Delete, and Replace. **Proxy** @@ -96,6 +96,17 @@ Added in Windows 10, version 1607. Optional. When set to true it enables Web Pr Value type is bool. +**WiFiCost** +Added in Windows 10, next major version. Optional. This policy sets the cost of WLAN connection for the Wi-Fi profile. Default behaviour: Unrestricted. + +Supported values: + +- 1 - Unrestricted - unlimited connection +- 2 - Fixed - capacity constraints up to a certain data limit +- 3 - Variable - paid on per byte basic + +Supported operations are Add, Get, Replace and Delete. Value type is integer. + ## Examples diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md index a82d3b6fb2..a4ec65ad3c 100644 --- a/windows/client-management/mdm/wifi-ddf-file.md +++ b/windows/client-management/mdm/wifi-ddf-file.md 
@@ -6,16 +6,201 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 06/26/2017 +author: MariciaAlforque +ms.date: 06/28/2018 --- # WiFi DDF file +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **WiFi** configuration service provider. DDF files are used only with OMA DM provisioning XML. -Content under development and will be published soon. +The XML below is for Windows 10, next major version. + +``` syntax + + +]> + + 1.2 + + WiFi + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.1/MDM/WiFi + + + + Profile + + + + + + + + + + + + + + + + + + + + + + + + + + + The Profile name of the Wi-Fi network. This is added when WlanXML node is added and deleted when Wlanxml is deleted. + + + + + + + + + + SSID + + + + + + WlanXml + + + + + + + + + XML describing the network configuration and follows Windows WLAN_profile schema. + Link to schema: http://msdn.microsoft.com/en-us/library/windows/desktop/ms707341(v=vs.85).aspx + + + + + + + + + + + + text/plain + + + + + Proxy + + + + + + + + Optional node. The format is url:port. Configuration of the network proxy (if any). + + + + + + + + + + + + + + text/plain + + + + + ProxyPacUrl + + + + + + + + Optional node. URL to the PAC file location. + + + + + + + + + + + + + + text/plain + + + + + ProxyWPAD + + + + + + + + Optional node: The presence of the field enables WPAD for proxy lookup. + + + + + + + + + + + text/plain + + + + + + + +``` ## Related topics diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md index 7137215434..8c6f58a89e 100644 
--- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md
+++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md
@@ -5,7 +5,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/win32appinventory-csp.md b/windows/client-management/mdm/win32appinventory-csp.md
index 83bd355acb..b7431d69f0 100644
--- a/windows/client-management/mdm/win32appinventory-csp.md
+++ b/windows/client-management/mdm/win32appinventory-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/win32appinventory-ddf-file.md b/windows/client-management/mdm/win32appinventory-ddf-file.md
index 51c5584c13..9521871934 100644
--- a/windows/client-management/mdm/win32appinventory-ddf-file.md
+++ b/windows/client-management/mdm/win32appinventory-ddf-file.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
new file mode 100644
index 0000000000..5efc199b30
--- /dev/null
+++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
@@ -0,0 +1,615 @@
+---
+title: Win32CompatibilityAppraiser CSP
+description:
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: MariciaAlforque
+ms.date: 07/19/2018
+---
+
+# Win32CompatibilityAppraiser CSP
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telementry health. This CSP was added in Windows 10, next major version.
+
+The following diagram shows the Storage configuration service provider in tree format.
+
+![Win32CompatibilityAppraiser CSP diagram](images/provisioning-csp-win32compatibilityappraiser.png)
+
+**./Vendor/MSFT/Win32CompatibilityAppraiser**
+The root node for the Win32CompatibilityAppraiser configuration service provider.
+
+**CompatibilityAppraiser**
+This represents the state of the Compatibility Appraiser.
+
+
+**CompatibilityAppraiser/AppraiserConfigurationDiagnosis**
+This represents various settings that affect whether the Compatibility Appraiser can collect and upload compatibility data.
+
+
+**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/CommercialId**
+The unique identifier specifying what organization owns this device. This helps correlate telemetry after it has been uploaded.
+
+Value type is string. Supported operation is Get.
+
+**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/CommercialIdSetAndValid**
+A boolean value representing whether the CommercialId is set to a valid value. Valid values are strings in the form of GUIDs, with no surrounding braces.
+
+Value type is bool. Supported operation is Get.
+
+**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/AllTargetOsVersionsRequested**
+A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked.
+
+Value type is bool. Supported operation is Get.
+
+**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/OsSkuIsValidForAppraiser**
+A boolean value indicating whether the current Windows SKU is able to run the Compatibility Appraiser.
+
+Value type is bool. Supported operation is Get.
+
+**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/AppraiserCodeAndDataVersionsAboveMinimum**
+An integer value representing whether the installed versions of the Compatibility Appraiser code and data meet the minimum requirement to provide useful data.
+
+The values are:
+- 0 == Neither the code nor data is of a sufficient version
+- 1 == The code version is insufficient but the data version is sufficient
+- 2 == The code version is sufficient but the data version is insufficient
+- 3 == Both the code and data are of a sufficient version
+
+Value type is integer. Supported operation is Get.
+
+**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/RebootPending**
+A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent.
+
+Value type is bool. Supported operation is Get.
+
+**CompatibilityAppraiser/AppraiserRunResultReport**
+This provides an XML representation of the last run of Appraiser and the last runs of Appraiser of certain types or configurations.
+
+For the report XML schema see [Appraiser run result report](#appraiser-run-result-report).
+
+**UniversalTelemetryClient**
+This represents the state of the Universal Telemetry Client, or DiagTrack service.
+
+**UniversalTelemetryClient/UtcConfigurationDiagnosis**
+This represents various settings that affect whether the Universal Telemetry Client can upload data and how much data it can upload.
+
+**UniversalTelemetryClient/UtcConfigurationDiagnosis/TelemetryOptIn**
+An integer value representing what level of telemetry will be uploaded.
+
+Value type is integer. Supported operation is Get.
+
+The values are:
+- 0 == Security data will be sent
+- 1 == Basic telemetry will be sent
+- 2 == Enhanced telemetry will be sent
+- 3 == Full telemetry will be sent
+
+**UniversalTelemetryClient/UtcConfigurationDiagnosis/CommercialDataOptIn**
+An integer value representing whether the CommercialDataOptIn setting is allowing any data to upload.
+
+Value type is integer. Supported operation is Get.
+
+The values are:
+- 0 == Setting is disabled
+- 1 == Setting is enabled
+- 2 == Setting is not applicable to this version of Windows
+
+**UniversalTelemetryClient/UtcConfigurationDiagnosis/DiagTrackServiceRunning**
+A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data.
+
+Value type is bool. Supported operation is Get.
+
+**UniversalTelemetryClient/UtcConfigurationDiagnosis/MsaServiceEnabled**
+A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs.
+
+Value type is bool. Supported operation is Get.
+
+**UniversalTelemetryClient/UtcConfigurationDiagnosis/InternetExplorerTelemetryOptIn**
+An integer value representing what websites Internet Explorer will collect telemetry data for.
+
+Value type is integer. Supported operation is Get.
+
+The values are:
+- 0 == Telemetry collection is disabled
+- 1 == Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones
+- 2 == Telemetry collection is enabled for internet websites and restricted website zones
+- 3 == Telemetry collection is enabled for all websites
+- 0x7FFFFFFF == Telemetry collection is not configured
+
+**UniversalTelemetryClient/UtcConnectionReport**
+This provides an XML representation of the UTC connections during the most recent summary period.
+
+For the report XML schema, see [UTC connection report](#utc-connection-report).
+
+**WindowsErrorReporting**
+This represents the state of the Windows Error Reporting service.
+
+**WindowsErrorReporting/WerConfigurationDiagnosis**
+This represents various settings that affect whether the Windows Error Reporting service can upload data and how much data it can upload.
+
+**WindowsErrorReporting/WerConfigurationDiagnosis/WerTelemetryOptIn**
+An integer value indicating the amount of WER data that will be uploaded.
+
+Value type integer. Supported operation is Get.
+
+The values are:
+- 0 == Data will not send due to UTC opt-in
+- 1 == Data will not send due to WER opt-in
+- 2 == Basic WER data will send but not the complete set of data
+- 3 == The complete set of WER data will send
+
+
+**WindowsErrorReporting/WerConfigurationDiagnosis/MostRestrictiveSetting**
+An integer value representing which setting category (system telemetry, WER basic policies, WER advanced policies, and WER consent policies) is causing the overall WerTelemetryOptIn value to be restricted.
+
+Value type integer. Supported operation is Get.
+ +The values are: +- 0 == System telemetry settings are restricting uploads +- 1 == WER basic policies are restricting uploads +- 2 == WER advanced policies are restricting uploads +- 3 == WER consent policies are restricting uploads +- 4 == There are no restrictive settings + +**WindowsErrorReporting/WerConnectionReport** +This provides an XML representation of the most recent WER connections of various types. + +For the report XML schema, see [Windows Error Reporting connection report](#windows-error-reporting-connection-report). + +## XML schema for the reports + +### Appraiser run result report + +``` + + + + CSP schema for the Compatibility Appraiser Diagnostic CSP. + Schema defining the Win32CompatibilityAppraiser\CompatibilityAppraiser\AppraiserRunResultReport CSP node. + Copyright (c) Microsoft Corporation, all rights reserved. + + + + Defines a category of Appraiser run. + + + + + LastSecurityModeRunAttempt - The most recent run that was skipped because the "Allow Telemetry" setting was set to "Security". + + + + + LastEnterpriseRun - The most recent run that was invoked with the "ent" command line. + + + + + LastFatallyErroredRun - The most recent run that returned a failed "ErrorCode". + + + + + LastSuccessfulRun - The most recent run that returned a successful "ErrorCode". + + + + + LastFullSyncRun - The most recent run that attempted to upload a complete set of compatibility data (instead of only new data that was found since the previous run). + + + + + LastSuccessfulFullSyncRun - The most recent run that attempted to upload a complete set of compatibility data (instead of only new data that was found since the previous run) and also returned a successful "ErrorCode". + + + + + LastSuccessfulFromEnterprisePerspectiveRun - The most recent run that returned a successful "EnterpriseErrorCode". 
+ + + + + LastSuccessfulFromEnterprisePerspectiveEnterpriseRun - The most recent run that attempted to upload a complete set of compatibility data (instead of only new data that was found since the previous run) and also returned a successful "EnterpriseErrorCode". + + + + + LastSuccessfulFromEnterprisePerspectiveEnterpriseRun - The most recent run that was invoked with the "ent" command line and also returned a successful "EnterpriseErrorCode". + + + + + + + Represents the most recent run of the Compatibility Appraiser. + + + + + CurrentlyRunning - A boolean representing whether the specified Compatibility Appraiser run is still in progress. + + + + + CrashedOrInterrupted - A boolean representing whether the specified Compatibility Appraiser run ended before it finished scanning for compatibility data. + + + + + ErrorCode - An integer which is the HRESULT error code, of a type that is relevant to any computer, from the specified Compatibility Appraiser run. This may be a successful HRESULT code or a failure HRESULT code. + + + + + EnterpriseErrorCode - An integer which is the HRESULT error code, of a type that is relevant mainly to enterprise computers, from the specified Compatibility Appraiser run. This may be a successful HRESULT code or a failure HRESULT code. + + + + + RunStartTimestamp - The time when the specified Compatibility Appraiser run started. + + + + + RunEndTimestamp - The time when the specified Compatibility Appraiser run ended. + + + + + ComponentWhichCausedErrorCode - The name of the internal component, if any, which caused the ErrorCode node to be a failure value during the specified Compatibility Appraiser run. Note that the ErrorCode node might be a failure value for a reason other than an internal component failure. + + + + + ErroredComponent - The name of one of the internal components, if any, which encountered failure HRESULT codes during the specified Compatibility Appraiser run. 
A failure of an internal component may not necessarily cause the ErrorCode node to contain a failed HRESULT code. + + + + + + + Represents the most recent run of the Compatibility Appraiser that satisfied a particular condition. + + + + + ErrorCode - An integer which is the HRESULT error code, of a type that is relevant to any computer, from the specified Compatibility Appraiser run. This may be a successful HRESULT code or a failure HRESULT code. + + + + + EnterpriseErrorCode - An integer which is the HRESULT error code, of a type that is relevant mainly to enterprise computers, from the specified Compatibility Appraiser run. This may be a successful HRESULT code or a failure HRESULT code. + + + + + RunStartTimestamp - The time when the specified Compatibility Appraiser run started. + + + + + RunEndTimestamp - The time when the specified Compatibility Appraiser run ended. + + + + + ComponentWhichCausedErrorCode - The name of the internal component, if any, which caused the ErrorCode node to be a failure value during the specified Compatibility Appraiser run. Note that the ErrorCode node might be a failure value for a reason other than an internal component failure. + + + + + ErroredComponent - The name of one of the internal components, if any, which encountered failure HRESULT codes during the specified Compatibility Appraiser run. A failure of an internal component may not necessarily cause the ErrorCode node to contain a failed HRESULT code. + + + + + + RunCategory - A string which details the category of Appraiser run. + + + + + + Defines the latest run results for all known categories. + + + + + LastRunResult - Represents the most recent run of the Compatibility Appraiser. + + + + + LastRunResultForCategory - Represents the most recent run of the Compatibility Appraiser that satisfied a particular condition. + + + + + + +``` + +### UTC connection report + +``` + + + + CSP schema for the Compatibility Appraiser Diagnostic CSP. 
+ Schema defining the Win32CompatibilityAppraiser\UniversalTelemetryClient\UtcConnectionReport CSP node. + Copyright (c) Microsoft Corporation, all rights reserved. + + + + Defines the latest UTC connection results, if any. + + + + + ConnectionSummaryStartingTimestamp - The starting time of the most recent UTC summary window. + + + + + ConnectionSummaryEndingTimestamp - The ending time of the most recent UTC summary window. + + + + + TimestampOfLastSuccessfulUpload - The ending time of the most recent UTC summary window that included a successful data upload. + + + + + LastHttpErrorCode - The HTTP error code from the last failed internet connection. + + + + + ProxyDetected - A boolean value representing whether an internet connection during the summary window was directed through a proxy. + + + + + ConnectionsSuccessful - An integer value summarizing the success of internet connections during the summary window. The values are: 0 == "All connections failed", 1 == "Some connections succeeded and some failed", and 2 == "All connections succeeded". + + + + + DataUploaded - An integer value summarizing the success of data uploads during the summary window. The values are: 0 == "All data was dropped", 1 == "Some data was dropped and some was sent successfully", 2 == "All data was sent successfully", and 3 == "No data was present to upload". + + + + + AnyCertificateValidationFailures - A boolean value representing whether there were any failed attempts to validate certificates in the summary window. + + + + + LastCertificateValidationFailureCode - The most recent error code from a failed attempt at validating a certificate. + + + + + + + Lists results of UTC connections. + + + + + Defines the latest UTC connection results, if any. + + + + + + +``` + +### Windows Error Reporting connection report + +``` + + + + CSP schema for the Compatibility Appraiser Diagnostic CSP. + Schema defining the Win32CompatibilityAppraiser\WindowsErrorReporting\WerConnectionReport CSP node. 
+ Copyright (c) Microsoft Corporation, all rights reserved. + + + + LastNormalUploadSuccess - A summary of the last time WER successfully performed a normal data upload, if any. + + + + + Timestamp - The time when WER attempted the upload. + + + + + UploadDuration - The time taken while attempting the upload. + + + + + PayloadSize - The size of the payload that WER attempted to upload. + + + + + Protocol - The communication protocol that WER used during the upload. + + + + + Stage - The processing stage that WER was in when the upload ended. + + + + + BytesUploaded - The number of bytes that WER successfully uploaded. + + + + + ServerName - The name of the server that WER attempted to upload data to. + + + + + + + LastNormalUploadFailure - A summary of the last time WER failed to perform a normal data upload, if any. + + + + + Timestamp - The time when WER attempted the upload. + + + + + HttpExchangeResult - The result of the HTTP connection between WER and the server that it tried to upload to. + + + + + UploadDuration - The time taken while attempting the upload. + + + + + PayloadSize - The size of the payload that WER attempted to upload. + + + + + Protocol - The communication protocol that WER used during the upload. + + + + + Stage - The processing stage that WER was in when the upload ended. + + + + + RequestStatusCode - The status code returned by the server in response to the upload request. + + + + + BytesUploaded - The number of bytes that WER successfully uploaded. + + + + + ServerName - The name of the server that WER attempted to upload data to. + + + + + TransportHr - The HRESULT code encountered when transferring data to the server. + + + + + + + LastResumableUploadSuccess - A summary of the last time WER successfully performed a resumable data upload, if any. + + + + + Timestamp - The time when WER attempted the upload. + + + + + LastBlockId - The identifier of the most recent block of the payload that WER attempted to upload. 
+ + + + + TotalBytesUploaded - The number of bytes that WER successfully uploaded so far, possibly over multiple resumable upload attempts. + + + + + + + LastResumableUploadFailure - A summary of the last time WER failed to perform a resumable data upload, if any. + + + + + Timestamp - The time when WER attempted the upload. + + + + + HttpExchangeResult - The result of the HTTP connection between WER and the server that it tried to upload to. + + + + + LastBlockId - The identifier of the most recent block of the payload that WER attempted to upload. + + + + + TotalBytesUploaded - The number of bytes that WER successfully uploaded so far, possibly over multiple resumable upload attempts. + + + + + + + Defines the latest WER connection results, if any. + + + + + LastNormalUploadSuccess - A summary of the last time WER successfully performed a normal data upload, if any. + + + + + LastNormalUploadFailure - A summary of the last time WER failed to perform a normal data upload, if any. + + + + + LastResumableUploadSuccess - A summary of the last time WER successfully performed a resumable data upload, if any. + + + + + LastResumableUploadFailure - A summary of the last time WER failed to perform a resumable data upload, if any. + + + + + + + Lists results of WER connections. + + + + + Defines the latest WER connection results, if any. + + + + + + +``` \ No newline at end of file diff --git a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md new file mode 100644 index 0000000000..9b8a7d81c5 --- /dev/null +++ b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md 
@@ -0,0 +1,537 @@ +--- +title: Win32CompatibilityAppraiser DDF file +description: XML file containing the device description framework +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 07/19/2018 +--- + +# Win32CompatibilityAppraiser DDF file + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic shows the OMA DM device description framework (DDF) for the **Win32CompatibilityAppraiser** configuration service provider. + +Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). + +The XML below is for Windows 10, next major version. + +``` syntax + +]> + + 1.2 + + Win32CompatibilityAppraiser + ./Device/Vendor/MSFT + + + + + The root node for the Win32CompatibilityAppraiser configuration service provider. + + + + + + + + + + + com.microsoft/1.0/MDM/Win32CompatibilityAppraiser + + + + CompatibilityAppraiser + + + + + This represents the state of the Compatibility Appraiser. + + + + + + + + + + CompatibilityAppraiser + + + + + + AppraiserConfigurationDiagnosis + + + + + This represents various settings that affect whether the Compatibility Appraiser can collect and upload compatibility data. + + + + + + + + + + AppraiserConfigurationDiagnosis + + + + + + CommercialId + + + + + The unique identifier specifying what organization owns this device. This helps correlate telemetry after it has been uploaded. + + + + + + + + + + CommercialId + + text/plain + + + + + CommercialIdSetAndValid + + + + + A boolean value representing whether the CommercialId is set to a valid value. Valid values are strings in the form of GUIDs, with no surrounding braces. 
+ + + + + + + + + + CommercialIdSetAndValid + + text/plain + + + + + AllTargetOsVersionsRequested + + + + + A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked. + + + + + + + + + + AllTargetOsVersionsRequested + + text/plain + + + + + OsSkuIsValidForAppraiser + + + + + A boolean value indicating whether the current Windows SKU is able to run the Compatibility Appraiser. + + + + + + + + + + OsSkuIsValidForAppraiser + + text/plain + + + + + AppraiserCodeAndDataVersionsAboveMinimum + + + + + An integer value representing whether the installed versions of the Compatibility Appraiser code and data meet the minimum requirement to provide useful data. The values are: 0 == "Neither the code nor data is of a sufficient version", 1 == "The code version is insufficient but the data version is sufficient", 2 == "The code version is sufficient but the data version is insufficient", and 3 == "Both the code and data are of a sufficient version". + + + + + + + + + + AppraiserCodeVersionAboveMinimum + + text/plain + + + + + RebootPending + + + + + A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent. + + + + + + + + + + RebootPending + + text/plain + + + + + + AppraiserRunResultReport + + + + + This provides an XML representation of the last run of Appraiser and the last runs of Appraiser of certain types or configurations. + + + + + + + + + + AppraiserRunResultReport + + text/plain + + + + + + UniversalTelemetryClient + + + + + This represents the state of the Universal Telemetry Client, or DiagTrack service. 
+ + + + + + + + + + UniversalTelemetryClient + + + + + + UtcConfigurationDiagnosis + + + + + This represents various settings that affect whether the Universal Telemetry Client can upload data and how much data it can upload. + + + + + + + + + + UtcConfigurationDiagnosis + + + + + + TelemetryOptIn + + + + + An integer value representing what level of telemetry will be uploaded. The values are: 0 == "Security data will be sent", 1 == "Basic telemetry will be sent", 2 == "Enhanced telemetry will be sent", and 3 == "Full telemetry will be sent". + + + + + + + + + + TelemetryOptIn + + text/plain + + + + + CommercialDataOptIn + + + + + An integer value representing whether the CommercialDataOptIn setting is allowing any data to upload. The values are: 0 == "Setting is disabled", 1 == "Setting is enabled", and 2 == "Setting is not applicable to this version of Windows". + + + + + + + + + + CommercialDataOptIn + + text/plain + + + + + DiagTrackServiceRunning + + + + + A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data. + + + + + + + + + + DiagTrackServiceRunning + + text/plain + + + + + MsaServiceEnabled + + + + + A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs. + + + + + + + + + + MsaServiceEnabled + + text/plain + + + + + InternetExplorerTelemetryOptIn + + + + + An integer value representing what websites Internet Explorer will collect telemetry data for. The values are: 0 == "Telemetry collection is disabled", 1 == "Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones", 2 == "Telemetry collection is enabled for internet websites and restricted website zones", 3 == "Telemetry collection is enabled for all websites", and 0x7FFFFFFF == "Telemetry collection is not configured". 
+ + + + + + + + + + InternetExplorerTelemetryOptIn + + text/plain + + + + + + UtcConnectionReport + + + + + This provides an XML representation of the UTC connections during the most recent summary period. + + + + + + + + + + UtcConnectionReport + + text/plain + + + + + + WindowsErrorReporting + + + + + This represents the state of the Windows Error Reporting service. + + + + + + + + + + WindowsErrorReporting + + + + + + WerConfigurationDiagnosis + + + + + This represents various settings that affect whether the Windows Error Reporting service can upload data and how much data it can upload. + + + + + + + + + + WerConfigurationDiagnosis + + + + + + WerTelemetryOptIn + + + + + An integer value indicating the amount of WER data that will be uploaded. The values are: 0 == "Data will not send due to UTC opt-in", 1 == "Data will not send due to WER opt-in", 2 == "Basic WER data will send but not the complete set of data", and 3 == "The complete set of WER data will send". + + + + + + + + + + WerTelemetryOptIn + + text/plain + + + + + MostRestrictiveSetting + + + + + An integer value representing which setting category (system telemetry, WER basic policies, WER advanced policies, and WER consent policies) is causing the overall WerTelemetryOptIn value to be restricted. The values are: 0 == "System telemetry settings are restricting uploads", 1 == "WER basic policies are restricting uploads", 2 == "WER advanced policies are restricting uploads", 3 == "WER consent policies are restricting uploads", and 4 == "There are no restrictive settings". + + + + + + + + + + MostRestrictiveSetting + + text/plain + + + + + + WerConnectionReport + + + + + This provides an XML representation of the most recent WER connections of various types. + + + + + + + + + + WerConnectionReport + + text/plain + + + + + + +``` \ No newline at end of file 
diff --git a/windows/client-management/mdm/windows-mdm-enterprise-settings.md b/windows/client-management/mdm/windows-mdm-enterprise-settings.md
index a2f41aef35..0035d1b6dc 100644
--- a/windows/client-management/mdm/windows-mdm-enterprise-settings.md
+++ b/windows/client-management/mdm/windows-mdm-enterprise-settings.md
@@ -9,7 +9,7 @@
 ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
index 4e19920eef..642dc9ac95 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
@@ -6,7 +6,7 @@
 ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 11/01/2017
 ---
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
index d475e14ee4..eee40a5341 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
@@ -6,7 +6,7 @@
 ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 80bd272f42..6f359562af 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -5,12 +5,14 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/22/2018 +author: MariciaAlforque +ms.date: 08/02/2018 --- # WindowsDefenderApplicationGuard CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in the Application Guard. This CSP was added in Windows 10, version 1709. @@ -19,20 +21,19 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se ![windowsdefenderapplicationguard csp](images/provisioning-csp-windowsdefenderapplicationguard.png) **./Device/Vendor/MSFT/WindowsDefenderApplicationGuard** -

                  Root node. Supported operation is Get.

                  -

                  +Root node. Supported operation is Get. **Settings** -

                  Interior node. Supported operation is Get.

                  +Interior node. Supported operation is Get. **Settings/AllowWindowsDefenderApplicationGuard** -

                  Turn on Windows Defender Application Guard in Enterprise Mode. Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                  +Turn on Windows Defender Application Guard in Enterprise Mode. Value type is integer. Supported operations are Add, Get, Replace, and Delete. - 0 - Stops Application Guard in Enterprise Mode. Trying to access non-enterprise domains on the host will not automatically get transferred into the insolated environment. - 1 - Enables Application Guard in Enterprise Mode. Trying to access non-enterprise websites on the host will automatically get transferred into the container. **Settings/ClipboardFileType** -

                  Determines the type of content that can be copied from the host to Application Guard environment and vice versa. Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                  +Determines the type of content that can be copied from the host to Application Guard environment and vice versa. Value type is integer. Supported operations are Add, Get, Replace, and Delete. - 0 - Disables content copying. - 1 - Allow text copying. @@ -40,7 +41,7 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se - 3 - Allow text and image copying. **Settings/ClipboardSettings** -

                  This policy setting allows you to decide how the clipboard behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete

                  +This policy setting allows you to decide how the clipboard behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete - 0 (default) - Completely turns Off the clipboard functionality for the Application Guard. - 1 - Turns On clipboard operation from an isolated session to the host @@ -51,7 +52,7 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se > Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended. **Settings/PrintingSettings** -

                  This policy setting allows you to decide how the print functionality behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                  +This policy setting allows you to decide how the print functionality behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete. - 0 - Disables all print functionality (default) - 1 - Enables only XPS printing @@ -70,13 +71,13 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se - 15 - Enables all printing **Settings/BlockNonEnterpriseContent** -

                  This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                  +This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. Value type is integer. Supported operations are Add, Get, Replace, and Delete. -- 0 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Windows Defender Application Guard. -- 1 (default) - Non-enterprise sites can open outside of the Windows Defender Application Guard container, directly in Internet Explorer and Microsoft Edge. +- 0 (default) - Non-enterprise content embedded in enterprise sites is allowed to open outside of the Windows Defender Application Guard container, directly in Internet Explorer and Microsoft Edge.. +- 1 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Windows Defender Application Guard. **Settings/AllowPersistence** -

                  This policy setting allows you to decide whether data should persist across different sessions in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                  +This policy setting allows you to decide whether data should persist across different sessions in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete. - 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off. - 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions. @@ -93,29 +94,62 @@ Added in Windows 10, version 1803. This policy setting allows you to determine w - 0 (default) - The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0). - 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system. -**Status** -

                  Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Value type is integer. Supported operation is Get. +**Settings/FileTrustCriteria** +Placeholder for future use. Do not use in production code. -Bit 0 - Set to 1 when WDAG is enabled into enterprise manage mode +**Settings/FileTrustOriginRemovableMedia** +Placeholder for future use. Do not use in production code. + +**Settings/FileTrustOriginNetworkShare** +Placeholder for future use. Do not use in production code. + +**Settings/FileTrustOriginMarkOfTheWeb** +Placeholder for future use. Do not use in production code. + +**Settings/CertificateThumbprints** +Added in Windows 10, next major version. This policy setting allows certain Root Certificates to be shared with the Windows Defender Application Guard container. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + +If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. You can specify multiple certificates using a comma to separate the thumbprints for each certificate you want to transfer. + +Example: b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924 + +If you disable or don’t configure this setting, certificates are not shared with the Windows Defender Application Guard container. + +**Settings/AllowCameraMicrophoneRedirection** +Added in Windows 10, next major version. The policy allows you to determine whether applications inside Windows Defender Application Guard can access the device’s camera and microphone when these settings are enabled on the user’s device. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +If you enable this policy, applications inside Windows Defender Application Guard will be able to access the camera and microphone on the user’s device. 
+ +If you disable or don't configure this policy, applications inside Windows Defender Application Guard will be unable to access the camera and microphone on the user’s device. + +> [!Important] +> If you turn on this policy, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed. + +**Status** +Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Value type is integer. Supported operation is Get. + +Bit 0 - Set to 1 when WDAG is enabled into enterprise manage mode Bit 1 - Set to 1 when the client machine is Hyper-V capable Bit 2 - Set to 1 when the client machine has a valid OS license and SKU Bit 3 - Set to 1 when WDAG installed on the client machine Bit 4 - Set to 1 when required Network Isolation Policies are configured Bit 5 - Set to 1 when the client machine meets minimum hardware requirements -

                  - **InstallWindowsDefenderApplicationGuard** -

                  Initiates remote installation of Application Guard feature. Supported operations are Get and Execute.

                  +Initiates remote installation of Application Guard feature. Supported operations are Get and Execute. - Install - Will initiate feature install - Uninstall - Will initiate feature uninstall **Audit** -

                  Interior node. Supported operation is Get

                  +Interior node. Supported operation is Get **Audit/AuditApplicationGuard** -

                  This policy setting allows you to decide whether auditing events can be collected from Application Guard. Value type in integer. Supported operations are Add, Get, Replace, and Delete.

                  +This policy setting allows you to decide whether auditing events can be collected from Application Guard. Value type in integer. Supported operations are Add, Get, Replace, and Delete. - 0 (default) - - Audit event logs aren't collected for Application Guard. - 1 - Application Guard inherits its auditing policies from Microsoft Edge and starts to audit system events specifically for Application Guard. diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md index a5571745b5..dfda523b86 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md @@ -5,18 +5,20 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 03/22/2018 +author: MariciaAlforque +ms.date: 08/02/2018 --- # WindowsDefenderApplicationGuard DDF file +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **WindowsDefenderApplicationGuard** configuration service provider. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -This XML is for Windows 10, version 1803. +This XML is for Windows 10, next major version. ``` syntax @@ -42,7 +44,7 @@ This XML is for Windows 10, version 1803. - com.microsoft/1.2/MDM/WindowsDefenderApplicationGuard + com.microsoft/1.3/MDM/WindowsDefenderApplicationGuard 
@@ -248,6 +250,147 @@ This XML is for Windows 10, version 1803. + + FileTrustCriteria + + + + + + + + + + + + + + + + + + text/plain + + + + + FileTrustOriginRemovableMedia + + + + + + + + + + + + + + + + + + text/plain + + + + + FileTrustOriginNetworkShare + + + + + + + + + + + + + + + + + + text/plain + + + + + FileTrustOriginMarkOfTheWeb + + + + + + + + + + + + + + + + + + text/plain + + + + + CertificateThumbprints + + + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowCameraMicrophoneRedirection + + + + + + + + + + + + + + + + + + text/plain + + + Status diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index 5c09c194ae..1e61634c31 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -6,12 +6,15 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 10/09/2017 +author: MariciaAlforque +ms.date: 07/25/2018 --- # WindowsLicensing CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + The WindowsLicensing configuration service provider is designed for licensing related management scenarios. Currently the scope is limited to edition upgrades of Windows 10 desktop and mobile devices, such as Windows 10 Pro to Windows 10 Enterprise. In addition, this CSP provides the capability to activate or change the product key of Windows 10 desktop devices. The following diagram shows the WindowsLicensing configuration service provider in tree format. 
@@ -157,8 +160,27 @@ The data type is a chr. The supported operation is Get. +**SMode** +Interior node for managing S mode. +**SMode/SwitchingPolicy** +Added in Windows 10, next major version. Determines whether a consumer can switch the device out of S mode. This setting is only applicable to devices available in S mode. For examples, see [Add S mode SwitchingPolicy](#smode-switchingpolicy-add), [Get S mode SwitchingPolicy](#smode-switchingpolicy-get), [Replace S mode SwitchingPolicy](#smode-switchingpolicy-replace) and [Delete S mode SwitchingPolicy](#smode-switchingpolicy-delete) +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +Supported values: +- 0 - No Restriction: The user is allowed to switch the device out of S mode. +- 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node. + +**SMode/SwitchFromSMode** +Added in Windows 10, next major version. Switches a device out of S mode if possible. Does not reboot. For an example, see [Execute SwitchFromSMode](#smode-switchfromsmode-execute) + +Supported operation is Execute. + +**SMode/Status** +Added in Windows 10, next major version. Returns the status of the latest SwitchFromSMode set request. For an example, see [Get S mode status](#smode-status-example) + +Value type is integer. Supported operation is Get. ## SyncML examples @@ -293,6 +315,140 @@ The supported operation is Get.
                  ``` +**Get S mode status** + +``` + + + + 6 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/Status + + + + + + + +``` + +**Execute SwitchFromSMode** + +``` + + + + 5 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchFromSMode + + + + null + text/plain + + + + + + + +``` + +**Add S mode SwitchingPolicy** + +``` + + + + 4 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + int + text/plain + + 1 + + + + + +``` + +**Get S mode SwitchingPolicy** + +``` + + + + 2 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + + + + +``` + +**Replace S mode SwitchingPolicy** + +``` + + + + 1 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + int + text/plain + + 1 + + + + + +``` + +**Delete S mode SwitchingPolicy** + +``` + + + + 3 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + + + + +``` ## Related topics diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index 227863bf2d..8da5c10b5c 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md +++ b/windows/client-management/mdm/windowslicensing-ddf-file.md 
@@ -6,17 +6,20 @@ ms.author: maricia ms.topic: article ms.prod: w10 ms.technology: windows -author: nickbrower -ms.date: 12/05/2017 +author: MariciaAlforque +ms.date: 07/16/2017 --- # WindowsLicensing DDF file +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic shows the OMA DM device description framework (DDF) for the **WindowsLicensing** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version for this CSP. +The XML below is for Windows 10, next major version. ``` syntax @@ -42,7 +45,7 @@ The XML below is the current version for this CSP. - com.microsoft/1.2/MDM/WindowsLicensing + com.microsoft/1.3/MDM/WindowsLicensing @@ -294,21 +297,101 @@ The XML below is the current version for this CSP. + + SMode + + + + + + + + + + + + + + + + + + + SwitchingPolicy + + + + + + + + Policy that determines whether a consumer can switch the device out of S mode + + + + + + + + + + + + + + text/plain + + + + + SwitchFromSMode + + + + + Switches a device out of S mode if possible. Does not reboot. + + + + + + + + + + + + + + text/plain + + + + + Status + + + + + Returns the status of the latest SwitchFromSMode or SwitchingPolicy set request. + + + + + + + + + + + + + + text/plain + + + + -``` - -## Related topics - - -[WindowsLicensing configuration service provider](windowslicensing-csp.md) - -  - -  - - - - - - +``` \ No newline at end of file diff --git a/windows/client-management/mdm/windowssecurityauditing-csp.md b/windows/client-management/mdm/windowssecurityauditing-csp.md index 7bca9db9ee..c7ebdf2171 100644 --- a/windows/client-management/mdm/windowssecurityauditing-csp.md 
+++ b/windows/client-management/mdm/windowssecurityauditing-csp.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/windowssecurityauditing-ddf-file.md b/windows/client-management/mdm/windowssecurityauditing-ddf-file.md
index 4deb322275..666177f587 100644
--- a/windows/client-management/mdm/windowssecurityauditing-ddf-file.md
+++ b/windows/client-management/mdm/windowssecurityauditing-ddf-file.md
@@ -6,7 +6,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md
new file mode 100644
index 0000000000..6a06c59879
--- /dev/null
+++ b/windows/client-management/mdm/wirednetwork-csp.md
@@ -0,0 +1,34 @@ +--- +title: WiredNetwork CSP +description: The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that do not have GP to enable them to access corporate Internet over ethernet. +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 06/27/2018 +--- + +# WiredNetwork CSP + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that do not have GP to enable them to access corporate Internet over ethernet. This CSP was added in Windows 10, next major version. + +The following diagram shows the WiredNetwork configuration service provider in tree format. + +![WiredNetwork CSP diagram](images/provisioning-csp-wirednetwork.png) + +**./Device/Vendor/MSFT/WiredNetwork** +Root node. + +**LanXML** +Optional. XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/en-us/library/windows/desktop/aa816366(v=vs.85).aspx. + +Supported operations are Add, Get, Replace, and Delete. Value type is string. + +**EnableBlockPeriod** + Optional. Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. + +Supported operations are Add, Get, Replace, and Delete. Value type is integer. \ No newline at end of file diff --git a/windows/client-management/mdm/wirednetwork-ddf-file.md b/windows/client-management/mdm/wirednetwork-ddf-file.md new file mode 100644 index 0000000000..0a156256a0 --- /dev/null +++ b/windows/client-management/mdm/wirednetwork-ddf-file.md 
@@ -0,0 +1,167 @@ +--- +title: WiredNetwork DDF file +description: This topic shows the OMA DM device description framework (DDF) for the WiredNetwork configuration service provider. +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 06/28/2018 +--- + +# WiredNetwork DDF file + + +This topic shows the OMA DM device description framework (DDF) for the WiredNetwork configuration service provider. This CSP was added in Windows 10, version 1511. + +Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + WiredNetwork + ./User/Vendor/MSFT + + + + + + + + + + + + + + + + + + + LanXML + + + + + + + + XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/en-us/library/windows/desktop/aa816366(v=vs.85).aspx + + + + + + + + + + + text/plain + + + + + EnableBlockPeriod + + + + + + + + Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. + + + + + + + + + + + text/plain + + + + + + WiredNetwork + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + + LanXML + + + + + + + + XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/en-us/library/windows/desktop/aa816366(v=vs.85).aspx + + + + + + + + + + + text/plain + + + + + EnableBlockPeriod + + + + + + + + Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. + + + + + + + + + + + text/plain + + + + + +``` \ No newline at end of file 
diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
index 04bf8de073..05490b9d7c 100644
--- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md
+++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
@@ -9,7 +9,7 @@ ms.author: maricia
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: nickbrower
+author: MariciaAlforque
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md
index 1743b24de5..5cdfd4830b 100644
--- a/windows/client-management/new-policies-for-windows-10.md
+++ b/windows/client-management/new-policies-for-windows-10.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 10/24/2017
 ---
diff --git a/windows/client-management/reset-a-windows-10-mobile-device.md b/windows/client-management/reset-a-windows-10-mobile-device.md
index 107c7ea65a..92ca81cf5c 100644
--- a/windows/client-management/reset-a-windows-10-mobile-device.md
+++ b/windows/client-management/reset-a-windows-10-mobile-device.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: mobile
 author: jdeckerms
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 07/27/2017
 ---
diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md
index a330013d0d..56809c2ebb 100644
--- a/windows/client-management/windows-10-mobile-and-mdm.md
+++ b/windows/client-management/windows-10-mobile-and-mdm.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: mobile, devices, security
-ms.localizationpriority: high
+ms.localizationpriority: medium
 author: AMeeus
 ms.date: 09/21/2017
 ---
diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md
index 91abec238e..553e805d78 100644
--- a/windows/client-management/windows-10-support-solutions.md
+++ b/windows/client-management/windows-10-support-solutions.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.author: elizapo
 author: kaushika-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 11/08/2017
 ---
 # Top support solutions for Windows 10
diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md
new file mode 100644
index 0000000000..c1f35268c3
--- /dev/null
+++ b/windows/client-management/windows-version-search.md
@@ -0,0 +1,48 @@ +--- +title: What version of Windows am I running? +description: Discover which version of Windows you are running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or Semi-Annual Channel. +keywords: Long-Term Servicing Channel, LTSC, LTSB, Semi-Annual Channel, SAC, Windows, version, OS Build +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: kaushika-msft +ms.author: MikeBlodge +ms.date: 04/30/2018 +--- + +# What version of Windows am I running? + +To determine if your device is enrolled in the [Long-Term Servicing Channel](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [Semi-Annual Channel](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them. + +## System Properties +Click **Start** > **Settings** > **Settings** > click **About** from the bottom of the left-hand menu + +You'll now see **Edition**, **Version**, and **OS Build** information. Something like this: + +![screenshot of the system properties window for a device running Windows 10](images/systemcollage.png) + +## Using Keyword Search +You can simply type the following in the search bar and press **ENTER** to see version details for your device. 
+ +**“winver”** + +![screenshot of the About Windows display text](images/winver.png) + +**“msinfo”** or **"msinfo32"** to open **System Information**: + +![screenshot of the System Information display text](images/msinfo32.png) + +## Using Command Prompt or PowerShell +At the Command Prompt or PowerShell interface, type **"systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"** and then press **ENTER** + +![screenshot of system information display text](images/refcmd.png) + +At the Command Prompt or PowerShell, type **"slmgr /dlv"**, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the image below: + +![screenshot of software licensing manager](images/slmgr_dlv.png) + +## What does it all mean? + +The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (you do have some limited search capabilities), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. It’s important to remember that the LTSC model is primarily for specialized devices. + +In the Semi-Annual Channel, you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows 10 feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment. diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index 94d5785c9f..dad54fdffa 100644 --- a/windows/configuration/TOC.md +++ b/windows/configuration/TOC.md 
@@ -1,23 +1,20 @@ # [Configure Windows 10](index.md) -## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) -## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md) -## [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) -## [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) -## [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) -## [Windows 10, version 1709 diagnostic data for the Full level](windows-diagnostic-data.md) -## [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md) -## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md) -## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) -## [Manage Windows 10 connection endpoints](manage-windows-endpoints-version-1709.md) ## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) -## [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) -### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) -### [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) -### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) -### [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) +## [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) +## [Configure kiosks and digital signs on Windows desktop editions](kiosk-methods.md) 
+### [Prepare a device for kiosk configuration](kiosk-prepare.md) +### [Set up digital signs on Windows 10](setup-digital-signage.md) +### [Set up a single-app kiosk](kiosk-single-app.md) +### [Set up a multi-app kiosk](lock-down-windows-10-to-specific-apps.md) +### [More kiosk methods and reference information](kiosk-additional-reference.md) +#### [Validate your kiosk configuration](kiosk-validate.md) +#### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) +#### [Policies enforced on kiosk devices](kiosk-policies.md) +#### [Assigned access XML reference](kiosk-xml.md) +#### [Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md) +#### [Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) +#### [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) #### [Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) -#### [Use AppLocker to create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-applocker.md) -#### [Multi-app kiosk XML reference](multi-app-kiosk-xml.md) ## [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) ### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md) ### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](mobile-devices/provisioning-configure-mobile.md) 
@@ -72,6 +69,7 @@ ### [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-packages/provisioning-powershell.md) ### [Windows Configuration Designer command-line interface (reference)](provisioning-packages/provisioning-command-line.md) ### [Windows Configuration Designer provisioning settings (reference)](wcd/wcd.md) +#### [AccountManagement](wcd/wcd-accountmanagement.md) #### [Accounts](wcd/wcd-accounts.md) #### [ADMXIngestion](wcd/wcd-admxingestion.md) #### [ApplicationManagement](wcd/wcd-applicationmanagement.md) @@ -113,7 +111,8 @@ #### [OtherAssets](wcd/wcd-otherassets.md) #### [Personalization](wcd/wcd-personalization.md) #### [Policies](wcd/wcd-policies.md) -#### [ProvisioningCommands](wcd/wcd-provisioningcommands.md) +#### [ProvisioningCommands](wcd/wcd-provisioningcommands.md) +#### [RcsPresence](wcd/wcd-rcspresence.md) #### [SharedPC](wcd/wcd-sharedpc.md) #### [Shell](wcd/wcd-shell.md) #### [SMISettings](wcd/wcd-smisettings.md) @@ -130,6 +129,7 @@ #### [UniversalAppUninstall](wcd/wcd-universalappuninstall.md) #### [UsbErrorsOEMOverride](wcd/wcd-usberrorsoemoverride.md) #### [WeakCharger](wcd/wcd-weakcharger.md) +#### [WindowsHelloForBusiness](wcd/wcd-windowshelloforbusiness.md) #### [WindowsTeamSettings](wcd/wcd-windowsteamsettings.md) #### [WLAN](wcd/wcd-wlan.md) #### [Workplace](wcd/wcd-workplace.md) diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 457c50223b..6ec85f01c1 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md 
@@ -6,15 +6,68 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -ms.localizationpriority: high +ms.localizationpriority: medium author: jdeckerms -ms.date: 04/13/2018 +ms.author: jdecker +ms.topic: article +ms.date: 08/03/2018 --- # Change history for Configure Windows 10 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## August 2018 + +New or changed topic | Description +--- | --- +[Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | Added instructions for specifying multiple URLs in configuration settings for Kiosk Browser. + +## July 2018 + +New or changed topic | Description +--- | --- +[Configure kiosks and child topics](kiosk-methods.md) | Reorganized the information for configuring kiosks into new topics, and moved [Set up shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md). + +## June 2018 + +New or changed topic | Description +--- | --- +[Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) and [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Updated instructions for using Microsoft Intune to configure a kiosk. Added instructions for showing local accounts on the sign-in screen for domain-joined devices. +[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Added new Group Policy to remove "Recently added" list from Start menu. +|[Add image for secondary tiles](start-secondary-tiles.md#using-mdm) | Updated mobile device management (MDM) instructions. | + +## May 2018 + +New or changed topic | Description +--- | --- +[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Added note that Wi-Fi Sense is no longer available. 
+Topics about Windows 10 diagnostic data | Moved to [Windows Privacy](https://docs.microsoft.com/windows/privacy/). +[Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | Added information on Kiosk Browser settings and URL filtering. +[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Added details of event log entries to check for when customization is not applied as expected. +[Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) | Added Active Directory domain account to provisioning method. + +## RELEASE: Windows 10, version 1803 + +The topics in this library have been updated for Windows 10, version 1803. The following new topics have been added: + +- Windows Configuration Designer setting: [AccountManagement](wcd/wcd-accountmanagement.md) +- Windows Configuration Designer setting: [RcsPresence](wcd/wcd-rcspresence.md) + +The following topics were moved into the [Privacy](/windows/privacy/index) library: + +- [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization) +- [Diagnostic Data Viewer Overview](/windows/privacy/diagnostic-data-viewer-overview) +- [Windows 10, version 1803 basic level Windows diagnostic events and fields](/windows/privacy/basic-level-windows-diagnostic-events-and-fields) +- [Windows 10, version 1709 basic level Windows diagnostic events and fields](/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709) +- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703) +- [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields) +- [Windows 10, version 1709 diagnostic data for the Full 
level](/windows/privacy/windows-diagnostic-data) +- [Windows 10, version 1703 diagnostic data for the Full level](/windows/privacy/windows-diagnostic-data-1703) +- [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](/windows/privacy/gdpr-win10-whitepaper) +- [Manage connections from Windows operating system components to Microsoft services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services) +- [Manage Windows 10 connection endpoints](/windows/privacy/manage-windows-endpoints-version-1709) + ## April 2018 New or changed topic | Description @@ -27,7 +80,7 @@ New or changed topic | Description New or changed topic | Description --- | --- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) and [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) | Added events and fields that were added in the March update. -Set up a kiosk on Windows 10 Pro, Enterprise, or Education | Renamed it [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) and reorganized the information to make the choices clearer. +Set up a kiosk on Windows 10 Pro, Enterprise, or Education | Renamed it **Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education** and reorganized the information to make the choices clearer. ## February 2018 diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md index 495f5b8cb3..2317f9ef8e 100644 --- a/windows/configuration/changes-to-start-policies-in-windows-10.md +++ b/windows/configuration/changes-to-start-policies-in-windows-10.md 
@@ -6,8 +6,10 @@ keywords: ["group policy", "start menu", "start screen"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerms -ms.localizationpriority: high +author: coreyp +ms.author: coreyp +ms.topic: article +ms.localizationpriority: medium ms.date: 11/28/2017 --- diff --git a/windows/configuration/configure-devices-without-mdm.md b/windows/configuration/configure-devices-without-mdm.md deleted file mode 100644 index 6dbf9464c3..0000000000 --- a/windows/configuration/configure-devices-without-mdm.md +++ /dev/null 
@@ -1,203 +0,0 @@ ---- -title: Configure devices without MDM (Windows 10) -description: Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10. -keywords: runtime provisioning, provisioning package -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: mobile, devices -author: jdeckerms -ms.localizationpriority: medium -ms.date: 07/27/2017 ---- - -# Configure devices without MDM - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise. - -Sometimes mobile device management (MDM) isn't available to you for setting up a device because the device isn't connected to your network, or because an employee is remote and needs a fast replacement for a work device. You might not use MDM in your organization at all, but would like an easy way to place a standard configuration on multiple devices. - -Rather than wiping a device and applying a new system image, in Windows 10 you can apply a provisioning package at any time. A provisioning package can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. - -You can provide provisioning packages on a network shared folder that employees can access to configure their devices. Or you can put a provisioning package on a USB flash drive or SD card to hand out. - -Provisioning packages are simple for employees to install. And when they remove a provisioning package, policies that the package applied to their device are removed. - -## Advantages - - -- You can configure new devices without re-imaging. - -- Works on both mobile and desktop devices. - -- No network connectivity required. - -- Simple for people to apply. 
- -- Ensures compliance and security before a device is enrolled in MDM. - -## Typical use cases - - -- **Set up a new off-the-shelf device for an employee** - - Package might include edition upgrade, device name, company root certificate, Wi-Fi profile, domain join with service account, or company application. - -- **Configure an off-the-shelf mobile device to be used as a point of sale or inventory terminal** - - Package might include edition upgrade, device name, company root certificate, Wi-Fi profile, security policies, company application, or assigned access (also known as [kiosk mode](set-up-a-device-for-anyone-to-use.md). - -- **Help employees set up personally-owned devices to use for work** - - Package might include company root certificate, Wi-Fi profiles, security policies, or company application. - - > [!NOTE]   - > Test to make sure that removing the provisioning package from a personal device removes everything that the package installed. Some settings are not reverted when a provisioning package is removed from the device. - -   - -- **Repurpose devices by returning the device to a specific state between users** - - Package might include computer name, company root certificate, Wi-Fi profile, or company application. - - > [!NOTE]   - > To return the **Start** menu to a specific state, you must reset the device. When you reset the device, you can apply the provisioning package during the first-run experience. - -   - -For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). - -## Create a provisioning package - -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. 
[Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - -When you run Windows ICD, you have several options for creating your package. - -![Simple or advanced provisioning](images/ICDstart-option.png). - -- Choose **Simple provisioning** to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. -- Choose **Provision school devices** to quickly create provisioning packages that configure settings and policies tailored for students. Learn more about using Windows ICD to provision student PCs (link tb added). -- Choose **Advanced provisioning** to create provisioning packages in the advanced settings editor and include classic (Win32) and Universal Windows Platform (UWP) apps for deployment on end-user devices. - -> [!IMPORTANT] -> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -### Using Simple provisioning - -1. Open Windows ICD (by default, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`). -2. Click **Simple provisioning**. -2. Name your project and click **Finish**. -3. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length. -4. 
(Optional) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to. - - Home to Education - - Pro to Education - - Pro to Enterprise - - Enterprise to Education - - Mobile to Mobile Enterprise -5. Click **Set up network**. -6. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network. -7. Click **Enroll into Active Directory**. -8. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (Optional) Enter a user name and password to create a local administrator account. - - > [!WARNING] - > If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend: - > - >- Use a least-privileged domain account to join the device to the domain. - >- Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. - >- [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory. - -9. Click **Finish**. -10. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package. -11. Click **Create**. - - - -### Using Advanced provisioning - - - -1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). -2. 
Click **Advanced provisioning**. -3. Choose **New provisioning package**. -3. Name your project, and click **Next**. -4. Choose **All Windows editions**, **All Windows desktop editions**, or **All Windows mobile editions**, depending on the devices you intend to provision, and click **Next**. -5. On **New project**, click **Finish**. The workspace for your package opens. -6. Configure settings. [Learn more about specific settings in provisioning packages.]( https://go.microsoft.com/fwlink/p/?LinkId=615916) -7. On the **File** menu, select **Save.** -8. On the **Export** menu, select **Provisioning package**. -9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** -10. Set a value for **Package Version**. - > [!TIP]   - > You can make changes to existing packages and change the version number to update previously applied packages. -   -11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. - > [!IMPORTANT]   - > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. -   -12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location. 
- Optionally, you can click **Browse** to change the default output location. -13. Click **Next**. -14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status. - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. -15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. -16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: - - Shared network folder - - SharePoint site - - Removable media (USB/SD) - - Email - - USB tether (mobile only) - -Learn more: [Build and apply a provisioning package](https://go.microsoft.com/fwlink/p/?LinkID=629651) - -## Apply package - - -On a desktop computer, the employee goes to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install. The user can also add a provisioning package simply by double-clicking the .ppkg file in local storage, on removable media, or at a URL. 
- -![add a package option](images/package.png) - -On a mobile device, the employee goes to **Settings** > **Accounts** > **Provisioning.** > **Add a package**, and selects the package on removable media to install. - -![add provisioning package on phone](images/phoneprovision.png) - -## Manage a package - - -- Users can view details or delete package (if policy allows deletion); only user-installed packages are listed. - -- Deleting a package removes settings, profiles, certificates, and apps it contains. - -- Use policies to disable manual deletion of packages, installation of unsigned packages, or the installation of any additional packages. - -- Update content by installing a new package with same name and new version number. - -- Optionally, keep packages when you reset a mobile device. When you reset a desktop, runtime packages are removed. - - ![reset a device](images/resetdevice.png) - -## Learn more - - -- [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) - -  - -  - - - - - diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index ac50964c8f..6d89596e32 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md @@ -6,7 +6,9 @@ ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -ms.localizationpriority: high +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium ms.date: 01/18/2018 --- # Configure Windows 10 taskbar 
@@ -38,6 +40,7 @@ The following example shows how apps will be pinned: Windows default apps to the * If you are also [customizing the Start layout](customize-and-export-start-layout.md), use `Export-StartLayout` to create the XML, and then add the `` section from [the following sample](#sample-taskbar-configuration-added-to-start-layout-xml-file) to the file. * If you are only configuring the taskbar, use [the following sample](#sample-taskbar-configuration-xml-file) to create a layout modification XML file. 2. Edit and save the XML file. You can use [AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867) or Desktop Application Link Path to identify the apps to pin to the taskbar. + * Add `xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"` to the first line of the file, before the closing \>. * Use `` and [AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867) to pin Universal Windows Platform apps. * Use `` and Desktop Application Link Path to pin desktop applications. 3. Apply the layout modification XML file to devices using [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) or a [provisioning package created in Windows Imaging and Configuration Designer (Windows ICD)](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md index 6b93ce1102..010c42f839 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: eross-msft -ms.localizationpriority: high +ms.localizationpriority: medium ms.author: lizross ms.date: 10/05/2017 --- 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
index 9c79b266ad..a646a2dcb0 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.author: lizross
 ms.date: 10/05/2017
 ---
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
index 1b743a1911..0e837d83f8 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.author: lizross
 ms.date: 10/05/2017
 ---
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index 1621976e24..3221620058 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.author: lizross
 ms.date: 10/05/2017
 ---
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index 7e48ef64a7..6a00068066 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.author: lizross
 ms.date: 10/05/2017
 ---
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
index 830f7782ae..4cf4390dff 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.author: lizross
 ms.date: 10/05/2017
 ---
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index 96791c86c2..120cab00f0 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.author: lizross
 ms.date: 10/05/2017
 ---
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
index 1218dc7509..d0321e5668 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.author: lizross
 ms.date: 10/05/2017
 ---
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
index 4504ed425f..2e7ac51a07 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.author: lizross
 ms.date: 10/05/2017
 ---
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
index d2025be11b..855c5bd6e9 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.author: lizross
 ms.date: 10/05/2017
 ---
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
index 7cb8d019ef..b71fc4fb00 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.author: lizross
 ms.date: 10/05/2017
 ---
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
index 218fc912e2..260faf25db 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.author: lizross
 ms.date: 10/05/2017
 ---
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
index b12e6ac6a0..bdc80b5bab 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.author: lizross
 ms.date: 10/05/2017
 ---
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
index abe0b15cb3..f7a88cdb95 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.author: lizross
 ms.date: 10/05/2017
 ---
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
index 4e90a14bab..14f64e2e91 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.author: lizross
 ms.date: 10/05/2017
 ---
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index 2b16353cf8..4c3a24a318 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -7,7 +7,9 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -ms.localizationpriority: high +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium ms.date: 10/16/2017 --- @@ -89,9 +91,9 @@ When you have the Start layout that you want your users to see, use the [Export- **To export the Start layout to an .xml file** -1. Right Click Start, select **Windows PowerShell (Admin)**. +1. While signed in with the same account that you used to customize Start, right-click Start, and select **Windows PowerShell**. -2. At the Administrator: Windows PowerShell command prompt, enter the following command: +2. At the Windows PowerShell command prompt, enter the following command: `Export-StartLayout –path .xml ` diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 41f82753c8..23079316c5 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -7,8 +7,9 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -ms.localizationpriority: high +ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 11/15/2017 --- diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index 0fd4cae9da..2edbb87a07 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md @@ -7,6 +7,8 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms +ms.topic: article +ms.author: jdecker ms.localizationpriority: medium ms.date: 02/08/2018 --- 
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index c681c90ebd..9fcf13b975 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -7,6 +7,8 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms +ms.author: jdecker +ms.topic: article ms.localizationpriority: medium ms.date: 11/15/2017 --- diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index db93aea7b6..2ef8944586 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -1,14 +1,15 @@ --- title: Guidelines for choosing an app for assigned access (Windows 10) -description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app. +description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience. keywords: ["kiosk", "lockdown", "assigned access"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -ms.localizationpriority: high +ms.localizationpriority: medium ms.author: jdecker -ms.date: 10/20/2017 +ms.topic: article +ms.date: 08/03/2018 --- # Guidelines for choosing an app for assigned access (kiosk mode) 
@@ -42,25 +43,103 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t ## Guidelines for web browsers -Microsoft Edge and any third-party web browsers that can be set as a default browser have special permissions beyond that of most Windows apps. Microsoft Edge is not supported for assigned access. +In Windows 10, version 1803, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. -If you use a web browser as your assigned access app, consider the following tips: -- You can download browsers that are optimized to be used as a kiosk from the Microsoft Store. -- You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app: - - [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/) - - [WebView class](https://msdn.microsoft.com/library/windows/apps/windows.ui.xaml.controls.webview.aspx) - - [A web browser built with JavaScript as a Windows app](https://github.com/MicrosoftEdge/JSBrowser/tree/v1.0) +**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education). + +1. 
[Get **Kiosk Browser** in Microsoft Store for Business with offline license type.](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps) +2. [Deploy **Kiosk Browser** to kiosk devices.](https://docs.microsoft.com/microsoft-store/distribute-offline-apps) +3. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](provisioning-packages/provisioning-create-package.md). + +>[!NOTE] +>If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE). + +### Kiosk Browser settings + +Kiosk Browser settings | Use this setting to +--- | --- +Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.

                  For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs. +Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.

                  If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. +Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL. +Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL. +Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL. +Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser. +Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction. + +>[!IMPORTANT] +>To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer: +> +> 1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer. +>2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18). +>3. Insert the null character string in between each URL (e.g www.bing.comwww.contoso.com). +>4. Save the XML file. +>5. Open the project again in Windows Configuration Designer. +>6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed. 
+ + +>[!TIP] +>To enable the **End Session** button for Kiosk Browser in Intune, you must [create a custom OMA-URI policy](https://docs.microsoft.com/intune/custom-settings-windows-10) with the following information: +>- OMA-URI: ./Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton +>- Data type: Integer +>- Value: 1 + + +#### Rules for URLs in Kiosk Browser settings + +Kiosk Browser filtering rules are based on the [Chromium Project](https://www.chromium.org/Home). + +URLs can include: +- A valid port value from 1 to 65,535. +- The path to the resource. +- Query parameters. + +Additional guidelines for URLs: + +- If a period precedes the host, the policy filters exact host matches only. +- You cannot use user:pass fields. +- When both blocked URL and blocked URL exceptions apply with the same path length, the exception takes precedence. +- The policy searches wildcards (*) last. +- The optional query is a set of key-value and key-only tokens delimited by '&'. +- Key-value tokens are separated by '='. +- A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching. + +### Examples of blocked URLs and exceptions + +The following table describes the results for different combinations of blocked URLs and blocked URL exceptions. + +Blocked URL rule | Block URL exception rule | Result +--- | --- | --- +`*` | `contoso.com`
                  `fabrikam.com` | All requests are blocked unless it is to contoso.com, fabrikam.com, or any of their subdomains. +`contoso.com` | `mail.contoso.com`
                  `.contoso.com`
                  `.www.contoso.com` | Block all requests to contoso.com, except for the main page and its mail subdomain. +`youtube.com` | `youtube.com/watch?v=v1`
                  `youtube.com/watch?v=v2` | Blocks all access to youtube.com except for the specified videos (v1 and v2). + +The following table gives examples for blocked URLs. + +Entry | Result +--- | --- +`contoso.com` | Blocks all requests to contoso.com, www.contoso.com, and sub.www.contoso.com +`https://*` | Blocks all HTTPS requests to any domain. +`mail.contoso.com` | Blocks requests to mail.contoso.com but not to www.contoso.com or contoso.com +`.contoso.com` | Blocks contoso.com but not its subdomains, like subdomain.contoso.com. +`.www.contoso.com` | Blocks www.contoso.com but not its subdomains. +`*` | Blocks all requests except for URLs in the Blocked URL Exceptions list. +`*:8080` | Blocks all requests to port 8080. +`contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains. +`192.168.1.2` | Blocks requests to 192.168.1.2. +`youtube.com/watch?v=V1` | Blocks youtube video with id V1. + +### Other browsers + +>[!NOTE] +>Microsoft Edge and any third-party web browsers that can be set as a default browser have special permissions beyond that of most Windows apps. Microsoft Edge is not currently supported for assigned access. + + +You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app: +- [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/) +- [WebView class](https://msdn.microsoft.com/library/windows/apps/windows.ui.xaml.controls.webview.aspx) +- [A web browser built with JavaScript as a Windows app](https://github.com/MicrosoftEdge/JSBrowser/tree/v1.0) -**To block access to the file system from Internet Explorer's web address bar** -1. On the Start screen, type the following: - `gpedit.msc` -2. Press **Enter** or click the gpedit icon to launch the group policy editor. -3. 
In the group policy editor, navigate to **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**. -4. Select **Remove Run menu from Start Menu**, select **Disabled**, and click **Apply**. Disabling this policy prevents users from entering the following into the Internet Explorer Address Bar: - - A UNC path (\\\\*server*\\\\*share*) - - A local drive (C:\\) - - A local folder (\temp) ## Secure your information diff --git a/windows/configuration/images/kiosk-desktop.PNG b/windows/configuration/images/kiosk-desktop.PNG new file mode 100644 index 0000000000..cf74c646c7 Binary files /dev/null and b/windows/configuration/images/kiosk-desktop.PNG differ diff --git a/windows/configuration/images/kiosk-fullscreen-sm.png b/windows/configuration/images/kiosk-fullscreen-sm.png new file mode 100644 index 0000000000..b096d6837d Binary files /dev/null and b/windows/configuration/images/kiosk-fullscreen-sm.png differ diff --git a/windows/configuration/images/kiosk-fullscreen.PNG b/windows/configuration/images/kiosk-fullscreen.PNG new file mode 100644 index 0000000000..37ccd4f8a4 Binary files /dev/null and b/windows/configuration/images/kiosk-fullscreen.PNG differ diff --git a/windows/configuration/images/kiosk-intune.PNG b/windows/configuration/images/kiosk-intune.PNG new file mode 100644 index 0000000000..2cbe25c6a5 Binary files /dev/null and b/windows/configuration/images/kiosk-intune.PNG differ diff --git a/windows/configuration/images/kiosk-settings.PNG b/windows/configuration/images/kiosk-settings.PNG new file mode 100644 index 0000000000..51a4338371 Binary files /dev/null and b/windows/configuration/images/kiosk-settings.PNG differ diff --git a/windows/configuration/images/kiosk-wizard.png b/windows/configuration/images/kiosk-wizard.png new file mode 100644 index 0000000000..160e170e5c Binary files /dev/null and b/windows/configuration/images/kiosk-wizard.png differ 
diff --git a/windows/configuration/images/kiosk.png b/windows/configuration/images/kiosk.png
new file mode 100644
index 0000000000..868ea31bb1
Binary files /dev/null and b/windows/configuration/images/kiosk.png differ
diff --git a/windows/configuration/images/office-logo.png b/windows/configuration/images/office-logo.png
new file mode 100644
index 0000000000..cd6d504301
Binary files /dev/null and b/windows/configuration/images/office-logo.png differ
diff --git a/windows/configuration/images/set-assignedaccess.png b/windows/configuration/images/set-assignedaccess.png
new file mode 100644
index 0000000000..c2899361eb
Binary files /dev/null and b/windows/configuration/images/set-assignedaccess.png differ
diff --git a/windows/configuration/images/user.PNG b/windows/configuration/images/user.PNG
new file mode 100644
index 0000000000..d1386d4a0d
Binary files /dev/null and b/windows/configuration/images/user.PNG differ
diff --git a/windows/configuration/images/windows.png b/windows/configuration/images/windows.png
new file mode 100644
index 0000000000..e3889eff6a
Binary files /dev/null and b/windows/configuration/images/windows.png differ
diff --git a/windows/configuration/index.md b/windows/configuration/index.md
index d8cfdf2e49..11ec530a2c 100644
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@@ -8,7 +8,9 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: high
 author: jdeckerms
-ms.date: 01/15/2018
+ms.author: jdecker
+ms.topic: article
+ms.date: 05/11/2018
 ---
 # Configure Windows 10
@@ -19,17 +21,9 @@ Enterprises often need to apply custom configurations to devices for their users | Topic | Description | | --- | --- | -| [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | Use this article to make informed decisions about how you can configure Windows diagnostic data in your organization. | -|[Diagnostic Data Viewer overview](diagnostic-data-viewer-overview.md) |Learn about the categories of diagnostic data your device is sending to Microsoft, along with how it's being used.| -| [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1709. | -| [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)| Learn about diagnostic data that is collected at the basic level in Windows 10, version 1703.| -| [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)|Learn about diagnostic data that is collected by Windows Analytics.| -| [Windows 10, version 1709 diagnostic data for the Full telemetry level](windows-diagnostic-data.md) | Learn about diagnostic data that is collected at the full level in Windows 10, version 1709. | -| [Windows 10, version 1703 diagnostic data for the Full telemetry level](windows-diagnostic-data-1703.md) | Learn about diagnostic data that is collected at the full level in Windows 10, version 1703. 
| -|[Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)|Learn about Windows 10 and the upcoming GDPR-compliance requirements.| -| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. | | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. | -| [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) | These topics help you configure Windows 10 devices to be shared by multiple users or to run as a kiosk device that runs a single app. | +| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. | +| [Configure kiosk and digital signage devices running Windows 10 desktop editions](kiosk-methods.md) | These topics help you configure Windows 10 devices to run as a kiosk device. | | [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) | These topics help you configure the features and apps and Start screen for a device running Windows 10 Mobile, as well as how to configure a kiosk device that runs a single app. 
| | [Configure cellular settings for tablets and PCs](provisioning-apn.md) | Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. | | [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md) | A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. | diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md new file mode 100644 index 0000000000..8260c569cf --- /dev/null +++ b/windows/configuration/kiosk-additional-reference.md 
@@ -0,0 +1,37 @@
+---
+title: More kiosk methods and reference information (Windows 10)
+description: Find more information for configuring, validating, and troubleshooting kiosk configuration.
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: medium
+ms.date: 07/30/2018
+---
+
+# More kiosk methods and reference information
+
+
+**Applies to**
+
+- Windows 10 Pro, Enterprise, and Education
+
+
+## In this section
+
+Topic | Description
+--- | ---
+[Validate your kiosk configuration](kiosk-validate.md) | This topic explain what to expect on a multi-app kiosk.
+[Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | These guidelines will help you choose an appropriate Windows app for your assigned access experience.
+[Policies enforced on kiosk devices](kiosk-policies.md) | Learn about the policies enforced on a device when you configure it as a kiosk.
+[Assigned access XML reference](kiosk-xml.md) | The XML and XSD for kiosk device configuration.
+[Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps.
+[Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface.
+[Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class.
+[Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration.
+
+
+
+
diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md
new file mode 100644
index 0000000000..d2c46dcb4c
--- /dev/null
+++ b/windows/configuration/kiosk-mdm-bridge.md
@@ -0,0 +1,86 @@ +--- +title: Use MDM Bridge WMI Provider to create a Windows 10 kiosk (Windows 10) +description: Environments that use Windows Management Instrumentation (WMI)can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. +ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC +keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.localizationpriority: medium +ms.date: 07/30/2018 +--- + +# Use MDM Bridge WMI Provider to create a Windows 10 kiosk + + +**Applies to** + +- Windows 10 Pro, Enterprise, and Education + +Environments that use [Windows Management Instrumentation (WMI)](https://msdn.microsoft.com/library/aa394582.aspx) can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the MDM_AssignedAccess class. See [PowerShell Scripting with WMI Bridge Provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/using-powershell-scripting-with-the-wmi-bridge-provider) for more details about using a PowerShell script to configure AssignedAccess. + +Here’s an example to set AssignedAccess configuration: + +1. Download the [psexec tool](https://technet.microsoft.com/sysinternals/bb897553.aspx). +2. Run `psexec.exe -i -s cmd.exe`. +3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell. +4. 
Execute the following script: + +```ps +$nameSpaceName="root\cimv2\mdm\dmmap" +$className="MDM_AssignedAccess" +$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className +$obj.Configuration = @" +<?xml version="1.0" encoding="utf-8" ?> +<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"> + <Profiles> + <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"> + <AllAppsList> + <AllowedApps> + <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> + <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> + <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> + <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> + <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> + <App DesktopAppPath="%windir%\system32\mspaint.exe" /> + <App DesktopAppPath="C:\Windows\System32\notepad.exe" /> + </AllowedApps> + </AllAppsList> + <StartLayout> + <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> + <LayoutOptions StartTileGroupCellWidth="6" /> + <DefaultLayoutOverride> + <StartLayoutCollection> + <defaultlayout:StartLayout GroupCellWidth="6"> + <start:Group Name="Group1"> + <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> + <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> + <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> + <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> + <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> + 
</start:Group> + <start:Group Name="Group2"> + <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" /> + <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" /> + </start:Group> + </defaultlayout:StartLayout> + </StartLayoutCollection> + </DefaultLayoutOverride> + </LayoutModificationTemplate> + ]]> + </StartLayout> + <Taskbar ShowTaskbar="true"/> + </Profile> + </Profiles> + <Configs> + <Config> + <Account>MultiAppKioskUser</Account> + <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/> + </Config> + </Configs> +</AssignedAccessConfiguration> +"@ + +Set-CimInstance -CimInstance $obj +``` diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md new file mode 100644 index 0000000000..a142517a28 --- /dev/null +++ b/windows/configuration/kiosk-methods.md @@ -0,0 +1,77 @@ +--- +title: Configure kiosks and digital signs on Windows desktop editions (Windows 10) +description: Learn about the methods for configuring kiosks. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: jdeckerms +ms.date: 07/30/2018 +--- + +# Configure kiosks and digital signs on Windows desktop editions + +Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. Windows 10 offers two different locked-down experiences for public or specialized use: + +| | | +--- | --- + | **A single-app kiosk**, which runs a single Universal Windows Platform (UWP) app in fullscreen above the lockscreen. People using the kiosk can see only that app.

                  When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.

                  A single-app kiosk is ideal for public use.

                  (Using [ShellLauncher WMI](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen.) | ![Illustration of a full-screen kiosk experience](images/kiosk-fullscreen.png) + | **A multi-app kiosk**, which runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types.

                  A multi-app kiosk is appropriate for devices that are shared by multiple people.

                  When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. | ![Illustration of a kiosk Start screen](images/kiosk-desktop.png) + +Kiosk configurations are based on **Assigned Access**, a feature in Windows 10 that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. + +There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions. + +| | | +--- | --- +![icon that represents apps](images/office-logo.png) | **Which type of app will your kiosk run?** Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), simply select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md) +![icon that represents a kiosk](images/kiosk.png) | **Which type of kiosk do you need?** If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#uwp) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop). +![icon that represents Windows](images/windows.png) | **Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. 
+![icon that represents a user account](images/user.png) | **Which type of user account will be the kiosk account?** The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method. + + + +## Methods for a single-app kiosk running a UWP app + +You can use this method | For this edition | For this kiosk account type +--- | --- | --- +[Assigned access in Settings](kiosk-single-app.md#local) | Pro, Ent, Edu | Local standard user +[Assigned access cmdlets](kiosk-single-app.md#powershell) | Pro, Ent, Edu | Local standard user +[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Azure AD +[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD + + +## Methods for a single-app kiosk running a Windows desktop application + +You can use this method | For this edition | For this kiosk account type +--- | --- | --- +[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Azure AD +[ShellLauncher WMI](kiosk-shelllauncher.md) | Ent, Edu | Local standard user, Active Directory, Azure AD +[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD + + +## Methods for a multi-app kiosk + +You can use this method | For this edition | For this kiosk account type +--- | --- | --- +[XML in a provisioning 
package](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Active Directory, Azure AD +[Microsoft Intune or other MDM](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Azure AD +[MDM WMI Bridge Provider](kiosk-mdm-bridge.md) | Pro, Ent, Edu | Local standard user, Active Directory, Azure AD + +## Summary of kiosk configuration methods + +Method | App type | Account type | Single-app kiosk | Multi-app kiosk +--- | --- | --- | :---: | :---: +[Assigned access in Settings](kiosk-single-app.md#local) | UWP | Local account | X | +[Assigned access cmdlets](kiosk-single-app.md#powershell) | UWP | Local account | X | +[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | +[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | X +Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Azure AD | X | X +[ShellLauncher WMI](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | X | +[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | | X + + +>[!NOTE] +>For devices running Windows 10 Enterprise and Education, version 1703 and earlier, you can use [AppLocker](lock-down-windows-10-applocker.md) to lock down a device to specific apps. + diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md new file mode 100644 index 0000000000..18b9247b19 --- /dev/null +++ b/windows/configuration/kiosk-policies.md 
@@ -0,0 +1,82 @@ +--- +title: Policies enforced on kiosk devices (Windows 10) +description: Learn about the policies enforced on a device when you configure it as a kiosk. +ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 +keywords: ["lockdown", "app restrictions", "applocker"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: edu, security +author: jdeckerms +ms.localizationpriority: medium +ms.date: 07/30/2018 +ms.author: jdecker +--- + +# Policies enforced on kiosk devices + + +**Applies to** + +- Windows 10 Pro, Enterprise, and Education + + + +It is not recommended to set policies enforced in assigned access kiosk mode to different values using other channels, as the kiosk mode has been optimized to provide a locked-down experience. + +When the assigned access kiosk configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. + + +## Group Policy + +The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This includes local users, domain users, and Azure Active Directory users. 
+ +| Setting | Value | +| --- | --- | +Remove access to the context menus for the task bar | Enabled +Clear history of recently opened documents on exit | Enabled +Prevent users from customizing their Start Screen | Enabled +Prevent users from uninstalling applications from Start | Enabled +Remove All Programs list from the Start menu | Enabled +Remove Run menu from Start Menu | Enabled +Disable showing balloon notifications as toast | Enabled +Do not allow pinning items in Jump Lists | Enabled +Do not allow pinning programs to the Taskbar | Enabled +Do not display or track items in Jump Lists from remote locations | Enabled +Remove Notifications and Action Center | Enabled +Lock all taskbar settings | Enabled +Lock the Taskbar | Enabled +Prevent users from adding or removing toolbars | Enabled +Prevent users from resizing the taskbar | Enabled +Remove frequent programs list from the Start Menu | Enabled +Remove Pinned programs from the taskbar | Enabled +Remove the Security and Maintenance icon | Enabled +Turn off all balloon notifications | Enabled +Turn off feature advertisement balloon notifications | Enabled +Turn off toast notifications | Enabled +Remove Task Manager | Enabled +Remove Change Password option in Security Options UI | Enabled +Remove Sign Out option in Security Options UI | Enabled +Remove All Programs list from the Start Menu | Enabled – Remove and disable setting +Prevent access to drives from My Computer | Enabled - Restrict all drivers + +>[!NOTE] +>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears expalining that a setting prevents the action. 
This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. + + + +## MDM policy + + +Some of the MDM policies based on the [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (i.e. system-wide). + +Setting | Value | System-wide + --- | --- | --- +[Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes +[Start/AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes +Start/HidePeopleBar | 1 - True (hide) | No +[Start/HideChangeAccountSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes +[WindowsInkWorkspace/AllowWindowsInkWorkspace](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes +[Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No +[WindowsLogon/DontDisplayNetworkSelectionUI](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes + diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md new file mode 100644 index 0000000000..1a38681d7c --- /dev/null +++ b/windows/configuration/kiosk-prepare.md 
@@ -0,0 +1,81 @@
+---
+title: Prepare a device for kiosk configuration (Windows 10)
+description: Some tips for device settings on kiosks.
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: medium
+ms.date: 07/30/2018
+---
+
+# Prepare a device for kiosk configuration
+
+
+**Applies to**
+
+- Windows 10 Pro, Enterprise, and Education
+
+>[!WARNING]
+>For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account.
+>
+>Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
+
+
+For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk:
+
+Recommendation | How to
+--- | ---
+Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:

                  `HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`

                  [Learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002)

                  You must restart the device after changing the registry. +Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign. +Hide **Ease of access** feature on the sign-in screen. | Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. +Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. +Remove the power button from the sign-in screen. | Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** +Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. +Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. +Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.

                  **NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. + +In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in. + +>[!TIP] +>If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML. + + +**How to edit the registry to have an account sign in automatically** + +1. Open Registry Editor (regedit.exe). + + >[!NOTE]   + >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). +   + +2. Go to + + **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon** + +3. Set the values for the following keys. + + - *AutoAdminLogon*: set value as **1**. + + - *DefaultUserName*: set value as the account that you want signed in. + + - *DefaultPassword*: set value as the password for the account. + + > [!NOTE] + > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. + + - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. + +4. Close Registry Editor. The next time the computer restarts, the account will sign in automatically. 
+
+>[!TIP]
+>You can also configure automatic sign-in [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon).
+
+
+
+
+
+
+
diff --git a/windows/configuration/kiosk-shared-pc.md b/windows/configuration/kiosk-shared-pc.md
deleted file mode 100644
index e8eb951b8c..0000000000
--- a/windows/configuration/kiosk-shared-pc.md
+++ /dev/null
@@ -1,24 +0,0 @@ ---- -title: Configure kiosk and shared devices running Windows desktop editions (Windows 10) -description: -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: jdeckerms -ms.date: 08/08/2017 ---- - -# Configure kiosk and shared devices running Windows desktop editions - -Some desktop devices in an enterprise serve a special purpose, such as a common PC in a touchdown space that any employee can sign in to, or a PC in the lobby that customers can use to view your product catalog. Windows 10 is easy to configure for shared use or for use as a kiosk (single app). - -## In this section - -| Topic | Description | -| --- | --- | -| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. | -| [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select. | -| [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. This topic provides guidelines to help you choose an approprate app for a kiosk device. | -| [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. 
For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. | \ No newline at end of file diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md new file mode 100644 index 0000000000..30bb50f7de --- /dev/null +++ b/windows/configuration/kiosk-shelllauncher.md 
@@ -0,0 +1,201 @@
+---
+title: Use Shell Launcher to create a Windows 10 kiosk (Windows 10)
+description: A single-use device such as a digital sign is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: medium
+ms.date: 07/30/2018
+---
+
+# Use Shell Launcher to create a Windows 10 kiosk
+
+
+**Applies to**
+>App type: Windows desktop application
+>
+>OS edition: Windows 10 Ent, Edu
+>
+>Account type: Local standard user or administrator, Active Directory, Azure AD
+
+
+Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on.
+
+>[!NOTE]
+>You can also configure a kiosk device that runs a Windows desktop application by using the [Provision kiosk devices wizard](#wizard).
+
+>[!WARNING]
+>- Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image.
+>- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell.
+
+### Requirements
+
+- A domain or local user account.
+
+- A Windows desktop application that is installed for that account.
The app can be your own company application or a common app like Internet Explorer. + +[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603) + + +### Configure Shell Launcher + +To set a Windows desktop application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell. + +**To turn on Shell Launcher in Windows features** + +1. Go to Control Panel > **Programs and features** > **Turn Windows features on or off**. + +2. Expand **Device Lockdown**. + +2. Select **Shell Launcher** and **OK**. + +Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or the Deployment Image Servicing and Management (DISM.exe) tool. + +**To turn on Shell Launcher using DISM** + +1. Open a command prompt as an administrator. +2. Enter the following command. + + ``` + Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher + ``` + +**To set your custom shell** + +Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device. 
+ +``` +# Check if shell launcher license is enabled +function Check-ShellLauncherLicenseEnabled +{ + [string]$source = @" +using System; +using System.Runtime.InteropServices; + +static class CheckShellLauncherLicense +{ + const int S_OK = 0; + + public static bool IsShellLauncherLicenseEnabled() + { + int enabled = 0; + + if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) { + enabled = 0; + } + + return (enabled != 0); + } + + static class NativeMethods + { + [DllImport("Slc.dll")] + internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value); + } + +} +"@ + + $type = Add-Type -TypeDefinition $source -PassThru + + return $type[0]::IsShellLauncherLicenseEnabled() +} + +[bool]$result = $false + +$result = Check-ShellLauncherLicenseEnabled +"`nShell Launcher license enabled is set to " + $result +if (-not($result)) +{ + "`nThis device doesn't have required license to use Shell Launcher" + exit +} + +$COMPUTER = "localhost" +$NAMESPACE = "root\standardcimv2\embedded" + +# Create a handle to the class instance so we can call the static methods. +try { + $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting" + } catch [Exception] { + write-host $_.Exception.Message; + write-host "Make sure Shell Launcher feature is enabled" + exit + } + + +# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. + +$Admins_SID = "S-1-5-32-544" + +# Create a function to retrieve the SID for a user account on a machine. + +function Get-UsernameSID($AccountName) { + + $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName) + $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) + + return $NTUserSID.Value + +} + +# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script. 
+ +$Cashier_SID = Get-UsernameSID("Cashier") + +# Define actions to take when the shell program exits. + +$restart_shell = 0 +$restart_device = 1 +$shutdown_device = 2 + +# Examples. You can change these examples to use the program that you want to use as the shell. + +# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. + +$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device) + +# Display the default shell to verify that it was added correctly. + +$DefaultShellObject = $ShellLauncherClass.GetDefaultShell() + +"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction + +# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed. + +$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell) + +# Set Explorer as the shell for administrators. + +$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe") + +# View all the custom shells defined. + +"`nCurrent settings for custom shells:" +Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction + +# Enable Shell Launcher + +$ShellLauncherClass.SetEnabled($TRUE) + +$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() + +"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled + +# Remove the new custom shells. + +$ShellLauncherClass.RemoveCustomShell($Admins_SID) + +$ShellLauncherClass.RemoveCustomShell($Cashier_SID) + +# Disable Shell Launcher + +$ShellLauncherClass.SetEnabled($FALSE) + +$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() + +"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled +``` diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md new file mode 100644 index 0000000000..dc55bd5004 --- /dev/null 
+++ b/windows/configuration/kiosk-single-app.md
@@ -0,0 +1,244 @@
+---
+title: Set up a single-app kiosk (Windows 10)
+description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: medium
+ms.date: 07/30/2018
+---
+
+# Set up a single-app kiosk
+
+
+**Applies to**
+
+- Windows 10 Pro, Enterprise, and Education
+
+
+
+| | |
+--- | ---
+A single-app kiosk uses the Assigned Access feature to run a single app above the lockscreen.

                  When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. | ![Illustration of a single-app kiosk experience](images/kiosk-fullscreen-sm.png) + +You have several options for configuring your single-app kiosk. + +Method | Description +--- | --- +[Assigned access in Settings](#local) | The **Assigned Access** option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.

                  This method is supported on Windows 10 Pro, Enterprise, and Education. +[PowerShell](#powershell) | You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.

                  This method is supported on Windows 10 Pro, Enterprise, and Education. +[The kiosk wizard in Windows Configuration Designer](#wizard) | Windows Configuration Designer is a tool that produces a *provisioning package*, which is a package of configuration settings that can be applied to one or more devices during the first-run experience (OOBE) or after OOBE is done (runtime). You can also create the kiosk user account and install the kiosk app, as well as other useful settings, using the kiosk wizard.

                  This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education. +[Microsoft Intune or other mobile device management (MDM) provider](#mdm) | For managed devices, you can use MDM to set up a kiosk configuration.

                  This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education. + + +>[!TIP] +>You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile). + + + + +## Set up a kiosk in local Settings + +>App type: UWP +> +>OS edition: Windows 10 Pro, Ent, Edu +> +>Account type: Local standard user + +You can use **Settings** to quickly configure one or a few devices as a kiosk. When you set up a kiosk (also known as *assigned access*) in **Settings**, you must select a local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) + +![The Set up assigned access page in Settings](images/kiosk-settings.png) + +**To set up assigned access in PC settings** + +1. Go to **Start** > **Settings** > **Accounts** > **Other people**. + +2. Choose **Set up assigned access**. + +3. Choose an account. + +4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). + +5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on. + +To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. + +When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. 
+ +- If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do. + +- If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. + +![Screenshot of automatic sign-in setting](images/auto-signin.png) + + + + + + +## Set up a kiosk using Windows PowerShell + + +>App type: UWP +> +>OS edition: Windows 10 Pro, Ent, Edu +> +>Account type: Local standard user + +![PowerShell windows displaying Set-AssignedAccess cmdlet](images/set-assignedaccess.png) + +You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. + +Before you run the cmdlet: + +1. Log in as administrator. +2. [Create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) for Assigned Access. +3. Log in as the Assigned Access user account. +4. Install the Universal Windows app that follows the assigned access/above the lock guidelines. +5. Log out as the Assigned Access user account. +6. Log in as administrator. + +To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. 
+ +**Configure assigned access by AppUserModelID and user name** + +``` +Set-AssignedAccess -AppUserModelId -UserName +``` +**Configure assigned access by AppUserModelID and user SID** + +``` +Set-AssignedAccess -AppUserModelId -UserSID +``` +**Configure assigned access by app name and user name** + +``` +Set-AssignedAccess -AppName -UserName +``` +**Configure assigned access by app name and user SID** + +``` +Set-AssignedAccess -AppName -UserSID +``` + +> [!NOTE] +> To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. + +[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). + +[Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**). + +[Learn how to get the SID](https://go.microsoft.com/fwlink/p/?LinkId=615517). + +To remove assigned access, using PowerShell, run the following cmdlet. + +``` +Clear-AssignedAccess +``` + + + +## Set up a kiosk using the kiosk wizard in Windows Configuration Designer + +>App type: UWP or Windows desktop application +> +>OS edition: Windows 10 Pro (version 1709 and later) for UWP only; Ent, Edu for both app types +> +>Account type: Local standard user, Active Directory + +![Kiosk wizard option in Windows Configuration Designer](images/kiosk-wizard.png) + + +>[!IMPORTANT] +>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). + +When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Windows desktop application. 
+ + +[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table. + + + + + + + + + + + + +
                  ![step one](images/one.png)![set up device](images/set-up-device.png)

                  Enable device setup if you want to configure settings on this page.

                  **If enabled:**

                  Enter a name for the device.

                  (Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

                  Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

                  You can also select to remove pre-installed software from the device.
                  ![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)
                  ![step two](images/two.png) ![set up network](images/set-up-network.png)

                  Enable network setup if you want to configure settings on this page.

                  **If enabled:**

                  Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
                  ![Enter network SSID and type](images/set-up-network-details.png)
                  ![step three](images/three.png) ![account management](images/account-management.png)

                  Enable account management if you want to configure settings on this page.

                  **If enabled:**

                  You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

                  To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

                  Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

                  **Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

                  To create a local administrator account, select that option and enter a user name and password.

                  **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
                  ![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
                  ![step four](images/four.png) ![add applications](images/add-applications.png)

                  You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)

                  **Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application.
                  ![add an application](images/add-applications-details.png)
                  ![step five](images/five.png) ![add certificates](images/add-certificates.png)

                  To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
                  ![add a certificate](images/add-certificates-details.png)
                  ![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

                  You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

                  If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.

                  In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.
                  ![Configure kiosk account and app](images/kiosk-account-details.png)
                  ![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)

                  On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.
                  ![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)
                  ![finish](images/finish.png)

                  You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
                  ![Protect your package](images/finish-details.png)
                  + + +>[!NOTE] +>If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** + +>[!IMPORTANT] +>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + + + + +[Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md) + + + + + +  + + + +## Set up a kiosk or digital sign using Microsoft Intune or other MDM service + +>App type: UWP +> +>OS edition: Windows 10 Pro (version 1709), Ent, Edu +> +>Account type: Local standard user, Azure AD + +![The configuration settings for single-app kiosk in Microsoft Intune](images/kiosk-intune.png) + +Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode. + +>[!TIP] +>Starting in Windows 10, version 1803, a ShellLauncher node has been added to the [AssignedAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). + +The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider. + +**To configure kiosk in Microsoft Intune** + +2. 
In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. +3. Select **Device configuration**. +4. Select **Profiles**. +5. Select **Create profile**. +6. Enter a friendly name for the profile. +7. Select **Windows 10 and later** for the platform. +8. Select **Device restrictions** for the profile type. +9. Select **Kiosk**. +10. In **Kiosk Mode**, select **Single app kiosk**. +1. Enter the user account (Azure AD or a local standard user account). +11. Enter the Application User Model ID for an installed app. +14. Select **OK**, and then select **Create**. +18. Assign the profile to a device group to configure the devices in that group as kiosks. + + + +## Sign out of assigned access + +To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account. + +If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: + +**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI** + +To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. + +  + + + diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md new file mode 100644 index 0000000000..9281f546da --- /dev/null +++ b/windows/configuration/kiosk-validate.md 
@@ -0,0 +1,94 @@ +--- +title: Validate kiosk configuration (Windows 10) +description: This topic explains what to expect on a multi-app kiosk. +ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC +keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.localizationpriority: medium +ms.date: 07/30/2018 +--- + +# Validate kiosk configuration + + +**Applies to** + +- Windows 10 Pro, Enterprise, and Education + +To identify the provisioning packages applied to a device, go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device. + +Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**. + +To test the kiosk, sign in with the assigned access user account you specified in the configuration to check out the multi-app experience. + +>[!NOTE] +>The kiosk configuration setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience. + +The following sections explain what to expect on a multi-app kiosk. + +### App launching and switching experience + +In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window. + +The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. 
They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar. + +### Start changes + +When the assigned access user signs in, you should see a restricted Start experience: +- Start gets launched in full screen and prevents the end user from accessing the desktop. +- Start shows the layout aligned with what you defined in the multi-app configuration XML. +- Start prevents the end user from changing the tile layout. + - The user cannot resize, reposition, and unpin the tiles. + - The user cannot pin additional tiles on the start. +- Start hides **All Apps** list. +- Start hides all the folders on Start (including File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, HomeGroup, Network, and Personal folders). +- Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start).) +- Start hides **Change account settings** option under **User** button. + +### Taskbar changes + +If the applied multi-app configuration enables taskbar, when the assigned access user signs in, you should see a restricted Taskbar experience: +- Disables context menu of Start button (Quick Link) +- Disables context menu of taskbar +- Prevents the end user from changing the taskbar +- Disables Cortana and Search Windows +- Hides notification icons and system icons, e.g. Action Center, People, Windows Ink Workspace +- Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings + +### Blocked hotkeys + +The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience. 
+ +| Hotkey | Action | +| --- | --- | +| Windows logo key + A | Open Action center | +| Windows logo key + Shift + C | Open Cortana in listening mode | +| Windows logo key + D | Display and hide the desktop | +| Windows logo key + Alt + D | Display and hide the date and time on the desktop | +| Windows logo key + E | Open File Explorer | +| Windows logo key + F | Open Feedback Hub | +| Windows logo key + G | Open Game bar when a game is open | +| Windows logo key + I | Open Settings | +| Windows logo key + J | Set focus to a Windows tip when one is available. | +| Windows logo key + O | Lock device orientation | +| Windows logo key + Q | Open search | +| Windows logo key + R | Open the Run dialog box | +| Windows logo key + S | Open search | +| Windows logo key + X | Open the Quick Link menu | +| Windows logo key + comma (,) | Temporarily peek at the desktop | +| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) | + + + +### Locked-down Ctrl+Alt+Del screen + +The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience. + +### Auto-trigger touch keyboard + +In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You don’t need to configure any other setting to enforce this behavior. + + diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md new file mode 100644 index 0000000000..9be99277a6 --- /dev/null +++ b/windows/configuration/kiosk-xml.md 
@@ -0,0 +1,305 @@ +--- +title: Assigned Access configuration kiosk XML reference (Windows 10) +description: XML and XSD for kiosk device configuration. +ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 +keywords: ["lockdown", "app restrictions", "applocker"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: edu, security +author: jdeckerms +ms.localizationpriority: medium +ms.date: 07/30/2018 +ms.author: jdecker +ms.topic: article +--- + +# Assigned Access configuration (kiosk) XML reference + + +**Applies to** + +- Windows 10 + +## Full XML sample + +>[!NOTE] +>Updated for Windows 10, version 1803. + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + domain\account + + + + AzureAD\john@contoso.onmicrosoft.com + + + + localaccount + + + + + + + + + + + + + + + + + + + + + +``` +## Kiosk only sample XML + +```xml + + + + + + + + + + singleappuser + + + + +``` + + +## XSD for AssignedAccess configuration XML + +>[!NOTE] +>Updated for Windows 10, version 1803. + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` \ No newline at end of file diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md index 8615847512..876d2a663d 100644 --- a/windows/configuration/lock-down-windows-10-applocker.md +++ b/windows/configuration/lock-down-windows-10-applocker.md 
@@ -8,9 +8,10 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: edu, security
 author: jdeckerms
-ms.localizationpriority: high
-ms.date: 08/14/2017
+ms.localizationpriority: medium
+ms.date: 07/30/2018
 ms.author: jdecker
+ms.topic: article
 ---
 
 # Use AppLocker to create a Windows 10 kiosk that runs multiple apps
@@ -36,7 +37,7 @@ This topic describes how to lock down apps on a local device. You can also use A
 
 ## Install apps
 
-First, install the desired apps on the device for the target user account(s). This works for both Store and Win32. For Store apps, you must log on as that user for the app to install. For Win32 you can install an app for all users without logging on to the particular account.
+First, install the desired apps on the device for the target user account(s). This works for both Unified Windows Platform (UWP) apps and Windows desktop apps. For UWP apps, you must log on as that user for the app to install. For desktop apps, you can install an app for all users without logging on to the particular account.
 
 ## Use AppLocker to set rules for apps
 
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index ef5ecb4d6b..7793d23b83 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -1,5 +1,5 @@
 ---
-title: Create a Windows 10 kiosk that runs multiple apps (Windows 10)
+title: Set up a multi-app kiosk (Windows 10)
 description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps.
 ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
 keywords: ["lockdown", "app restrictions", "applocker"]
@@ -8,33 +8,36 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: edu, security author: jdeckerms -ms.localizationpriority: high -ms.date: 02/08/2018 +ms.localizationpriority: medium +ms.date: 07/30/2018 ms.author: jdecker +ms.topic: article --- -# Create a Windows 10 kiosk that runs multiple apps +# Set up a multi-app kiosk **Applies to** - Windows 10 Pro, Enterprise, and Education -A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) has been expanded to make it easy for administrators to create kiosks that run more than one app. -The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. +A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. In Windows 10, version 1803, you can also: + +- Configure [a single-app kiosk profile](#profile) in your XML file. +- Assign [group accounts to a config profile](#config-for-group-accounts). +- Configure [an account to sign in automatically](#config-for-autologon-account). 
+ +The benefit of a kiosk with desktop that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. >[!WARNING] ->The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](#policies-set-by-multi-app-kiosk-configuration) are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access. +>The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access. You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision). ## Configure a kiosk in Microsoft Intune -Watch how to use Intune to configure a multi-app kiosk. - ->[!VIDEO https://www.microsoft.com/videoplayer/embed/ce9992ab-9fea-465d-b773-ee960b990c4a?autoplay=false] 1. [Generate the Start layout for the kiosk device.](#startlayout) 2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. 
@@ -43,22 +46,23 @@ Watch how to use Intune to configure a multi-app kiosk. 5. Select **Create profile**. 6. Enter a friendly name for the profile. 7. Select **Windows 10 and later** for the platform. -8. Select **Device restrictions** for the profile type. -9. Select **Kiosk**. -10. In **Kiosk Mode**, select **Multi app kiosk**. -11. Select **Add** to define a configuration, which specifies the apps that will run and the layout for the Start menu. +8. Select **Kiosk (Preview)** for the profile type. +9. Select **Kiosk - 1 setting available**. +10. Select **Add** to define a configuration, which specifies the apps that will run and the layout for the Start menu. 12. Enter a friendly name for the configuration. -13. Select an app type, either **Win32 App** for a classic desktop application or **UWP App** for a Universal Windows Platform app. - - For **Win32 App**, enter the fully qualified pathname of the executable, with respect to the device. - - For **UWP App**, enter the Application User Model ID for an installed app. +10. In **Kiosk Mode**, select **Multi app kiosk**. +13. Select an app type. + - For **Add Win32 app**, enter a friendly name for the app in **App Name**, and enter the path to the app executable in **Identifier**. + - For **Add managed apps**, select an app that you manage through Intune. + - For **Add app by AUMID**, enter the Application User Model ID (AUMID) for an installed UWP app. 14. Select whether to enable the taskbar. 15. Browse to and select the Start layout XML file that you generated in step 1. 16. Add one or more accounts. When the account signs in, only the apps defined in the configuration will be available. 17. Select **OK**. You can add additional configurations or finish. 18. Assign the profile to a device group to configure the devices in that group as kiosks. - - +>[!NOTE] +>Managed apps are apps that are in the Microsoft Store for Business that is synced with your Intune subscription. 
## Configure a kiosk using a provisioning package @@ -72,12 +76,12 @@ Watch how to use a provisioning package to configure a multi-app kiosk. >[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false] -If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](#bridge). +If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md). ### Prerequisites -- Windows Configuration Designer (Windows 10, version 1709) -- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 +- Windows Configuration Designer (Windows 10, version 1709 or later) +- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 or later >[!NOTE] >For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk. 
@@ -121,7 +125,12 @@ You can start your file by pasting the following XML (or any other examples in t #### Profile -A profile section in the XML has the following entries: +There are two types of profiles that you can specify in the XML: + +- **Lockdown profile**: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen. +- **Kiosk profile**: New in Windows 10, version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile will not see the desktop, but only the kiosk app running in full-screen mode. + +A lockdown profile section in the XML has the following entries: - [**Id**](#id) @@ -131,6 +140,13 @@ A profile section in the XML has the following entries: - [**Taskbar**](#taskbar) +A kiosk profile in the XML has the following entries: + +- [**Id**](#id) + +- [**KioskModeApp**](#kioskmodeapp) + + ##### Id @@ -144,7 +160,7 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can ##### AllowedApps -**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Classic Windows desktop apps. +**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps. When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. 
@@ -250,15 +266,55 @@ The following example hides the taskbar: >[!NOTE] >This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden. +##### KioskModeApp + +**KioskModeApp** is used for a [kiosk profile](#profile) only. Enter the AUMID for a single app. You can only specify one kiosk profile in the XML. + +```xml + +``` + +>[!IMPORTANT] +>The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Azure Active Direcotry account could potentially compromise confidential information. + + #### Configs Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, Start layout, and taskbar configuration, as well as other local group policies or mobile device management (MDM) policies set as part of the multi-app experience. -The full multi-app assigned access experience can only work for non-admin users. It’s not supported to associate an admin user with the assigned access profile; doing this in the XML file will result in unexpected/unsupported experiences when this admin user signs in. +The full multi-app assigned access experience can only work for non-admin users. It’s not supported to associate an admin user with the assigned access profile; doing this in the XML file will result in unexpected/unsupported experiences when this admin user signs in. 
+You can assign: +- [A local standard user account that signs in automatically](#config-for-autologon-account) (Applies to Windows 10, version 1803 only) +- [An individual account, which can be local, domain, or Azure Active Directory (Azure AD)](#config-for-individual-accounts) +- [A group account, which can be local, Active Directory (domain), or Azure AD](#config-for-group-accounts) (Applies to Windows 10, version 1803 only) + +>[!NOTE] +>Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request. + +##### Config for AutoLogon Account + +When you use `` and the configuration is applied to a device, the specified account (managed by Assigned Access) is created on the device as a local standard user account. The specified account is signed in automatically after restart. + +On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).) + +```xml + + + + + + +``` + +>[!IMPORTANT] +>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). + +##### Config for individual accounts + +Individual accounts are specified using ``. -The account can be local, domain, or Azure Active Directory (Azure AD). Groups are not supported. 
- Local account can be entered as `machinename\account` or `.\account` or just `account`. - Domain account should be entered as `domain\account`. - Azure AD account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided AS IS (consider it’s a fixed domain name), then follow with the Azure AD email address, e.g. **AzureAD\someone@contoso.onmicrosoft.com**. 
@@ -284,10 +340,43 @@ Before applying the multi-app configuration, make sure the specified user accoun +##### Config for group accounts + +Group accounts are specified using ``. Nested groups are not supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A will not have the kiosk experience. + +- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. + + ```xml + + + + + ``` +- Domain group: Both security and distribution groups are supported. Specify the group type as **ActiveDirectoryGroup**. Use the domain name as the prefix in the name attribute. + + ```xml + + + + + ``` + +- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. + + ```xml + + + + + ``` + + >[!NOTE] + >If an Azure AD group is configured with a lockdown profile on a device, a user in the Azure AD group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out. + ### Add XML file to provisioning package -Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](multi-app-kiosk-xml.md#xsd-for-assignedaccess-configuration-xml). +Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](kiosk-xml.md#xsd-for-assignedaccess-configuration-xml). Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md) 
@@ -350,6 +439,8 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime"). +>[!TIP] +>In addition to the methods below, you can use the PowerShell comdlet [install-provisioningpackage](https://docs.microsoft.com/powershell/module/provisioning/Install-ProvisioningPackage?view=win10-ps) with `-LogsDirectoryPath` to get logs for the operation. #### During initial setup, from a USB drive @@ -387,10 +478,7 @@ Provisioning packages can be applied to a device during the first-run experience -### Validate provisioning -- Go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device, including the one you applied for the multi-app configuration. -- Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**. 
@@ -404,147 +492,9 @@ If your device is enrolled with a MDM server which supports applying the assigne The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configuration`. - -## Use MDM Bridge WMI Provider to configure assigned access - -Environments that use WMI can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the MDM_AssignedAccess class. See [PowerShell Scripting with WMI Bridge Provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/using-powershell-scripting-with-the-wmi-bridge-provider) for more details about using a PowerShell script to configure AssignedAccess. - -Here’s an example to set AssignedAccess configuration: - -1. Download the [psexec tool](https://technet.microsoft.com/sysinternals/bb897553.aspx). -2. Run `psexec.exe -i -s cmd.exe`. -3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell. -4. Execute the following script: - -```ps -$nameSpaceName="root\cimv2\mdm\dmmap" -$className="MDM_AssignedAccess" -$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className -$obj.Configuration = @" -<?xml version="1.0" encoding="utf-8" ?> -<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"> - <Profiles> - <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"> - <AllAppsList> - <AllowedApps> - <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> - <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> - <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> - <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> - <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> - <App DesktopAppPath="%windir%\system32\mspaint.exe" /> - <App DesktopAppPath="C:\Windows\System32\notepad.exe" /> - </AllowedApps> - </AllAppsList> - <StartLayout> - <![CDATA[<LayoutModificationTemplate 
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> - <LayoutOptions StartTileGroupCellWidth="6" /> - <DefaultLayoutOverride> - <StartLayoutCollection> - <defaultlayout:StartLayout GroupCellWidth="6"> - <start:Group Name="Group1"> - <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> - <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> - <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> - <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> - <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> - </start:Group> - <start:Group Name="Group2"> - <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" /> - <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" /> - </start:Group> - </defaultlayout:StartLayout> - </StartLayoutCollection> - </DefaultLayoutOverride> - </LayoutModificationTemplate> - ]]> - </StartLayout> - <Taskbar ShowTaskbar="true"/> - </Profile> - </Profiles> - <Configs> - <Config> - <Account>MultiAppKioskUser</Account> - <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/> - </Config> - </Configs> -</AssignedAccessConfiguration> -"@ - -Set-CimInstance -CimInstance $obj -``` - - -## Validate multi-app kiosk configuration - -Sign in with the assigned access user account you specified in the configuration to check out the multi-app experience. 
- ->[!NOTE] ->The setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience. - -The following sections explain what to expect on a multi-app kiosk. - -### App launching and switching experience - -In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window. - -The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar. - -### Start changes - -When the assigned access user signs in, you should see a restricted Start experience: -- Start gets launched in full screen and prevents the end user from accessing the desktop. -- Start shows the layout aligned with what you defined in the multi-app configuration XML. -- Start prevents the end user from changing the tile layout. - - The user cannot resize, reposition, and unpin the tiles. - - The user cannot pin additional tiles on the start. -- Start hides **All Apps** list. -- Start hides all the folders on Start (including File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, HomeGroup, Network, and Personal folders). -- Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start).) -- Start hides **Change account settings** option under **User** button. 
- -### Taskbar changes - -If the applied multi-app configuration enables taskbar, when the assigned access user signs in, you should see a restricted Taskbar experience: -- Disables context menu of Start button (Quick Link) -- Disables context menu of taskbar -- Prevents the end user from changing the taskbar -- Disables Cortana and Search Windows -- Hides notification icons and system icons, e.g. Action Center, People, Windows Ink Workspace -- Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings - -### Blocked hotkeys - -The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience. - -| Hotkey | Action | -| --- | --- | -| Windows logo key + A | Open Action center | -| Windows logo key + Shift + C | Open Cortana in listening mode | -| Windows logo key + D | Display and hide the desktop | -| Windows logo key + Alt + D | Display and hide the date and time on the desktop | -| Windows logo key + E | Open File Explorer | -| Windows logo key + F | Open Feedback Hub | -| Windows logo key + G | Open Game bar when a game is open | -| Windows logo key + I | Open Settings | -| Windows logo key + J | Set focus to a Windows tip when one is available. | -| Windows logo key + O | Lock device orientation | -| Windows logo key + Q | Open search | -| Windows logo key + R | Open the Run dialog box | -| Windows logo key + S | Open search | -| Windows logo key + X | Open the Quick Link menu | -| Windows logo key + comma (,) | Temporarily peek at the desktop | -| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) | -### Locked-down Ctrl+Alt+Del screen - -The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience. 
- -### Auto-trigger touch keyboard - -In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You don’t need to configure any other setting to enforce this behavior. @@ -602,7 +552,7 @@ Lock the Taskbar | Enabled Prevent users from adding or removing toolbars | Enabled Prevent users from resizing the taskbar | Enabled Remove frequent programs list from the Start Menu | Enabled -Remove Pinned programs from the taskbar | Enabled +Remove ‘Map Network Drive’ and ‘Disconnect Network Drive’ | Enabled Remove the Security and Maintenance icon | Enabled Turn off all balloon notifications | Enabled Turn off feature advertisement balloon notifications | Enabled 
@@ -626,9 +576,19 @@ Some of the MDM policies based on the [Policy configuration service provider (CS
 Setting | Value | System-wide
 --- | --- | ---
 [Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes
+[Start/AllowPinnedFolderDocuments](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes
+[Start/AllowPinnedFolderDownloads](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdownloads) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes
+[Start/AllowPinnedFolderFileExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes
+[Start/AllowPinnedFolderHomeGroup](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes
+[Start/AllowPinnedFolderMusic](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes
+[Start/AllowPinnedFolderNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes
+[Start/AllowPinnedFolderPersonalFolder](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes
+[Start/AllowPinnedFolderPictures](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes
 [Start/AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes
-Start/HidePeopleBar | 1 - True (hide) | No
-[Start/HideChangeAccountSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes
+[Start/AllowPinnedFolderVideos](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes
+Start/DisableContextMenus | 1 - Context menus are hidden for Start apps | No
+[Start/HidePeopleBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-hidepeoplebar) | 1 - True (hide) | No
+[Start/HideChangeAccountSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes
 [WindowsInkWorkspace/AllowWindowsInkWorkspace](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes
 [Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No
 [WindowsLogon/DontDisplayNetworkSelectionUI](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes
@@ -636,7 +596,7 @@ Start/HidePeopleBar | 1 - True (hide) | No ## Provision .lnk files using Windows Configuration Designer -First, create your desktop app's shortcut file by installing the app on a test device. Right-click the installed application, and choose **Send to** > **Desktop (create shortcut)**. Rename the shortcut to `.lnk` +First, create your desktop app's shortcut file by installing the app on a test device, using the default installation location. Right-click the installed application, and choose **Send to** > **Desktop (create shortcut)**. Rename the shortcut to `.lnk` Next, create a batch file with two commands. If the desktop app is already installed on the target device, skip the first command for MSI install. @@ -647,6 +607,13 @@ copy .lnk "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\ **DeviceContext**: -- Under **CommandFiles**, upload your batch file, your .lnk file, and your desktop app installation file -- Under **CommandLine**, enter cmd /c *FileName*.bat +- Under **CommandFiles**, upload your batch file, your .lnk file, and your desktop app installation file. + >[!IMPORTANT] + >Paste the full file path to the .lnk file in the **CommandFiles** field. If you browse to and select the .lnk file, the file path will be changed to the path of the target of the .lnk. + +- Under **CommandLine**, enter `cmd /c *FileName*.bat`. + +## Other methods + +Environments that use WMI can use the [MDM Bridge WMI Provider to configure a kiosk](kiosk-mdm-bridge.md). \ No newline at end of file diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md index c52043f754..1628b1c866 100644 --- a/windows/configuration/lockdown-features-windows-10.md +++ b/windows/configuration/lockdown-features-windows-10.md 
@@ -8,7 +8,9 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: jdeckerms
-ms.localizationpriority: high
+ms.author: jdecker
+ms.topic: article
+ms.localizationpriority: medium
 ms.date: 07/27/2017
 ---
@@ -50,10 +52,10 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be

                  Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via Turn Windows Features On/Off. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.

                  -

                  [Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on

                  +

                  [Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Windows desktop application on sign-on

                  [Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=618603)

                  Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the SMISettings category.

                  -

                  Learn [how to use Shell Launcher to create a kiosk device](https://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Classic Windows application.

                  +

                  Learn [how to use Shell Launcher to create a kiosk device](https://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Windows desktop application.

                  [Application Launcher]( https://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on

diff --git a/windows/configuration/manage-tips-and-suggestions.md b/windows/configuration/manage-tips-and-suggestions.md
index 6d5acafa78..4f327eb125 100644
--- a/windows/configuration/manage-tips-and-suggestions.md
+++ b/windows/configuration/manage-tips-and-suggestions.md
@@ -7,7 +7,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: devices
 author: jdeckerms
-ms.localizationpriority: high
+ms.author: jdecker
+ms.topic: article
+ms.localizationpriority: medium
 ms.date: 09/20/2017
 ---
@@ -45,7 +47,7 @@ Windows 10, version 1607 (also known as the Anniversary Update), provides organi
 | Windows 10 Pro Education | Yes (default) | Yes | No (setting cannot be changed) |
 | Windows 10 Education | Yes (default) | Yes | No (setting cannot be changed) |
-[Learn more about policy settings for Windows Spotlight.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)
+[Learn more about policy settings for Windows Spotlight.](windows-spotlight.md)
 ## Related topics
diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md
index 9cb8223eed..068422a836 100644
--- a/windows/configuration/manage-wifi-sense-in-enterprise.md
+++ b/windows/configuration/manage-wifi-sense-in-enterprise.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: mobile
 author: eross-msft
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 05/02/2018
 ---
 # Manage Wi-Fi Sense in your company
@@ -18,7 +18,8 @@ ms.date: 07/27/2017
 - Windows 10
 - Windows 10 Mobile
->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
+>[!IMPORTANT]
+>Beginning with Windows 10, version 1803, Wifi-Sense is no longer available. The following information only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) for more details.
 Wi-Fi Sense learns about open Wi-Fi hotspots your Windows PC or Windows phone connects to by collecting information about the network, like whether the open Wi-Fi network has a high-quality connection to the Internet. By using that information from your device and from other Wi-Fi Sense customers' devices too, Wi-Fi Sense builds a database of these high-quality networks. When you’re in range of one of these Wi-Fi hotspots, you automatically get connected to it.
diff --git a/windows/configuration/manage-windows-endpoints-version-1709.md b/windows/configuration/manage-windows-endpoints-version-1709.md
deleted file mode 100644
index 1ce981a341..0000000000
--- a/windows/configuration/manage-windows-endpoints-version-1709.md
+++ /dev/null
@@ -1,761 +0,0 @@ ---- -title: Windows 10 connection endpoints -description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. -keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: high -author: brianlic-msft -ms.author: brianlic -ms.date: 11/21/2017 ---- -# Manage Windows 10 connection endpoints - -**Applies to** - -- Windows 10, version 1709 - -Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: - -- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. -- Connecting to email servers to send and receive email. -- Connecting to the web for every day web browsing. -- Connecting to the cloud to store and access backups. -- Using your location to show a weather forecast. - -This article lists different endpoints that are available on a clean installation of Windows 10 Enterprise, version 1709. -Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). -Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it. - -We used the following methodology to derive these network endpoints: - -1. Set up Windows 10 Enterprise, version 1709 test virtual machine using the default settings. -2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. -4. Compile reports on traffic going to public IP addresses. -5. 
The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. - -> [!NOTE] -> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. - -## Apps - -The following endpoint is used to download updates to the Weather app Live Tile. -If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| explorer | HTTP | tile-service.weather.microsoft.com/en-US/livetile/preinstall?region=US&appid=C98EA5B0842DBB9405BBF071E1DA76512D21FE36&FORM=Threshold | - -The following endpoint is used for OneNote Live Tile. -To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | - -The following endpoints are used for Twitter updates. -To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. 
- -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | wildcard.twimg.com | -| svchost.exe | | oem.twimg.com/windows/tile.xml | - -The following endpoint is used for Facebook updates. -To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | star-mini.c10r.facebook.com | - -The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. -To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | - -The following endpoint is used for Candy Crush Saga updates. -To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. 
-Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | TLS v1.2 | candycrushsoda.king.com | - -The following endpoint is used for by the Microsoft Wallet app. -To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | - -The following endpoint is used by the Groove Music app for update HTTP handler status. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | - -## Cortana and Search - -The following endpoint is used to get images that are used for Microsoft Store suggestions. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions. 
- -| Source process | Protocol | Destination | -|----------------|----------|------------| -| searchui | HTTPS | store-images.s-microsoft.com/image/apps.32524.9007199266244048.fc51fce8-175a-4525-b569-14d91f7779c3.0a720951-38e4-4e81-9804-03f833ab1d2e?format=source | - -The following endpoint is used to update Cortana greetings, tips, and Live Tiles. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | www.bing.com/client/config?cc=US&setlang=en-US | - -The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | www.bing.com/proactive/v2/spark?cc=US&setlang=en-US | - -The following endpoint is used by Cortana to report diagnostic and diagnostic data information. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| searchui
                  backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | - -## Certificates - -The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTP | ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1ba0e83cae791f0d | - -The following endpoints are used to download certificates that are publicly known to be fraudulent. -These settings are critical for both Windows security and the overall security of the Internet. -We do not recommend blocking this endpoint. -If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTP | ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?03376e5589b4a188 | - -## Device authentication - -The following endpoint is used to authenticate a device. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated. 
- -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | login.live.com/ppsecure/deviceaddcredential.srf | - -## Device metadata - -The following endpoint is used to retrieve device metadata. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | dmd.metaservices.microsoft.com.akadns.net | - -## Diagnostic Data - -The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | cy2.vortex.data.microsoft.com.akadns.net | - -The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 | - -The following endpoints are used by Windows Error Reporting. 
-To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| wermgr | | watson.telemetry.microsoft.com/Telemetry.Request | -| |TLS v1.2 |modern.watson.data.microsoft.com.akadns.net| - -## Font streaming - -The following endpoints are used to download fonts on demand. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | fs.microsoft.com | -| | | fs.microsoft.com/fs/windows/config.json | - -## Licensing - -The following endpoint is used for online activation and some app licensing. -To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | - -## Location - -The following endpoint is used for location data. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | location-inference-westus.cloudapp.net | - -## Maps - -The following endpoint is used to check for updates to maps that have been downloaded for offline use. 
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *g.akamaiedge.net | - -## Microsoft account - -The following endpoints are used for Microsoft accounts to sign in. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | login.msa.akadns6.net | -| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | - -## Microsoft Store - -The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | *.wns.windows.com | - -The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. -To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. 
- -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | storecatalogrevocation.storequality.microsoft.com/applications/revoked.json/ | - -The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1ARmA?ver=e6f4 | -| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWbW71?ver=c090 | - -The following endpoints are used to communicate with Microsoft Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | storeedgefd.dsx.mp.microsoft.com | -| | HTTP | pti.store.microsoft.com | -||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| - -## Network Connection Status Indicator (NCSI) - -Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. 
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | www.msftconnecttest.com/connecttest.txt | - -## Office - -The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). -You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. -If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | *.a-msedge.net | -| hxstr | | *.c-msedge.net | -| | | *.e-msedge.net | -| | | *.s-msedge.net | - -The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). -You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. -If you turn off traffic for this endpoint, users won't be able to save documents to the cloud or see their recently used documents. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| hxstr | | *.c-msedge.net | - -The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. 
For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). -You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. -If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| system32\Auth.Host.exe | HTTPS | outlook.office365.com | - -The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| - -## OneDrive - -The following endpoint is a redirection service that’s used to automatically update URLs. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| onedrive | HTTP | g.live.com/1rewlive5skydrive/ODSUProduction | - - -The following endpoint is a redirection service that’s used to automatically update URLs. 
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| onedrive | HTTPS | g.live.com/1rewlive5skydrive/OneDriveProduction?OneDriveUpdate=1303f1898483a527eab1d8f57af6 | - -The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). -To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| onedrive | HTTPS | oneclient.sfx.ms/PreSignInSettings/Prod/PreSignInSettingsConfig.json?OneDriveUpdate=3253474af747a19de2a72deb9a75 | - -## Settings - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| dmclient | | cy2.settings.data.microsoft.com.akadns.net | - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. 
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| dmclient | HTTPS | settings.data.microsoft.com | - -The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | settings-win.data.microsoft.com | - -## Skype - -The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | - - - -## Windows Defender - -The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. 
- -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | wdcp.microsoft.com | - -The following endpoints are used for Windows Defender definition updates. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | definitionupdates.microsoft.com | -|MpCmdRun.exe|HTTPS|go.microsoft.com| - -## Windows Insider Preview builds - -The following endpoint is used to retrieve Windows Insider Preview builds. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-previewbuilds), the device will not be notified about new Windows Insider Preview builds. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTPS | insiderppe.cloudapp.net/windows-app-web-link | - -## Windows Spotlight - -The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](windows-spotlight.md). 
- -| Source process | Protocol | Destination | -|----------------|----------|------------| -| backgroundtaskhost | HTTPS | arc.msn.com | -| backgroundtaskhost | | g.msn.com.nsatc.net | -| |TLS v1.2| *.search.msn.com | -| | HTTPS | ris.api.iris.microsoft.com/v1/a/impression?CID=116000000000270658®ion=US&lang=EN-US&oem=&devFam=WINDOWS.DESKTOP&ossku=ENTERPRISE&cmdVer=10.0.15063.0&mo=&cap=&EID=&&PID=400051553&UIT=G&TargetID=700090861&AN=275357688&PG=PC000P0FR5.0000000G4I&REQASID=D17E3C737583496F8C4CE6553F7395C5&UNID=202914&ANID=&MUID=&ASID=a81b259b93e2425e801d0bb5a5ec2741&PERSID=&AUID=71FA96C64367722E210169966CE8D919&TIME=20170721T015831Z | -| | HTTPS | query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWaHxi | -| | HTTPS | query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWaML4 | - -## Windows Update - -The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | - -The following endpoints are used to download operating system patches and updates. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system. 
- -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | au.download.windowsupdate.com | -| svchost | HTTP | *.windowsupdate.com | -| | HTTP | fg.download.windowsupdate.com.c.footprint.net | - -The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | cds.d2s7q6s2.hwcdn.net | - -The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | HTTP | *wac.phicdn.net | -| | | *wac.edgecastcdn.net | - -The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired). -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | - -The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps. 
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | | emdl.ws.microsoft.com/emdl/c/doc/ph/prod1/msdownload/update/software/defu/2017/07/1024/am_base_82267ed19fb382d07106d5f64257fb815c664b31.exe.json | - -The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | fe2.update.microsoft.com/v6/ClientWebService/client.asmx | -| svchost | | fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx | -| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net (an alias for fe3.delivery.mp.microsoft.com) | -| svchost | HTTPS | sls.update.microsoft.com | - -The following endpoint is used for content regulation. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | - -The following endpoints are used to download content. 
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -| | | a122.dscd.akamai.net | -| | | a1621.g.akamai.net | - -## Microsoft forward link redirection service (FWLink) - -The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. - -If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded. - -| Source process | Protocol | Destination | -|----------------|----------|------------| -|Various|HTTPS|go.microsoft.com| - -## Endpoints for other Windows editions - -In addition to the endpoints listed for Windows 10 Enterprise, the following endpoints are available on other editions of Windows 10, version 1709. - -## Windows 10 Home - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.1.msftsrvcs.vo.llnwi.net | HTTP | Used for Windows Update downloads of apps and OS updates. | -| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| *.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| *.dscd.akamai.net | HTTP | Used to download content. | -| *.dspg.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. 
| -| *.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. | -| *.m1-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | -| *prod.do.dsp.mp.microsoft.com | TLSv1.2/ -HTTPS | Used for Windows Update downloads of apps and OS updates. | -| .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| arc.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. | -| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| candycrushsoda.king.com | TLSv1.2 | Used for Candy Crush Saga updates. | -| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. | -| cdn.onenote.net | HTTP | Used for OneNote Live Tile. | -| client-office365-tas.msedge.net | HTTP | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | -| config.edge.skype.com | HTTP | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. 
| -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.purchase.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | -| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | -| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. | -| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2/ -HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | -| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. | -| g.msn.com.nsatc.net | HTTP | Used to retrieve Windows Spotlight metadata. | -| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. 
| -| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). | -| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | -| login.live.com | HTTPS | Used to authenticate a device. | -| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | -| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| msftsrvcs.vo.llnwd.net | HTTP | Enables connections to Windows Update. | -| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| oem.twimg.com | HTTPS | Used for the Twitter Live Tile. | -| oneclient.sfx.ms | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| peer4-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| ris.api.iris.microsoft.com.akadns.net | TLSv1.2/ -HTTPS | Used to retrieve Windows Spotlight metadata. | -| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com.nsatc.net | TLSv1.2/ -HTTPS | Enables connections to Windows Update. | -| star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. | -| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. 
| -| store-images.s-microsoft.com | HTTP | Used to get images that are used for Microsoft Store suggestions. | -| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | -| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | -| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | -| wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. | -| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | -| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | -| www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. | -| www.facebook.com | HTTPS | Used for the Facebook Live Tile. | -| [www.microsoft.com](http://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | - -## Windows 10 Pro - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.*.akamai.net | HTTP | Used to download content. | -| *.*.akamaiedge.net | HTTP/ -TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. | -| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| *.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.dspg.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. 
| -| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | -| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | -| *prod.do.dsp.mp.microsoft.com | TLSv1.2/ -HTTPS | Used for Windows Update downloads of apps and OS updates. | -| 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| arc.msn.com.nsatc.net | TLSv1.3 | Used to retrieve Windows Spotlight metadata. | -| au.download.windowsupdate.com | HTTPS | Used to download operating system patches and updates. | -| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| candycrushsoda.king.com | HTTPS | Used for Candy Crush Saga updates. | -| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. | -| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. | -| client-office365-tas.msedge.net | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | -| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. 
| -| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | -| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | -| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. | -| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| download.windowsupdate.com | HTTP | Enables connections to Windows Update. | -| evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office Online. | -| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2/ -HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | -| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. 
| -| fs.microsoft.com | HTTPS | Used to download fonts on demand | -| g.live.com | HTTP | Used by a redirection service to automatically update URLs. | -| g.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| g.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | -| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . | -| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). | -| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | -| login.live.com | HTTPS | Used to authenticate a device. | -| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | -| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| oem.twimg.com | HTTP | Used for the Twitter Live Tile. | -| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. | -| peer1-wst.msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| pti.store.microsoft.com.unistore.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. 
| -| ris.api.iris.microsoft.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com | HTTPS | Enables connections to Windows Update. | -| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | -| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | -| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. | -| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | -| www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. | -| www.facebook.com | HTTPS | Used for the Facebook Live Tile. | -| [www.microsoft.com](http://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | - -## Windows 10 Education - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.b.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. 
| -| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| *.dscb1.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| *.dscd.akamai.net | HTTP | Used to download content. | -| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.dspw65.akamai.net | HTTP | Used to download content. | -| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamai.net | HTTP | Used to download content. | -| *.g.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.l.windowsupdate.com | HTTP | Enables connections to Windows Update. | -| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates | -| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | -| *prod.do.dsp.mp.microsoft.com | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. | -| *prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. | -| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. | -| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. | -| cds.*.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. | -| co4.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. 
| -| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | -| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | -| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| download.windowsupdate.com | HTTP | Enables connections to Windows Update. | -| evoke-windowsservices-tas.msedge.net/ab | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office Online. | -| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | -| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| g.msn.com.nsatc.net | HTTP/ -TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | -| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . | -| ipv4.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. 
| -| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | -| login.live.com/* | HTTPS | Used to authenticate a device. | -| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | -| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| msftconnecttest.com/* | HTTP | Used by Network Connection Status Indicator (NCSI) to detect Internet connectivity and corporate network connectivity status. | -| msnbot-65-52-108-198.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. | -| peer1-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | -| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | -| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | -| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. 
|
-
-## Related links
-
-- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
-- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
\ No newline at end of file
diff --git a/windows/configuration/mobile-devices/configure-mobile.md b/windows/configuration/mobile-devices/configure-mobile.md
index 774af0e150..50f896bffe 100644
--- a/windows/configuration/mobile-devices/configure-mobile.md
+++ b/windows/configuration/mobile-devices/configure-mobile.md
@@ -6,8 +6,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: high
+ms.localizationpriority: medium
 author: jdeckerms
+ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ---
diff --git a/windows/configuration/mobile-devices/lockdown-xml.md b/windows/configuration/mobile-devices/lockdown-xml.md
index aa69f4575a..d5e9143721 100644
--- a/windows/configuration/mobile-devices/lockdown-xml.md
+++ b/windows/configuration/mobile-devices/lockdown-xml.md
@@ -7,7 +7,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security, mobile
 author: jdeckerms
-ms.localizationpriority: high
+ms.author: jdecker
+ms.topic: article
+ms.localizationpriority: medium
 ms.date: 07/27/2017
 ---
diff --git a/windows/configuration/mobile-devices/mobile-lockdown-designer.md b/windows/configuration/mobile-devices/mobile-lockdown-designer.md
index 04669fdebf..229a7ea1c4 100644
--- a/windows/configuration/mobile-devices/mobile-lockdown-designer.md
+++ b/windows/configuration/mobile-devices/mobile-lockdown-designer.md
@@ -7,6 +7,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: jdeckerms
+ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ---
diff --git a/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md b/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md
index 418ff01029..5ad6371d4f 100644
--- a/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md
+++ b/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md
@@ -8,7 +8,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: mobile
 author: jdeckerms
-ms.localizationpriority: high
+ms.author: jdecker
+ms.topic: article
+ms.localizationpriority: medium
 ms.date: 07/27/2017
 ---
diff --git a/windows/configuration/mobile-devices/provisioning-configure-mobile.md b/windows/configuration/mobile-devices/provisioning-configure-mobile.md
index 360fd98464..141db07726 100644
--- a/windows/configuration/mobile-devices/provisioning-configure-mobile.md
+++ b/windows/configuration/mobile-devices/provisioning-configure-mobile.md
@@ -6,8 +6,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: high
+ms.localizationpriority: medium
 author: jdeckerms
+ms.author: jdecker
+ms.topic: article
 ms.date: 07/27/2017
 ---
diff --git a/windows/configuration/mobile-devices/provisioning-nfc.md b/windows/configuration/mobile-devices/provisioning-nfc.md
index fc11afb5d6..0c9dc82c2d 100644
--- a/windows/configuration/mobile-devices/provisioning-nfc.md
+++ b/windows/configuration/mobile-devices/provisioning-nfc.md
@@ -5,7 +5,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: jdeckerms
-ms.localizationpriority: high
+ms.author: jdecker
+ms.topic: article
+ms.localizationpriority: medium
 ms.date: 07/27/2017
 ---
@@ -16,6 +18,7 @@ ms.date: 07/27/2017 - Windows 10 Mobile + Near field communication (NFC) enables Windows 10 Mobile Enterprise and Windows 10 Mobile devices to communicate with an NFC tag or another NFC-enabled transmitting device. Enterprises that do bulk provisioning can use NFC-based device provisioning to provide a provisioning package to the device that's being provisioned. NFC provisioning is simple and convenient and it can easily store an entire provisioning package. The NFC provisioning option enables the administrator to provide a provisioning package during initial device setup (the out-of-box experience or OOBE phase). Administrators can use the NFC provisioning option to transfer provisioning information to persistent storage by tapping an unprovisioned mobile device to an NFC tag or NFC-enabled device. To use NFC for pre-provisioning a device, you must either prepare your own NFC tags by storing your provisioning package to a tag as described in this section, or build the infrastructure needed to transmit a provisioning package between an NFC-enabled device and a mobile device during OOBE. diff --git a/windows/configuration/mobile-devices/provisioning-package-splitter.md b/windows/configuration/mobile-devices/provisioning-package-splitter.md index 9e119420b3..1ba20bd10c 100644 --- a/windows/configuration/mobile-devices/provisioning-package-splitter.md +++ b/windows/configuration/mobile-devices/provisioning-package-splitter.md @@ -5,7 +5,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -ms.localizationpriority: high +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium ms.date: 07/27/2017 --- diff --git a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md index c20161c09b..cf13bbf926 100644 
--- a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
+++ b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
@@ -8,7 +8,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: mobile
 author: jdeckerms
-ms.localizationpriority: high
+ms.author: jdecker
+ms.topic: article
+ms.localizationpriority: medium
 ms.date: 07/27/2017
 ---
diff --git a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
index 58dfbc60e2..ca84677bf1 100644
--- a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
+++ b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
@@ -8,7 +8,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: mobile
 author: jdeckerms
-ms.localizationpriority: high
+ms.author: jdecker
+ms.topic: article
+ms.localizationpriority: medium
 ms.date: 07/27/2017
 ---
diff --git a/windows/configuration/mobile-devices/start-layout-xml-mobile.md b/windows/configuration/mobile-devices/start-layout-xml-mobile.md
index 064ebdc7f6..c8d736b63d 100644
--- a/windows/configuration/mobile-devices/start-layout-xml-mobile.md
+++ b/windows/configuration/mobile-devices/start-layout-xml-mobile.md
@@ -6,7 +6,9 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
-ms.localizationpriority: high
+ms.author: jdecker
+ms.topic: article
+ms.localizationpriority: medium
 ms.date: 07/27/2017
 ---
diff --git a/windows/configuration/multi-app-kiosk-troubleshoot.md b/windows/configuration/multi-app-kiosk-troubleshoot.md
index 2d5a8db9fb..6857cf8aac 100644
--- a/windows/configuration/multi-app-kiosk-troubleshoot.md
+++ b/windows/configuration/multi-app-kiosk-troubleshoot.md
@@ -9,8 +9,9 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 09/27/2017 +ms.date: 07/30/2018 ms.author: jdecker +ms.topic: article --- # Troubleshoot multi-app kiosk @@ -30,7 +31,7 @@ For example: **Troubleshooting steps** -1. [Verify that the provisioning package is applied successfully](lock-down-windows-10-to-specific-apps.md#validate-provisioning). +1. [Verify that the provisioning package is applied successfully](kiosk-validate.md). 2. Verify that the account (config) is mapped to a profile in the configuration XML file. 3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration. diff --git a/windows/configuration/multi-app-kiosk-xml.md b/windows/configuration/multi-app-kiosk-xml.md deleted file mode 100644 index 8babcdefec..0000000000 --- a/windows/configuration/multi-app-kiosk-xml.md +++ /dev/null @@ -1,175 +0,0 @@ ---- -title: Multi-app kiosk XML reference (Windows 10) -description: XML and XSD for multi-app kiosk device configuration. -ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 -keywords: ["lockdown", "app restrictions", "applocker"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: edu, security -author: jdeckerms -ms.localizationpriority: medium -ms.date: 08/14/2017 -ms.author: jdecker ---- - -# Multi-app kiosk XML reference - - -**Applies to** - -- Windows 10 - -## Full XML sample - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - MultiAppKioskUser - - - - -``` - -## XSD for AssignedAccess configuration XML - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` \ No newline at end of file 
diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/provisioning-apn.md index 96078d1791..b58d853122 100644 --- a/windows/configuration/provisioning-apn.md +++ b/windows/configuration/provisioning-apn.md @@ -6,7 +6,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -ms.localizationpriority: high +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium ms.date: 04/13/2018 --- diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index 6478c68d2e..cb66bfc3e5 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md @@ -6,6 +6,8 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms +ms.author: jdecker +ms.topic: article ms.localizationpriority: medium ms.date: 07/27/2017 --- diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index 778796176d..9979020ba7 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -7,7 +7,9 @@ ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -ms.localizationpriority: high +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium ms.date: 07/27/2017 --- @@ -80,7 +82,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L ![step one](../images/one.png)![set up device](../images/set-up-device.png)

                  Enter a name for the device.

                  (Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

                  Toggle **Yes** or **No** to **Configure devices for shared use**. This setting optimizes Windows 10 for shared use scenarios. [Learn more about shared PC configuration.](../set-up-shared-or-guest-pc.md)

                  You can also select to remove pre-installed software from the device. ![device name, upgrade to enterprise, shared use, remove pre-installed software](../images/set-up-device-details-desktop.png) ![step two](../images/two.png) ![set up network](../images/set-up-network.png)

                  Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.![Enter network SSID and type](../images/set-up-network-details-desktop.png) ![step three](../images/three.png) ![account management](../images/account-management.png)

                  Enable account management if you want to configure settings on this page.

                  You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

                  To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

                  Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

                  To create a local administrator account, select that option and enter a user name and password.

                  **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. ![join Active Directory, Azure AD, or create a local admin account](../images/account-management-details.png) -![step four](../images/four.png) ![add applications](../images/add-applications.png)

                  You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md). ![add an application](../images/add-applications-details.png) +![step four](../images/four.png) ![add applications](../images/add-applications.png)

                  You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md). ![add an application](../images/add-applications-details.png) ![step five](../images/five.png) ![add certificates](../images/add-certificates.png)

                  To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.![add a certificate](../images/add-certificates-details.png) ![finish](../images/finish.png)

                  You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.![Protect your package](../images/finish-details.png) diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md index 56fddf9b72..321a76c0cd 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md @@ -6,7 +6,9 @@ ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -ms.localizationpriority: high +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium ms.date: 07/27/2017 --- diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index 4c5d461287..9f7712c5d3 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md @@ -6,8 +6,9 @@ ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -ms.localizationpriority: high +ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/06/2017 --- 
@@ -19,7 +20,7 @@ ms.date: 09/06/2017 - Windows 10 -In Windows 10, version 1703, you can install multiple Universal Windows Platform (UWP) apps and Classic Windows (Win32) applications in a provisioning package. This topic explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install. +In Windows 10, version 1703, you can install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. This topic explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install. When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv). @@ -34,7 +35,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate - **Required appx dependencies**: Specify the appx dependency packages that are required for the installation of the app -## Settings for Classic Windows apps +## Settings for Windows desktop applications ### MSI installer @@ -60,7 +61,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate -## Add a Classic Windows app using advanced editor in Windows Configuration Designer +## Add a Windows desktop application using advanced editor in Windows Configuration Designer 1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **PrimaryContext** > **Command**. diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md index 0cabd2b0e7..5fa39fd636 100644 --- a/windows/configuration/provisioning-packages/provisioning-apply-package.md +++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md 
@@ -5,7 +5,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: jdeckerms
-ms.localizationpriority: high
+ms.author: jdecker
+ms.topic: article
+ms.localizationpriority: medium
 ms.date: 08/22/2017
 ---
diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md
index 8e96311282..f815fe5059 100644
--- a/windows/configuration/provisioning-packages/provisioning-command-line.md
+++ b/windows/configuration/provisioning-packages/provisioning-command-line.md
@@ -5,7 +5,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: jdeckerms
-ms.localizationpriority: high
+ms.author: jdecker
+ms.topic: article
+ms.localizationpriority: medium
 ms.date: 07/27/2017
 ---
diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md
index fe4f0b035a..c0cbd3ed3f 100644
--- a/windows/configuration/provisioning-packages/provisioning-create-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-create-package.md
@@ -5,7 +5,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: jdeckerms
-ms.localizationpriority: high
+ms.author: jdecker
+ms.topic: article
+ms.localizationpriority: medium
 ms.date: 07/27/2017
 ---
@@ -41,7 +43,7 @@ You use Windows Configuration Designer to create a provisioning package (.ppkg) - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) - - [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard) + - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) - [Instructions for HoloLens wizard](https://technet.microsoft.com/itpro/hololens/hololens-provisioning) - [Instructions for Surface Hub wizard](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md index 02b9e7e88b..a94b851110 100644 --- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md +++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md @@ -5,7 +5,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -ms.localizationpriority: high +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium ms.date: 07/27/2017 --- @@ -41,7 +43,7 @@ When multiple provisioning packages are available for device provisioning, the c 1. Microsoft -2. Silicon Vender +2. Silicon Vendor 3. OEM diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index b595b81972..db1036262f 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -5,7 +5,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -ms.localizationpriority: high +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium ms.date: 10/16/2017 --- 
diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index 209590fdc6..216d35803f 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md @@ -5,7 +5,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -ms.localizationpriority: high +ms.topic: article +ms.localizationpriority: medium ms.date: 11/08/2017 ms.author: jdecker --- diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index c61c9169d8..2a331f5839 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -6,7 +6,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -ms.localizationpriority: high +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium ms.date: 07/27/2017 --- @@ -70,20 +72,22 @@ Provisioning packages can be: The following table describes settings that you can configure using the wizards in Windows Configuration Designer to create provisioning packages. - - - - - - - - -
                  **Step****Description****Desktop
                  wizard**
                  **Mobile
                  wizard**
                  **Kiosk
                  wizard**
                  Set up deviceAssign device name,
                  enter product key to upgrade Windows,
                  configure shared used,
                  remove pre-installed software
                  ![yes](../images/checkmark.png)![yes](../images/checkmark.png)
                  (Only device name and upgrade key)
                  ![yes](../images/checkmark.png)
                  Set up networkConnect to a Wi-Fi network![yes](../images/checkmark.png)![yes](../images/checkmark.png)![yes](../images/checkmark.png)
                  Account managementEnroll device in Active Directory,
                  enroll device in Azure Active Directory,
                  or create a local administrator account
                  ![yes](../images/checkmark.png)![no](../images/crossmark.png)![yes](../images/checkmark.png)
                  Bulk Enrollment in Azure ADEnroll device in Azure Active Directory

                  Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup).
                  ![no](../images/crossmark.png)![yes](../images/checkmark.png)![no](../images/crossmark.png)
                  Add applicationsInstall applications using the provisioning package.![yes](../images/checkmark.png)![no](../images/crossmark.png)![yes](../images/checkmark.png)
                  Add certificatesInclude a certificate file in the provisioning package.![yes](../images/checkmark.png)![no](../images/crossmark.png)![yes](../images/checkmark.png)
                  Configure kiosk account and appCreate local account to run the kiosk mode app,
                  specify the app to run in kiosk mode
                  ![no](../images/crossmark.png)![no](../images/crossmark.png)![yes](../images/checkmark.png)
                  Configure kiosk common settingsSet tablet mode,
                  configure welcome and shutdown screens,
                  turn off timeout settings
                  ![no](../images/crossmark.png)![no](../images/crossmark.png)![yes](../images/checkmark.png)
                  + + + + + + + + + + +
                  **Step****Description****Desktop wizard****Mobile wizard****Kiosk wizard****HoloLens wizard**
                  Set up deviceAssign device name,
                  enter product key to upgrade Windows,
                  configure shared used,
                  remove pre-installed software
                  ![yes](../images/checkmark.png)![yes](../images/checkmark.png)
                  (Only device name and upgrade key)
                  ![yes](../images/checkmark.png)![yes](../images/checkmark.png)
                  Set up networkConnect to a Wi-Fi network![yes](../images/checkmark.png)![yes](../images/checkmark.png)![yes](../images/checkmark.png)![yes](../images/checkmark.png)
                  Account managementEnroll device in Active Directory,
                  enroll device in Azure Active Directory,
                  or create a local administrator account
                  ![yes](../images/checkmark.png)![no](../images/crossmark.png)![yes](../images/checkmark.png)![yes](../images/checkmark.png)
                  Bulk Enrollment in Azure ADEnroll device in Azure Active Directory

                  Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup).
                  ![no](../images/crossmark.png)![yes](../images/checkmark.png)![no](../images/crossmark.png)![no](../images/crossmark.png)
                  Add applicationsInstall applications using the provisioning package.![yes](../images/checkmark.png)![no](../images/crossmark.png)![yes](../images/checkmark.png)![no](../images/crossmark.png)
                  Add certificatesInclude a certificate file in the provisioning package.![yes](../images/checkmark.png)![no](../images/crossmark.png)![yes](../images/checkmark.png)![yes](../images/checkmark.png)
                  Configure kiosk account and appCreate local account to run the kiosk mode app,
                  specify the app to run in kiosk mode
                  ![no](../images/crossmark.png)![no](../images/crossmark.png)![yes](../images/checkmark.png)![no](../images/crossmark.png)
                  Configure kiosk common settingsSet tablet mode,
                  configure welcome and shutdown screens,
                  turn off timeout settings
                  ![no](../images/crossmark.png)![no](../images/crossmark.png)![yes](../images/checkmark.png)![no](../images/crossmark.png)
                  Developer SetupEnable Developer Mode.![no](../images/crossmark.png)![no](../images/crossmark.png)![no](../images/crossmark.png)![yes](../images/checkmark.png)
                  - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) -- [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard) - +- [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) +- [Instructions for the HoloLens wizard](https://docs.microsoft.com/hololens/hololens-provisioning#wizard) >[!NOTE] diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md index e372caf606..0398edbb15 100644 --- a/windows/configuration/provisioning-packages/provisioning-powershell.md +++ b/windows/configuration/provisioning-packages/provisioning-powershell.md @@ -5,7 +5,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -ms.localizationpriority: high +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium ms.date: 07/27/2017 --- diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md index 2e6a4b5c10..6b2041b522 100644 --- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md +++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md @@ -5,7 +5,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -ms.localizationpriority: high +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium ms.date: 07/27/2017 --- diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md index 06879c3b1b..aa1bf1b80d 100644 --- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md 
+++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md @@ -5,7 +5,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -ms.localizationpriority: high +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium ms.date: 07/27/2017 --- diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index 196d95eb81..1acc77b4c2 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -6,7 +6,9 @@ ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -ms.localizationpriority: high +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium ms.date: 07/27/2017 --- @@ -111,20 +113,14 @@ Get-CimInstance -Namespace $namespaceName -ClassName $MDM_SharedPCClass ### Create a provisioning package for shared use -1. [install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md) +1. [Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md) 1. Open Windows Configuration Designer. - 2. On the **Start page**, select **Advanced provisioning**. - 3. Enter a name and (optionally) a description for the project, and click **Next**. - 4. Select **All Windows desktop editions**, and click **Next**. - 5. Click **Finish**. Your project opens in Windows Configuration Designer. - 6. Go to **Runtime settings** > **SharedPC**. [Select the desired settings for shared PC mode.](#customization) - 7. On the **File** menu, select **Save.** 8. On the **Export** menu, select **Provisioning package**. 9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** 
diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md
new file mode 100644
index 0000000000..d5ea73a4a8
--- /dev/null
+++ b/windows/configuration/setup-digital-signage.md
@@ -0,0 +1,91 @@
+---
+title: Set up digital signs on Windows 10 (Windows 10)
+description: A single-use device such as a digital sign is easy to set up in Windows 10 (Pro, Enterprise, and Education).
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage", "kiosk browser", "browser"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: medium
+ms.date: 08/03/2018
+---
+
+# Set up digital signs on Windows 10
+
+
+**Applies to**
+
+- Windows 10 Pro, Enterprise, and Education
+
+Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed.
+
+For digital signage, simply select a digital sign player as your kiosk app. You can also use the Kiosk Browser app (a new Microsoft app for Windows 10, version 1803) and configure it to show your online content.
+
+>[!TIP]
+>Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
+
+Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 10, version 1803.
+
+>[!NOTE]
+>If you haven't set up your Microsoft Store for Business yet, check out [the prerequisites](https://docs.microsoft.com/microsoft-store/prerequisites-microsoft-store-for-business) and then [sign up](https://docs.microsoft.com/microsoft-store/sign-up-microsoft-store-for-business).
+
+
+This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows 10, version 1803, that has already been set up (completed the first-run experience).
+
+1. [Get **Kiosk Browser** in Microsoft Store for Business with offline, unencoded license type.](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps)
+2. [Download the **Kiosk Browser** package, license file, and all required frameworks.](https://docs.microsoft.com/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app)
+2. [Install Windows Configuration Designer.](~/provisioning-packages/provisioning-install-icd.md)
+3. Open Windows Configuration Designer and select **Provision kiosk devices**.
+4. Enter a friendly name for the project, and select **Finish**.
+5. On **Set up device**, select **Disabled**, and select **Next**.
+6. On **Set up network**, enable network setup.
+ - Toggle **On** wireless network connectivity.
+ - Enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
+7. On **Account management**, select **Disabled**, and select **Next**.
+8. On **Add applications**, select **Add an application**.
+ - For **Application name**, enter `Kiosk Browser`.
+ - For **Installer path**, browse to and select the AppxBundle that you downloaded from Microsoft Store for Business. After you select the package, additional fields are displayed.
+ - For **License file path**, browse to and select the XML license file that you downloaded from Microsoft Store for Business.
+ - The **Package family name** is populated automatically.
+ - Select **Next**.
+9. On **Add certificates**, select **Next**.
+10. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage.
+ - Enter a user name and password, and toggle **Auto sign-in** to **Yes**.
+ - Under **Configure the kiosk mode app**, enter the user name for the account that you're creating.
+ - For **App type**, select **Universal Windows App**.
+ - In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe`.
+11. In the bottom left corner of Windows Configuration Designer, select **Switch to advanced editor**.
+12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu.
+ - In **BlockedUrlExceptions**, enter `https://www.contoso.com/menu`.
+ - In **BlockedUrl**, enter `*`.
+ - In **DefaultUrl**, enter `https://www.contoso.com/menu`.
+ - Set **EnableEndSessionButton**, **EnableHomeButton**, and **EnableNavigationButtons** to **No**.
+
+ >[!TIP]
+ >For more information on kiosk browser settings, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
+
+13. On the **File** menu, select **Save**, and select **OK** in the **Keep your info secure** dialog box.
+14. On the **Export** menu, select **Provisioning package**.
+15. Change the **Owner** to **IT Admin**, and select **Next**.
+16. On **Select security details for the provisioning package**, select **Next**.
+17. On **Select where to save the provisioning package**, select **Next**.
+18. On **Build the provisioning package**, select **Build**.
+19. On the **All done!** screen, click the **Output location**.
+20. Copy the .ppkg file to a USB drive.
+21. Attach the USB drive to the device that you want to use for your digital sign.
+22. Go to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package on the USB drive.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/windows/configuration/setup-kiosk-digital-signage.md b/windows/configuration/setup-kiosk-digital-signage.md
deleted file mode 100644
index f8b3502b6d..0000000000
--- a/windows/configuration/setup-kiosk-digital-signage.md
+++ /dev/null
@@ -1,475 +0,0 @@ ---- -title: Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education (Windows 10) -description: A single-use device such as a digital sign is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). -ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC -keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerms -ms.localizationpriority: high -ms.date: 03/30/2018 ---- - -# Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education - - -**Applies to** - -- Windows 10 Pro, Enterprise, and Education - - - -Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. A single-use, kiosk device is easy to set up in Windows 10. (For kiosks that run more than one more app, see [Create a Windows 10 kiosk that runs multiple apps.](lock-down-windows-10-to-specific-apps.md).) - - - -## Choose a method for configuring your kiosks and digitals signs - -**Which type of app will your kiosk run?** Your kiosk can run a Universal Windows Platform (UWP) app or a Classic Windows desktop application. When the kiosk account signs in, the kiosk app will launch automatically. If the kiosk app is closed, it will automatically restart. - ->[!TIP] ->For **digital signage**, simply select a digital sign player as your kiosk app. - -**Which type of user account will be the kiosk account?** The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. - ->[!WARNING] ->For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account. 
-> ->Assigned access can be configured via Windows Mangement Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. - -**Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. - -### Methods for kiosks and digital signs running a UWP app - -Choose this method | For this edition | For this kiosk account type ---- | --- | --- -[Local settings](#local) (for 1 or a few devices) | Pro, Ent, Edu | Local standard user -[PowerShell](#powershell) | Pro, Ent, Edu | Local standard user -[Provisioning](#wizard) | Pro (version 1709), Ent, Edu | Local standard user -[Intune or other mobile device management (MDM)](#set-up-assigned-access-in-mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD - -### Methods for kiosks and digital signs running a Classic Windows app - -Choose this method | For this edition | For this kiosk account type ---- | --- | --- -[Provisioning](#wizard) | Ent, Edu | Local standard user -[ShellLauncher](#shelllauncher) | Ent, Edu | Local standard user or administrator, Active Directory, Azure AD - - - - - -### Other settings to lock down - -For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk: - -Recommendation | How to ---- | --- -Replace "blue screen" with blank screen for 
OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:

                  `HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`

                  [Learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002)

                  You must restart the device after changing the registry. -Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign. -Hide **Ease of access** feature on the logon screen. | Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. -Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. -Remove the power button from the sign-in screen. | Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** -Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. -Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. -Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.

                  **NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. - -In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic logon. - - -**How to edit the registry to have an account automatically logged on** - -1. Open Registry Editor (regedit.exe). - - >[!NOTE]   - >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). -   - -2. Go to - - **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon** - -3. Set the values for the following keys. - - - *AutoAdminLogon*: set value as **1**. - - - *DefaultUserName*: set value as the account that you want logged in. - - - *DefaultPassword*: set value as the password for the account. - - > [!NOTE] - > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. - - - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. - -4. Close Registry Editor. The next time the computer restarts, the account will be logged on automatically. - ->[!TIP] ->You can also configure automatic logon [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon). - - - -## Set up a kiosk or digital sign in local Settings - ->App type: UWP -> ->OS edition: Windows 10 Pro, Ent, Edu -> ->Account type: Local standard user - -You can use **Settings** to quickly configure one or a few devices as a kiosk. 
(Using **Settings** isn't practical for configuring a lot of devices, but it would work.) When you set up a kiosk (also known as *assigned access*) in **Settings**, you must select a local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) - -When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. - -If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do. - -If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. - -![Screenshot of automatic sign-in setting](images/auto-signin.png) - -**To set up assigned access in PC settings** - -1. Go to **Start** > **Settings** > **Accounts** > **Other people**. - -2. Choose **Set up assigned access**. - -3. Choose an account. - -4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). - -5. 
Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on. - -To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. - ->[!NOTE]   ->Single-app kiosk configuration using assigned access does not work on a device that is connected to more than one monitor. - - - -## Set up a kiosk or digital sign using Windows PowerShell - - ->App type: UWP -> ->OS edition: Windows 10 Pro, Ent, Edu -> ->Account type: Local standard user - -You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. - -To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. - -``` -Set-AssignedAccess -AppUserModelId -UserName -``` - -``` -Set-AssignedAccess -AppUserModelId -UserSID -``` - -``` -Set-AssignedAccess -AppName -UserName -``` - -``` -Set-AssignedAccess -AppName -UserSID -``` - -> [!NOTE] -> To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. - -[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). - -[Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**). - -[Learn how to get the SID](https://go.microsoft.com/fwlink/p/?LinkId=615517). - -To remove assigned access, using PowerShell, run the following cmdlet. - -``` -Clear-AssignedAccess -``` - - - -## Set up a kiosk or digital sign using a provisioning package - ->App type: UWP or Classic Windows -> ->OS edition: Windows 10 Pro (version 1709) for UWP only; Ent, Edu for both app types -> ->Account type: Local standard user - -When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Classic Windows application. 
- ->[!IMPORTANT] ->When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - - -[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table. - - - - - - - - - - - - -
                  ![step one](images/one.png)![set up device](images/set-up-device.png)

                  Enable device setup if you want to configure settings on this page.

                  **If enabled:**

                  Enter a name for the device.

                  (Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

                  Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

                  You can also select to remove pre-installed software from the device.
                  ![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)
                  ![step two](images/two.png) ![set up network](images/set-up-network.png)

                  Enable network setup if you want to configure settings on this page.

                  **If enabled:**

                  Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
                  ![Enter network SSID and type](images/set-up-network-details.png)
                  ![step three](images/three.png) ![account management](images/account-management.png)

                  Enable account management if you want to configure settings on this page.

                  **If enabled:**

                  You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

                  To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

                  Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

                  **Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

                  To create a local administrator account, select that option and enter a user name and password.

                  **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
                  ![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
                  ![step four](images/four.png) ![add applications](images/add-applications.png)

                  You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)

                  **Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application.
                  ![add an application](images/add-applications-details.png)
                  ![step five](images/five.png) ![add certificates](images/add-certificates.png)

                  To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
                  ![add a certificate](images/add-certificates-details.png)
                  ![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

                  You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

                  If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.

                  In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Classic Windows app) or the AUMID (for a Universal Windows app). For a Classic Windows app, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.
                  ![Configure kiosk account and app](images/kiosk-account-details.png)
                  ![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)

                  On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.
                  ![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)
                  ![finish](images/finish.png)

                  You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
                  ![Protect your package](images/finish-details.png)
                  - - ->[!NOTE] ->If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** - - - - - -[Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md) - - - - - -  - - - -## Set up a kiosk or digital sign in Intune or other MDM service - ->App type: UWP -> ->OS edition: Windows 10 Pro (version 1709), Ent, Edu -> ->Account type: Local standard user, Azure AD - -Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a KioskModeApp setting. In the KioskModeApp setting, you enter the user account name and [AUMID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode. - -The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider. - -**To configure kiosk in Microsoft Intune** - -2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. -3. Select **Device configuration**. -4. Select **Profiles**. -5. Select **Create profile**. -6. Enter a friendly name for the profile. -7. Select **Windows 10 and later** for the platform. -8. Select **Device restrictions** for the profile type. -9. Select **Kiosk**. -10. In **Kiosk Mode**, select **Single app kiosk**. -1. Enter the user account (Azure AD or a local standard user account). -11. Enter the Application User Model ID for an installed app. -14. Select **OK**, and then select **Create**. -18. Assign the profile to a device group to configure the devices in that group as kiosks. 
- - - -## Set up a kiosk or digital sign using Shell Launcher - ->App type: Classic Windows -> ->OS edition: Windows 10 Ent, Edu -> ->Account type: Local standard user or administrator, Active Directory, Azure AD - -Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. - ->[!NOTE] ->You can also configure a kiosk device that runs a Classic Windows application by using the [Provision kiosk devices wizard](#wizard). - ->[!WARNING] ->- Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image. ->- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. - -### Requirements - -- A domain or local user account. - -- A Classic Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer. - -[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603) - - -### Configure Shell Launcher - -To set a Classic Windows application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell. - -**To turn on Shell Launcher in Windows features** - -1. Go to Control Panel > **Programs and features** > **Turn Windows features on or off**. - -2. Expand **Device Lockdown**. - -2. 
Select **Shell Launcher** and **OK**. - -Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or the Deployment Image Servicing and Management (DISM.exe) tool. - -**To turn on Shell Launcher using DISM** - -1. Open a command prompt as an administrator. -2. Enter the following command. - - ``` - Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher - ``` - -**To set your custom shell** - -Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device. - -``` -# Check if shell launcher license is enabled -function Check-ShellLauncherLicenseEnabled -{ - [string]$source = @" -using System; -using System.Runtime.InteropServices; - -static class CheckShellLauncherLicense -{ - const int S_OK = 0; - - public static bool IsShellLauncherLicenseEnabled() - { - int enabled = 0; - - if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) { - enabled = 0; - } - - return (enabled != 0); - } - - static class NativeMethods - { - [DllImport("Slc.dll")] - internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value); - } - -} -"@ - - $type = Add-Type -TypeDefinition $source -PassThru - - return $type[0]::IsShellLauncherLicenseEnabled() -} - -[bool]$result = $false - -$result = Check-ShellLauncherLicenseEnabled -"`nShell Launcher license enabled is set to " + $result -if (-not($result)) -{ - "`nThis device doesn't have required license to use Shell Launcher" - exit -} - -$COMPUTER = "localhost" -$NAMESPACE = "root\standardcimv2\embedded" - -# Create a handle to the class instance so we can call the static 
methods. -try { - $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting" - } catch [Exception] { - write-host $_.Exception.Message; - write-host "Make sure Shell Launcher feature is enabled" - exit - } - - -# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. - -$Admins_SID = "S-1-5-32-544" - -# Create a function to retrieve the SID for a user account on a machine. - -function Get-UsernameSID($AccountName) { - - $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName) - $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) - - return $NTUserSID.Value - -} - -# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script. - -$Cashier_SID = Get-UsernameSID("Cashier") - -# Define actions to take when the shell program exits. - -$restart_shell = 0 -$restart_device = 1 -$shutdown_device = 2 - -# Examples. You can change these examples to use the program that you want to use as the shell. - -# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. - -$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device) - -# Display the default shell to verify that it was added correctly. - -$DefaultShellObject = $ShellLauncherClass.GetDefaultShell() - -"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction - -# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed. - -$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell) - -# Set Explorer as the shell for administrators. - -$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe") - -# View all the custom shells defined. 
- -"`nCurrent settings for custom shells:" -Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction - -# Enable Shell Launcher - -$ShellLauncherClass.SetEnabled($TRUE) - -$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() - -"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled - -# Remove the new custom shells. - -$ShellLauncherClass.RemoveCustomShell($Admins_SID) - -$ShellLauncherClass.RemoveCustomShell($Cashier_SID) - -# Disable Shell Launcher - -$ShellLauncherClass.SetEnabled($FALSE) - -$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() - -"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled -``` - -## Sign out of assigned access - -To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account. - -If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: - -**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI** - -To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. - -  -## Related topics - -- [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md) - - - diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index c02424cee9..b75768d432 100644 
--- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md @@ -7,8 +7,9 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.author: jdecker +ms.topic: article ms.date: 01/02/2018 -ms.localizationpriority: high +ms.localizationpriority: medium --- # Start layout XML for desktop editions of Windows 10 (reference) @@ -30,7 +31,7 @@ On Windows 10 for desktop editions, the customized Start works by: - No limit to the number of apps that can be pinned. There is a theoretical limit of 24 tiles per group (4 small tiles per medium square x 3 columns x 2 rows). >[!NOTE] ->Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/en-US/library/jj649079.aspx). +>To use the layout modification XML to configure Start with roaming user profiles, see [Deploying Roaming User Profiles](https://docs.microsoft.com/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs). @@ -59,7 +60,7 @@ The following table lists the supported elements and attributes for the LayoutMo | TopMFUApps

                  Parent:
                  LayoutModificationTemplate | n/a | Use to add up to 3 default apps to the frequently used apps section in the system area.

                  **Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. | | Tile

                  Parent:
                  TopMFUApps | AppUserModelID | Use with the TopMFUApps tags to specify an app with a known AppUserModelID.

                  **Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. | | DesktopApplicationTile

                  Parent:
                  TopMFUApps | LinkFilePath | Use with the TopMFUApps tags to specify an app without a known AppUserModelID.

                  **Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. | -| AppendOfficeSuite

                  Parent:
                  LayoutModificationTemplate | n/a | Use to add the in-box installed Office suite to Start

                  Do not use this tag with AppendDownloadOfficeTile | +| AppendOfficeSuite

                  Parent:
                  LayoutModificationTemplate | n/a | Use to add the in-box installed Office suite to Start. For more information, see [Customize the Office suite of tiles](https://docs.microsoft.com/windows-hardware/customize/desktop/customize-start-layout#customize-the-office-suite-of-tiles).

                  Do not use this tag with AppendDownloadOfficeTile | | AppendDownloadOfficeTile

                  Parent:
                  LayoutModificationTemplate | n/a | Use to add a specific **Download Office** tile to a specific location in Start

                  Do not use this tag with AppendOfficeSuite | ### LayoutOptions @@ -304,9 +305,23 @@ The following example shows how to add the **AppendOfficeSuite** tag to your Lay ``` +#### AppendOfficeSuiteChoice + +This tag is added in Windows 10, version 1803. You have two options in this tag: + +- `` +- `` + +Use `Choice=DesktopBridgeSubscription` on devices running Windows 10, version 1803, that have Office 365 preinstalled. This will set the heading of the Office suite of tiles to **Office 365**, to highlight the Office 365 apps that you've made available on the device. + +Use `Choice=DesktopBridge` on devices running versions of Windows 10 earlier than version 1803, and on devices shipping with [perpetual licenses for Office](https://blogs.technet.microsoft.com/ausoemteam/2017/11/30/choosing-the-right-office-version-for-your-customers/). This will set the heading of the Office suite of tiles to **Create**. + +For more information, see [Customize the Office suite of tiles](https://docs.microsoft.com/windows-hardware/customize/desktop/customize-start-layout#customize-the-office-suite-of-tiles). + + #### AppendDownloadOfficeTile -You can use the **AppendDownloadOfficeTile** tag to append the Office trial installer to Start. This tag adds the Download Office tile to Start and the download tile will appear at the bottom right-hand side of the second group. +You can use the **AppendDownloadOfficeTile** tag to append the Office trial installer to Start. This tag adds the **Download Office** tile to Start and the download tile will appear at the bottom right-hand side of the second group. >[!NOTE] >The OEM must have installed the Office trial installer for this tag to work. diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md index c12a8cf0c6..0dddb20773 100644 --- a/windows/configuration/start-secondary-tiles.md +++ b/windows/configuration/start-secondary-tiles.md 
@@ -5,9 +5,11 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -ms.localizationpriority: high +ms.localizationpriority: medium author: jdeckerms -ms.date: 08/07/2017 +ms.author: jdecker +ms.topic: article +ms.date: 06/27/2018 --- # Add image for secondary Microsoft Edge tiles @@ -61,7 +63,7 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE ## Export Start layout and assets 1. Follow the instructions in [Customize and export Start layout](customize-and-export-start-layout.md#bkmkcustomizestartscreen) to customize the Start screen on your test computer. -2. Open Windows PowerShell and enter the following command: +2. Open Windows PowerShell as an administrator and enter the following command: ``` Export-StartLayout -path .xml @@ -72,12 +74,12 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE 3. If you’d like to change the image for a secondary tile to your own custom image, open the layout.xml file, and look for the images that the tile references. - For example, your layout.xml contains `Square150x150LogoUri="ms-appdata:///local/PinnedTiles/21581260870/hires.png" Wide310x150LogoUri="ms-appx:///"` - - Open `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState` and replace those images with your customized images + - Open `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\21581260870\` and replace those images with your customized images. >[!TIP] >A quick method for getting appropriately sized images for each tile size is to upload your image at [BuildMyPinnedSite](http://www.buildmypinnedsite.com/) and then download the resized tile images. - 4. In Windows PowerShell, enter the following command: +4. In Windows PowerShell, enter the following command: ``` Export-StartLayoutEdgeAssets assets.xml 
@@ -85,109 +87,30 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE ## Configure policy settings -You can apply the customized Start layout with images for secondary tiles by using [mobile device management](customize-windows-10-start-screens-by-using-mobile-device-management.md) or [a provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). However, because you are including the images for secondary tiles, you must configure an additional policy to import the Edge assets. +You can apply the customized Start layout with images for secondary tiles by using [mobile device management](customize-windows-10-start-screens-by-using-mobile-device-management.md) or [a provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). However, because you are including the images for secondary tiles, you must configure an additional setting to import the Edge assets. ### Using MDM -Follow the instructions to [create a custom policy](customize-windows-10-start-screens-by-using-mobile-device-management.md#bkmk-domaingpodeployment). Replace the markup characters with escape characters in both the layout.xml and the assets.xml. +In Microsoft Intune, you create a device restrictions policy to apply to device group. For other MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=623244). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`. -In addition to the `./User/Vendor/MSFT/Policy/Config/Start/StartLayout` setting, you must also add the `ImportEdgeAssets` setting. -| Item | Information | -|----|----| -| **Setting name** | Enter a unique name for the OMA-URI setting to help you identify it in the list of settings. 
| -| **Setting description** | Provide a description that gives an overview of the setting and other relevant information to help you locate it. | -| **Data type** | **String** | -| **OMA-URI (case sensitive)** | **./User/Vendor/MSFT/Policy/Config/Start/ImportEdgeAssets** -| **Value** | Paste the contents of the assets.xml file that you created. | +1. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. +2. Select **Device configuration**. +3. Select **Profiles**. +4. Select **Create profile**. +5. Enter a friendly name for the profile. +6. Select **Windows 10 and later** for the platform. +7. Select **Device restrictions** for the profile type. +8. Select **Start**. +9. In **Start menu layout**, browse to and select your Start layout XML file. +9. In **Pin websites to tiles in Start menu**, browse to and select your assets XML file. +10. Select **OK** twice, and then select **Create**. +11. [Assign the profile to a group](https://docs.microsoft.com/intune/device-profile-assign). -**Example XML string value for the Start/ImportEdgeAssets policy** +>[!NOTE] +>The device restrictions in Microsoft Intune include [other Start settings](https://docs.microsoft.com/intune/device-restrictions-windows-10#start) that you can also configure in your profile. 
-``` - - - - - - iVBORw0KGgoAAAANSUhEUgAAASwAAAEsCAYAAAB5fY51AAAABGdBTUEAALGPC/xhBQAAEmpJREFUeAHt3X3MvXVdB3BufgaCBkGI4pAySWeIvzKhLKayNq00W1YiUc6HOW096cw1XSVNR82Ws1iscvoHWWzkKFu13NpqCEONBFLQ0XwENJX8iQI+Ab/eH7lvOZz7+p7H6zzd9+u7fTjnfK/v0/U6v++Xc677Otd1xBESAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgsCKBrRX1q9s9KnD48OHHZNfOT3xf4p7ETYnLtra2DuVRIkCAwOoFslA9PPHniW8khtOXk/H6xIHVj9QICBDY1wJZiH488fHEuHRVCpy2r7HsPAECqxHI4nNk4g2JexKTpv9LweesZsR6JUBgXwpk0Tk58W+TrlJD5e7L6wsTjqHuy389dprAEgWy0JyduDUxb/qHNPCwJQ5dVwQI7CeBLDAvTnxt3pVqoP71eV5/WZQIECDQj0AWla3EmwcWmj6ffiaNHexnpFohQGBfC2QxeWji8glWqCtHlPnsiG216UuJZ+5raDtPgMB8AllETkhcnRiV6iD6GxMHRhR6VLa9d8T22lRfNZ8/34jVJkBgXwpk8Xhk4obEqHR3Nv7iDlCrYG3PtqMSf9sqs53/zTyet9OeRwIECIwVyKJxWuLm7UWk9VDHnp462Fir4E6ZbK9jYX/UKredX+d1/fJOHY8ECBBoCmSxeGzi09uLR+vhg9lw6nAjrcId5X41ZUedcHpvtlu0huG8JkDgAYEsEo9JfCIxKl2RjZ3nT7UqPdDDA89S9mcSd7XqJL++Hj7vgRqeESBAYFsgi8MpiXFfAy9JmeYZ6tnWmVrIKfyjiTs6K92f+dU8nNuqL58AgX0okEXhxMRN968Rzf9ePI6mVXNUvdQ5J3Fnq27y62oPPzSqDdsIENgnAlkMjk6MOocqmw+/dRKOKtiVxtVNnXMT9RfHVqqfAj16XDu2EyCwhwWyCNRf7S5rrRLb+W+ZlKDVziT1U/fZiVE/+/nPbD9mkraUIUBgDwpkARh3isEfT7Pbaa8zTdpGKteB+K6LAO60+3d50jyGNmk/yhEgsGECmfjn76wCjcc/nXaXGu0cnqadtHFeos6eb6XfmaY9ZQkQ2HCBrARPTHyltSIk/+8TR067m632Zmjnd1ttJb8Wsx+btk3lCRDYQIFM9rr++qi/CL4/22c6VpR6nWkWpjQ06mc8dWLribO0qw4BAhskMGYh+Fi2nzzr7qRuZ5qlvTRUV4l4X2eD92f
+4yztqkOAwIYIZJ6POm5VZ53/wDy70lpcZm0z7dXJrHUeViu9eNa21SNAYI0FMuNPTtzemvnJf9G8w2+1PU+7afOaVrvJ/2LikfO0ry4BAmsokIn9rhET/+19DLnV/qxtp71aZEed5lBdXj5r++oRILCGApnUL6iZ3Uj/nfyZDrIP72qj/alOaxhsM+39fqvNoXw/kh6E85zApgpkYh+bqGtXdaX69HJmX/vW1UHlzdJ+qtVVSodPvagrOHSlTyTzqFn6UYcAgTUSyEQe9SnljX0OtWslqbxZ+ki1ug3YYPp8Xoy6EcarZulHHQIE1kQgE7wuczz8KWVnEfhonhzd51B3Gh5+nLaP1H/NcBt5/euJYxJ16kVX+kIyj5u2L+UJEFgTgUzgv+ia2cmrs8Wf3vcwG31N9QkrbbwoUVccHUx1PtZDarx5/KnBDUPPe/3E2LeP9ggQaAhkIp+eaF2G+G8a1ebKHlo8vv1y0kZT4eUdYz6UvO8dbCOv/ynRleq6WicNlvWcAIENEMjEvbhrRievDlyfvohdaPQ39hNW6j0k8Wcd9b+evGcPjzV5T+kou5P1uuHyXhMgsMYCmbnHJ1rHrv5qUUPfWTGGH0f1l7JPTtRNLYZTLaw/16qbbcMH5Xfq35In3/r62KornwCBNRLIhH31zuwdeqwL5O26201fQx/q69svu9rPxpMSb0l0nRhai+3Ic6uy/WCijsV1pV/o6lMeAQJrJpDZe2Si9Ze0v1zkcLtWjsob7DMvj0u8IdH6jeAns+3Jg3Vaz1Puw4mudGWrjnwCBNZIILP3WV0zeDtvoTdzaPVbPNl2VuJtiTow3kp/nQ0nTMqZsh9oNZT8J0zajnIECKxIIBP1ksYk/sCih9Tot7Lr5z+jUn2q+tlpxpfyj0jUca5WcmXSaUCVJbBsgczcuqnEbY0Z/NJFj6fR76jsz2Xjbyam/llN6lw4quFsu2bR+6t9AgTmEMgkPbsxieuGpJ13a56ju11VG313ZdcVQ1+XePiuRibISL06YN86BpZN30p1QP6UCZpThACBVQhkgl50/1zd9d9/XcZ4dvX64Iw6ifXdieckpr5e/OD4U//yxGBqfTV8xWA9zwkQWCOBzOBrB2fxwPPfWsYwB/obfvrSZPRyBnraedlw43n9Hx15lXXFMvZbHwQITCmQyVlni9d5Vl3p+6dsbqbiXR1X3kyNdVRKUz+ZGD5vq/5SWDdh7Uqf7GhGFgECqxbIbH1S14xN3qeWNbZG/70sWGn75xN13fnBVK8fnzg6UcfputLEp0ksy0k/swnMdRxhti7VWqDAwUbbH2rkb0R2VqA6EfaiDPZdiWMHBn1fnv/K1tbWzYmv5/lHBrYNPl3ouWeDHXm+WAEL1mJ9l916a8G6cdkD6au/LFT16ehfEl0/aP6NLFSDx6g+3OjXgtWA2bRsC9amvWOjx3tGY/NNjfy1zc5CdSDxsgywFqHhqzXcm7xXZrG6ZGgHWgtWb5eAHurPyyUL+EX7ksEX3F3rWE3rq9KChzNb81mo6kfPf5joukfiXcm/IIvVuztab32SfERHWVkbKGDB2sA3bcSQv7Ox7VAjf22ys0jVbefPT7wk8cONgX2wymSxurmx/X8b+a2FvFFc9roKWLDW9Z2ZbVytBevO2ZpbbK0sUielh7pM8wWJ5yZaP8+5O9v+JPGmLFbfyGMrfbmx4bsa+bI3TMCCtWFv2Jjhtn7mUl+jVpqyOD0lA6ivZo9NPG07xp0bVseq3pG4MAvVZ/I4Lt3RKOATVgNGNoGVCWRRqMsJd6Wl/Y+pq/MZ8uoGFFcknjgNZsrXuVhd6avTtKPs+gos7R/y+hLsqZF9M3vT9bXq6OTfswF7Wn/NvDTxznyium0DxmuISxawYC0ZfMHdfT7t11eu4fTdyVj518LhQeV1LbDXJa5KXJZF6to8zpOOa1T+YiNf9oYJWLA27A0bM9zPZXvXglUHtz89pu6iN9df+G5PfCFxQ+K
axLVZpL6Wx77S8Y2GLFgNmE3LtmBt2js2erz1Casr1YK10pSFqXWqQp/jan3CWvvTOvpE2MttOdN9b7279QmrK3WdgNlVbtPzHtfYAZ+wGjCblm3B2rR3bPR4W1/7njq62p7Z+oONPflsI1/2hglYsDbsDRsz3Ksb25fxdazR9VKzDzZ6e38jXzYBAqsSyAlIxyaGL25X5yXVeU2PWsa4qrOutOi+02ddgqZuaNGVnrDo/rW/HAGfsJbjvJRecmC7fsLyXx2d1fv8wo78vZT1jOzMyR07VMevWr897Cgua50FLFjr/O7MNrb3Nqr9UiN/r2Sf19iR92Uh7+WKp432ZRMgMKtAvg89res70XZe6xjPrN3tqtfqe1fBHjPSZ30Vvr3R9yt77EpTBAj0LZCJe11j8v5z330Nt9fod6GfcNLn6xv93pn81hUshofuNQECqxDIJH15YwJXdh3rWVhq9buoDtPfiYkvNfp926L61S4BAj0JZPI+bMQkvrG299TVrmYaC8fCPmGlv3e0+kz+fjn/bNf7IIPARglksv7eiIn8zkXtTKvPRfSXvl7S6i/571lEn9okQGABApmwRyU+OmJCv3oB3R7R6q/vvtLPWYm7G/3VzWTHXRyw7yFpjwCBeQQyac9tTOid7NfO035X3Z2Ghx+7ys6al7bPSdwx3MfA6z+YtW31CBBYoUAm8dsHJnLX04uS2dv5eF0dVF5fBGnquYnhuz9XFzvpI3ny0L760w4BAksUyOStywZftTObG49XJv97+hhWo/25F6y0e0zi4sR9rT6SX+dind7HfmiDAIEVCWQSn5T4n8SoVKcG/FriO+YZZquDOdt8VtoddTyuuq3jVufM04+6BAisiUAm8+MTtybGpY+lwAWJA7MMvdX4jG09Pe3Vp79xqX7w/YJZ+lCHAIE1FcikPjVxw7jZv739tjy+OXHmNLvTanvSNlK/xvjaxPWttoby65PhT0zavnIECGyQQCb3cYn3DE36cS/rpz6/nfiRRN2Bp5laDbUqpPyBxJmJVyT+PXFvYtL0qRR8Uqtt+XtPYGvv7ZI9GieQSV5/FazzsN6UmPYvanXn5esTdVG86xK3JOqWXHWj068k6uanXen4ZJ6SeHTi1ERdHfSsRN1gdZYz7y9NvVflSgyH8igRILDXBbJw1XGtqxOblG7JYH96r7839o8AgQ6BTP6txPMTH0qsc6qrib4mcUzHbsgiQGA/CWQhqEsMvzCxbp+46nSMWqhm+dq4n95C+0pgfwpkcTgj8dbEJKdBpFjv6VBavDTxzITjrPvzn2HnXvvH0Mkic0cgC0YdFH9e4hmJsxPHJvpOdSC/DuDX5Z3rIoNX5WD6PXmUCDxIwIL1IA4vRglk8ao7hR9M1KkEZyQelzgtUXfkOSFRi1nr39Rd2VZ/0aubvd6a+HjipsSNieuyQPV5y/o0Ke1FgdY/rr24r/ZpCQJZ1Dp/N5gFyb+1Jfjv9S56+5X+XoeyfwQIrF7AgrX698AICBCYUMCCNSGUYgQIrF7AgrX698AICBCYUMCCNSGUYgQIrF7AgrX698AICBCYUMCCNSGUYgQIrF7AgrX698AICBCYUMCCNSGUYgQIrF7AgrX698AICBCYUMCCNSGUYgQIrF7AgrX698AICBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQI
ECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQGDfCvw/BqwLpnvdxk0AAAAASUVORK5CYII= - - - - - - - - iVBORw0KGgoAAAANSUhEUgAAASwAAAEsCAYAAAB5fY51AAAABGdBTUEAALGPC/xhBQAAEmpJREFUeAHt3X3MvXVdB3BufgaCBkGI4pAySWeIvzKhLKayNq00W1YiUc6HOW096cw1XSVNR82Ws1iscvoHWWzkKFu13NpqCEONBFLQ0XwENJX8iQI+Ab/eH7lvOZz7+p7H6zzd9+u7fTjnfK/v0/U6v++Xc677Otd1xBESAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgsCKBrRX1q9s9KnD48OHHZNfOT3xf4p7ETYnLtra2DuVRIkCAwOoFslA9PPHniW8khtOXk/H6xIHVj9QICBDY1wJZiH488fHEuHRVCpy2r7HsPAECqxHI4nNk4g2JexKTpv9LweesZsR6JUBgXwpk0Tk58W+TrlJD5e7L6wsTjqHuy389dprAEgWy0JyduDUxb/qHNPCwJQ5dVwQI7CeBLDAvTnxt3pVqoP71eV5/WZQIECDQj0AWla3EmwcWmj6ffiaNHexnpFohQGBfC2QxeWji8glWqCtHlPnsiG216UuJZ+5raDtPgMB8AllETkhcnRiV6iD6GxMHRhR6VLa9d8T22lRfNZ8/34jVJkBgXwpk8Xhk4obEqHR3Nv7iDlCrYG3PtqMSf9sqs53/zTyet9OeRwIECIwVyKJxWuLm7UWk9VDHnp462Fir4E6ZbK9jYX/UKredX+d1/fJOHY8ECBBoCmSxeGzi09uLR+vhg9lw6nAjrcId5X41ZUedcHpvtlu0huG8JkDgAYEsEo9JfCIxKl2RjZ3nT7UqPdDDA89S9mcSd7XqJL++Hj7vgRqeESBAYFsgi8MpiXFfAy9JmeYZ6tnWmVrIKfyjiTs6K92f+dU8nNuqL5
8AgX0okEXhxMRN968Rzf9ePI6mVXNUvdQ5J3Fnq27y62oPPzSqDdsIENgnAlkMjk6MOocqmw+/dRKOKtiVxtVNnXMT9RfHVqqfAj16XDu2EyCwhwWyCNRf7S5rrRLb+W+ZlKDVziT1U/fZiVE/+/nPbD9mkraUIUBgDwpkARh3isEfT7Pbaa8zTdpGKteB+K6LAO60+3d50jyGNmk/yhEgsGECmfjn76wCjcc/nXaXGu0cnqadtHFeos6eb6XfmaY9ZQkQ2HCBrARPTHyltSIk/+8TR067m632Zmjnd1ttJb8Wsx+btk3lCRDYQIFM9rr++qi/CL4/22c6VpR6nWkWpjQ06mc8dWLribO0qw4BAhskMGYh+Fi2nzzr7qRuZ5qlvTRUV4l4X2eD92f+4yztqkOAwIYIZJ6POm5VZ53/wDy70lpcZm0z7dXJrHUeViu9eNa21SNAYI0FMuNPTtzemvnJf9G8w2+1PU+7afOaVrvJ/2LikfO0ry4BAmsokIn9rhET/+19DLnV/qxtp71aZEed5lBdXj5r++oRILCGApnUL6iZ3Uj/nfyZDrIP72qj/alOaxhsM+39fqvNoXw/kh6E85zApgpkYh+bqGtXdaX69HJmX/vW1UHlzdJ+qtVVSodPvagrOHSlTyTzqFn6UYcAgTUSyEQe9SnljX0OtWslqbxZ+ki1ug3YYPp8Xoy6EcarZulHHQIE1kQgE7wuczz8KWVnEfhonhzd51B3Gh5+nLaP1H/NcBt5/euJYxJ16kVX+kIyj5u2L+UJEFgTgUzgv+ia2cmrs8Wf3vcwG31N9QkrbbwoUVccHUx1PtZDarx5/KnBDUPPe/3E2LeP9ggQaAhkIp+eaF2G+G8a1ebKHlo8vv1y0kZT4eUdYz6UvO8dbCOv/ynRleq6WicNlvWcAIENEMjEvbhrRievDlyfvohdaPQ39hNW6j0k8Wcd9b+evGcPjzV5T+kou5P1uuHyXhMgsMYCmbnHJ1rHrv5qUUPfWTGGH0f1l7JPTtRNLYZTLaw/16qbbcMH5Xfq35In3/r62KornwCBNRLIhH31zuwdeqwL5O26201fQx/q69svu9rPxpMSb0l0nRhai+3Ic6uy/WCijsV1pV/o6lMeAQJrJpDZe2Si9Ze0v1zkcLtWjsob7DMvj0u8IdH6jeAns+3Jg3Vaz1Puw4mudGWrjnwCBNZIILP3WV0zeDtvoTdzaPVbPNl2VuJtiTow3kp/nQ0nTMqZsh9oNZT8J0zajnIECKxIIBP1ksYk/sCih9Tot7Lr5z+jUn2q+tlpxpfyj0jUca5WcmXSaUCVJbBsgczcuqnEbY0Z/NJFj6fR76jsz2Xjbyam/llN6lw4quFsu2bR+6t9AgTmEMgkPbsxieuGpJ13a56ju11VG313ZdcVQ1+XePiuRibISL06YN86BpZN30p1QP6UCZpThACBVQhkgl50/1zd9d9/XcZ4dvX64Iw6ifXdieckpr5e/OD4U//yxGBqfTV8xWA9zwkQWCOBzOBrB2fxwPPfWsYwB/obfvrSZPRyBnraedlw43n9Hx15lXXFMvZbHwQITCmQyVlni9d5Vl3p+6dsbqbiXR1X3kyNdVRKUz+ZGD5vq/5SWDdh7Uqf7GhGFgECqxbIbH1S14xN3qeWNbZG/70sWGn75xN13fnBVK8fnzg6UcfputLEp0ksy0k/swnMdRxhti7VWqDAwUbbH2rkb0R2VqA6EfaiDPZdiWMHBn1fnv/K1tbWzYmv5/lHBrYNPl3ouWeDHXm+WAEL1mJ9l916a8G6cdkD6au/LFT16ehfEl0/aP6NLFSDx6g+3OjXgtWA2bRsC9amvWOjx3tGY/NNjfy1zc5CdSDxsgywFqHhqzXcm7xXZrG6ZGgHWgtWb5eAHurPyyUL+EX7ksEX3F3rWE3rq9KChzNb81mo6kfPf5joukfiXcm/IIvVuztab32SfERHWVkbKGDB2sA3bcSQv7Ox7VAjf22ys0
jVbefPT7wk8cONgX2wymSxurmx/X8b+a2FvFFc9roKWLDW9Z2ZbVytBevO2ZpbbK0sUielh7pM8wWJ5yZaP8+5O9v+JPGmLFbfyGMrfbmx4bsa+bI3TMCCtWFv2Jjhtn7mUl+jVpqyOD0lA6ivZo9NPG07xp0bVseq3pG4MAvVZ/I4Lt3RKOATVgNGNoGVCWRRqMsJd6Wl/Y+pq/MZ8uoGFFcknjgNZsrXuVhd6avTtKPs+gos7R/y+hLsqZF9M3vT9bXq6OTfswF7Wn/NvDTxznyium0DxmuISxawYC0ZfMHdfT7t11eu4fTdyVj518LhQeV1LbDXJa5KXJZF6to8zpOOa1T+YiNf9oYJWLA27A0bM9zPZXvXglUHtz89pu6iN9df+G5PfCFxQ+KaxLVZpL6Wx77S8Y2GLFgNmE3LtmBt2js2erz1Casr1YK10pSFqXWqQp/jan3CWvvTOvpE2MttOdN9b7279QmrK3WdgNlVbtPzHtfYAZ+wGjCblm3B2rR3bPR4W1/7njq62p7Z+oONPflsI1/2hglYsDbsDRsz3Ksb25fxdazR9VKzDzZ6e38jXzYBAqsSyAlIxyaGL25X5yXVeU2PWsa4qrOutOi+02ddgqZuaNGVnrDo/rW/HAGfsJbjvJRecmC7fsLyXx2d1fv8wo78vZT1jOzMyR07VMevWr897Cgua50FLFjr/O7MNrb3Nqr9UiN/r2Sf19iR92Uh7+WKp432ZRMgMKtAvg89res70XZe6xjPrN3tqtfqe1fBHjPSZ30Vvr3R9yt77EpTBAj0LZCJe11j8v5z330Nt9fod6GfcNLn6xv93pn81hUshofuNQECqxDIJH15YwJXdh3rWVhq9buoDtPfiYkvNfp926L61S4BAj0JZPI+bMQkvrG299TVrmYaC8fCPmGlv3e0+kz+fjn/bNf7IIPARglksv7eiIn8zkXtTKvPRfSXvl7S6i/571lEn9okQGABApmwRyU+OmJCv3oB3R7R6q/vvtLPWYm7G/3VzWTHXRyw7yFpjwCBeQQyac9tTOid7NfO035X3Z2Ghx+7ys6al7bPSdwx3MfA6z+YtW31CBBYoUAm8dsHJnLX04uS2dv5eF0dVF5fBGnquYnhuz9XFzvpI3ny0L760w4BAksUyOStywZftTObG49XJv97+hhWo/25F6y0e0zi4sR9rT6SX+dind7HfmiDAIEVCWQSn5T4n8SoVKcG/FriO+YZZquDOdt8VtoddTyuuq3jVufM04+6BAisiUAm8+MTtybGpY+lwAWJA7MMvdX4jG09Pe3Vp79xqX7w/YJZ+lCHAIE1FcikPjVxw7jZv739tjy+OXHmNLvTanvSNlK/xvjaxPWttoby65PhT0zavnIECGyQQCb3cYn3DE36cS/rpz6/nfiRRN2Bp5laDbUqpPyBxJmJVyT+PXFvYtL0qRR8Uqtt+XtPYGvv7ZI9GieQSV5/FazzsN6UmPYvanXn5esTdVG86xK3JOqWXHWj068k6uanXen4ZJ6SeHTi1ERdHfSsRN1gdZYz7y9NvVflSgyH8igRILDXBbJw1XGtqxOblG7JYH96r7839o8AgQ6BTP6txPMTH0qsc6qrib4mcUzHbsgiQGA/CWQhqEsMvzCxbp+46nSMWqhm+dq4n95C+0pgfwpkcTgj8dbEJKdBpFjv6VBavDTxzITjrPvzn2HnXvvH0Mkic0cgC0YdFH9e4hmJsxPHJvpOdSC/DuDX5Z3rIoNX5WD6PXmUCDxIwIL1IA4vRglk8ao7hR9M1KkEZyQelzgtUXfkOSFRi1nr39Rd2VZ/0aubvd6a+HjipsSNieuyQPV5y/o0Ke1FgdY/rr24r/ZpCQJZ1Dp/N5gFyb+1Jfjv9S56+5X+XoeyfwQIrF7AgrX698AICBCYUMCCNSGUYgQIrF7AgrX698AICBCYUMCCNSGUYgQIrF7AgrX698AICBCYUMCCNSGUYgQIrF7AgrX698AICB
CYUMCCNSGUYgQIrF7AgrX698AICBCYUMCCNSGUYgQIrF7AgrX698AICBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQGDfCvw/BqwLpnvdxk0AAAAASUVORK5CYII= - - - - - - - - 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 - - - - - - - - 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 - - - - - - - - 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 - - - - - - - - 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 - - - - - - - - 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 - - - - - - - - 
iVBORw0KGgoAAAANSUhEUgAAASwAAAEsCAMAAABOo35HAAAAM1BMVEUAAAD///////////////////////////////////////////////////////////////+3leKCAAAAEXRSTlMAIFCAr9//QGCPv+8Qn88wcDAhSA0AAAJLSURBVHgB7d3Joqo6FEDBbUOCAYT//9nTN/cganz9fakaO1qDjRASAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+G/a7Q/HLgV35P5UhvQmuGrMh+mcfhFbmPeHMqS1YCUvU0nbgtUUvyFWTPGKWKZ4BVP8Aaa4WPeklX87llhipfu6fWwTa8sDtcTqoppYSSyxxBJLLLEuiCVWzv3U1cUSK17ty81YYnVTn/NXkmW4Gkusso9X30nm83YssYYlYhUrxnNjsUoph8Mh5zzGtcEdL85zXMaKeWgoVlzKZTPWGFuxYmk41vbgjm/rWFEajxXzUB9r33qs2NfHiq71WHGsjzU1H2tXH6tvPlYcq2Pl5mKdyovDLr4sVxOIVdKbviZBWms0Vprj091YYk13Y63khmN18Wm4l0CsFJ9KXYK+PpZYk1gvuroEQ8OxyoMDfp8ajrXEh7kuQWk41jA+dse3pHZjdXPNveH6uVeT94an/tZThzEujF1qMtbadPGrbo6V+a2VWHlzKWzrSb1Y43BrkfXXxXuxxvPN5fv5e3VRrO1F+bRBrGVIVbHEGpcupduxxNrnnPeH0zltEWv73vB/EUssscQS6waxxBJLLANerAeJJZZYYq105XTIc1UssSr46yCWWGLZUC6WWGKJJZZYYonVieWAREdvOtRVLAdR/ybm3hHnjxnz4XgW69HPMoj1d37wg/Gv+ZSM2R/Uz/6gfvYHv+8n+wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgGdtQJGPPIrELgAAAABJRU5ErkJggg== - - - - - - - - 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 - - - - - - - - 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 - - - - -``` ### Using a provisioning package diff --git a/windows/configuration/start-taskbar-lockscreen.md b/windows/configuration/start-taskbar-lockscreen.md index 3b140ca068..083777bcdd 100644 --- a/windows/configuration/start-taskbar-lockscreen.md +++ b/windows/configuration/start-taskbar-lockscreen.md @@ -5,8 +5,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -ms.localizationpriority: high +ms.localizationpriority: medium author: jdeckerms +ms.author: jdecker +ms.topic: article ms.date: 07/27/2017 --- diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md index af9099c374..27bc5fc49f 100644 --- a/windows/configuration/stop-employees-from-using-microsoft-store.md 
+++ b/windows/configuration/stop-employees-from-using-microsoft-store.md @@ -7,7 +7,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store, mobile author: TrudyHa -ms.localizationpriority: high +ms.author: Trudyha +ms.topic: conceptual +ms.localizationpriority: medium ms.date: 4/16/2018 --- diff --git a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md index 2270745715..81e41752be 100644 --- a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md +++ b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md @@ -54,7 +54,7 @@ Administrators can still define which user-customized application settings can s ## Compatibility with Microsoft Enterprise State Roaming -With Windows 10, version 1607, users can synchronize Windows application settings and Windows operating system settings to Azure instead of to OneDrive. You can use the Windows 10 enterprise sync functionality together with UE-V on on-premises domain-joined devices only. +With Windows 10, version 1607, users can synchronize Windows application settings and Windows operating system settings to Azure instead of to OneDrive. You can use the Windows 10 enterprise sync functionality together with UE-V for on-premises domain-joined devices only. In hybrid cloud environments, UE-V can roam Win32 applications on-premises while [Enterprise State Roaming](https://azure.microsoft.com/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) (ESR) can roam the rest, e.g., Windows and desktop settings, themes, colors, etc., to an Azure cloud installation. diff --git a/windows/configuration/wcd/wcd-accountmanagement.md b/windows/configuration/wcd/wcd-accountmanagement.md new file mode 100644 index 0000000000..70b495e029 --- /dev/null +++ b/windows/configuration/wcd/wcd-accountmanagement.md 
@@ -0,0 +1,55 @@ +--- +title: AccountManagement (Windows 10) +description: This section describes the account management settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.topic: article +ms.date: 04/30/2018 +--- + +# AccountManagement (Windows Configuration Designer reference) + +Use these settings to configure the Account Manager service. + +## Applies to + +| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [DeletionPolicy](#deletionpolicy) | | | | X | | +| [EnableProfileManager](#enableprofilemanager) | | | | X | | +| [ProfileInactivityThreshold](#profileinactivitythreshold) | | | | X | | +| [StorageCapacityStartDeletion](#storagecapacitystartdeletion) | | | | X | | +| [StorageCapacityStopDeletion](#storagecapacitystopdeletion) | | | | X | | + +>[!NOTE] +>Although the AccountManagement settings are available in advanced provisioning for other editions, you should only use them for HoloLens devices. + + +## DeletionPolicy + +Use this setting to set a policy for deleting accounts. + +- **Delete immediately**: When the account signs out, it will be deleted immediately. +- **Delete at storage capacity threshold**: Accounts will be deleted when available disk space falls below the threshold you set for **StorageCapacityStartDeletion**. When the available disk space reaches the threshold you set for **StorageCapacityStopDeletion**, the Account Manager will stop deleting accounts. +- **Delete at storage capacity threshold and profile inactivity threshold**: This setting will apply the same disk space checks as noted above, and will also delete accounts if they have not signed in within the number of days specified by **ProfileInactivityThreshold**. 
+ +## EnableProfileManager + +Set as **True** to enable automatic account management. If this is not set to **True**, no automatic account management will occur. + + +## ProfileInactivityThreshold + +If you set **DeletionPolicy** as **Delete at storage capacity threshold and profile inactivity threshold**, use this setting to configure the number of days after which an account that has not signed in will be deleted. + +## StorageCapacityStartDeletion + +Enter the percent of total storage available for user profiles. If **DeletionPolicy** is set to **Delete at storage capacity threshold** or **Delete at storage capacity threshold and profile inactivity threshold**, profiles will be deleted when available storage capacity falls below this threshold, until the value that you set for **StorageCapacityStopDeletion** is reached. Profiles that have been inactive the longest will be deleted first. + +## StorageCapacityStopDeletion + +Enter the percent of total storage at which to stop deleting profiles. If **DeletionPolicy** is set to **Delete at storage capacity threshold** or **Delete at storage capacity threshold and profile inactivity threshold**, profiles will be deleted when available storage capacity falls below the threshold set for **StorageCapacityStartDeletion**, until the value that you set for **StorageCapacityStopDeletion** is reached. Profiles that have been inactive the longest will be deleted first. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md index de3f2b1d0f..db8812512d 100644 --- a/windows/configuration/wcd/wcd-accounts.md +++ b/windows/configuration/wcd/wcd-accounts.md @@ -7,7 +7,8 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 09/06/2017 +ms.topic: article +ms.date: 04/30/2018 --- # Accounts (Windows Configuration Designer reference) 
@@ -18,7 +19,7 @@ Use these settings to join a device to an Active Directory domain or an Azure Ac | Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | -| [Azure](#azure) | X | X | X | | | +| [Azure](#azure) | X | X | X | X | | | [ComputerAccount](#computeraccount) | X | | X | | X | | [Users](#users) | X | | X | X | | @@ -29,7 +30,7 @@ The **Azure > Authority** and **Azure > BPRT** settings for bulk Azure Active Di - [Instructions for desktop wizard](../provisioning-packages/provision-pcs-for-initial-deployment.md) - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) -- [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard) +- [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) ## ComputerAccount @@ -41,7 +42,7 @@ Specifies the settings you can configure when joining a device to a domain, incl | Setting | Value | Description | | --- | --- | --- | | Account | string | Account to use to join computer to domain | -| AccountOU | string | Name of organizational unit for the computer account | +| AccountOU | Enter the full path for the organizational unit. For example: OU=testOU,DC=domain,DC=Domain,DC=com. | Name of organizational unit for the computer account | | ComputerName | Specify a unique name for the domain-joined computers using %RAND:x%, where x is an integer less than 15 digits long, or using %SERIAL% characters in the name.

                  ComputerName is a string with a maximum length of 15 bytes of content:

                  - ComputerName can use ASCII characters (1 byte each) and/or multi-byte characters such as Kanji, so long as you do not exceed 15 bytes of content.

                  - ComputerName cannot use spaces or any of the following characters: \{ | \} ~ \[ \\ \] ^ ' : ; < = > ? @ ! " \# $ % ` \( \) + / . , \* &, or contain any spaces.

                  - ComputerName cannot use some non-standard characters, such as emoji.

                  Computer names that cannot be validated through the DnsValidateName function cannot be used, for example, computer names that only contain numbers (0-9). For more information, see the [DnsValidateName function](http://go.microsoft.com/fwlink/?LinkId=257040). | Specifies the name of the Windows device (computer name on PCs) | | DomainName | string (cannot be empty) | Specify the name of the domain that the device will join | | Password | string (cannot be empty) | Corresponds to the password of the user account that's authorized to join the computer account to the domain. | diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md index 4360cfac59..b6410ee421 100644 --- a/windows/configuration/wcd/wcd-admxingestion.md +++ b/windows/configuration/wcd/wcd-admxingestion.md @@ -7,6 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/06/2017 --- @@ -77,7 +78,7 @@ Use the following PowerShell cmdlet to remove carriage returns and line feeds fr ```PS $path="file path" -(Get-Content $path -Raw).Replace("'r'n","") | Set-Content $path -Force +(Get-Content $admxFile -Raw).Replace("`r`n","") | Set-Content $path -Force ``` ## Category and policy in ADMX diff --git a/windows/configuration/wcd/wcd-applicationmanagement.md b/windows/configuration/wcd/wcd-applicationmanagement.md index 620e90e378..058450c727 100644 --- a/windows/configuration/wcd/wcd-applicationmanagement.md +++ b/windows/configuration/wcd/wcd-applicationmanagement.md @@ -7,6 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/12/2017 --- 
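Review bot: The rewritten PowerShell line in the wcd-admxingestion.md hunk reads from `$admxFile`, but the only variable the visible snippet assigns is `$path` on the line above. As written, `Get-Content` receives an unset variable and the command errors out instead of stripping the carriage returns and line feeds. The change to the backtick escapes is correct, so keep it and read from the same variable that is written: ``(Get-Content $path -Raw).Replace("`r`n","") | Set-Content $path -Force``. If `$admxFile` is meant to be a separate input file, the snippet should assign it and the surrounding text should say which file is read and which is overwritten.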
@@ -15,7 +16,7 @@ ms.date: 09/12/2017 Use these settings to manage app installation and management. >[!NOTE] ->ApplicationManagement settings are not available in Windows 10, version 1709. +>ApplicationManagement settings are not available in Windows 10, version 1709, and later. ## Applies to diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md index 683fe674f2..ae8d42c8ee 100644 --- a/windows/configuration/wcd/wcd-assignedaccess.md +++ b/windows/configuration/wcd/wcd-assignedaccess.md @@ -7,7 +7,8 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 09/14/2017 +ms.topic: article +ms.date: 04/30/2018 --- # AssignedAccess (Windows Configuration Designer reference) @@ -19,7 +20,7 @@ Use this setting to configure single use (kiosk) devices. | Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | | [AssignedAccessSettings](#assignedaccesssettings) | X | | | X | | -| [MultiAppAssignedAccessSettings](#multiappassignedaccesssettings) | X | | | | | +| [MultiAppAssignedAccessSettings](#multiappassignedaccesssettings) | X | | | X | | ## AssignedAccessSettings @@ -39,7 +40,7 @@ Enter the account and the application you want to use for Assigned access, using Use this setting to configure a kiosk device that runs more than one app. -1. [Create an assigned access configuration XML file for multiple apps.](../lock-down-windows-10-to-specific-apps.md) +1. Create an assigned access configuration XML file for multiple apps [(desktop](../lock-down-windows-10-to-specific-apps.md) or [HoloLens)](https://docs.microsoft.com/hololens/hololens-provisioning). 2. In Windows Configuration Designer, select **MultiAppAssignedAccessSettings**. 3. Browse to and select the assigned access configuration XML file. 
diff --git a/windows/configuration/wcd/wcd-automatictime.md b/windows/configuration/wcd/wcd-automatictime.md
index 703fc62918..272d9117a7 100644
--- a/windows/configuration/wcd/wcd-automatictime.md
+++ b/windows/configuration/wcd/wcd-automatictime.md
@@ -7,21 +7,39 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 09/06/2017 +ms.topic: article +ms.date: 04/30/2018 --- # AutomaticTime (Windows Configuration Designer reference) -Use these settings to configure automatic time updates. +Use these settings to configure automatic time updates. Mobile devices primarily rely on Network Identify and Time zone (NITZ), which is provided by the mobile operator, to automatically update the time on the device. When NITZ is available from the cellular network, there are no issues maintaining accurate time in devices. However, for devices that do not have a SIM or have had the SIM removed for some time, or for devices that have a SIM but NITZ is not supported, the device may run into issues maintaining accurate time on the device. + +The OS includes support for Network Time Protocol (NTP), which enables devices to receive time when NITZ is not supported or when cellular data is not available. NTP gets the time by querying a server at a specified time interval. NTP is based on Coordinated Universal Time (UTC) and doesn't support time zone or daylight saving time so users will need to manually update the time zone after an update from NTP if users move between time zones. ## Applies to | Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | +| [EnableAutomaticTime](#enableautomatictime) | | X | | | | +| [NetworkTimeUpdateThreshold](#networktimeupdatethreshold) | | X | | | | +| [NTPEnabled](#ntpenabled) | | X | | | | | [NTPRegularSyncInterval](#ntpregularsyncinterval) | | X | | | | | [NTPRetryInterval](#ntpretryinterval) | | X | | | | | [NTPServer](#ntpserver) | | X | | | | +| [PreferredSlot](#preferredslot) | | X | | | | +## EnableAutomaticTime + +Set to **True** to enable automatic time and to **False** to disable automatic time. 
+ +## NetworkTimeUpdateThreshold + +Specify the difference (in number of seconds) between the NITZ information and the current device time before a device time update is triggered. + +## NTPEnabled + +Set to **True** to enable the NTP client and to **False** to disable the NTP client. ## NTPRegularSyncInterval @@ -43,3 +61,14 @@ ntpserver1.contoso.com;ntpserver2.fabrikam.com;ntpserver3.contoso.com ``` The list should contain one or more server names. The default NTP source server value is `time.windows.com`. + + + + + +## PreferredSlot + +Specify which UICC slot will be preferred for NITZ handling on a C+G dual SIM phone. + +- Set to `0` to use the UICC in Slot 0 for NITZ handling. +- Set to '1' to use the UICC in Slot 1 for NITZ handling. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md index 823dfa407e..3ed958488d 100644 --- a/windows/configuration/wcd/wcd-browser.md +++ b/windows/configuration/wcd/wcd-browser.md @@ -7,7 +7,8 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 09/06/2017 +ms.topic: article +ms.date: 04/30/2018 --- # Browser (Windows Configuration Designer reference) @@ -19,7 +20,7 @@ Use to configure browser settings that should only be set by OEMs who are part o | Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | | [Favorites](#favorites) | | X | | | | -| [PartnerSearchCode](#partnersearchcode) | X | X | X | X | | +| [PartnerSearchCode](#partnersearchcode) | X | X | X | | | | [SearchProviders](#searchproviders) | | X | | | | ## Favorites diff --git a/windows/configuration/wcd/wcd-callandmessagingenhancement.md b/windows/configuration/wcd/wcd-callandmessagingenhancement.md index 09358607f5..2c27545f28 100644 --- a/windows/configuration/wcd/wcd-callandmessagingenhancement.md 
+++ b/windows/configuration/wcd/wcd-callandmessagingenhancement.md @@ -7,6 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/21/2017 --- diff --git a/windows/configuration/wcd/wcd-calling.md b/windows/configuration/wcd/wcd-calling.md index 9870b6d32e..dd7a6057aa 100644 --- a/windows/configuration/wcd/wcd-calling.md +++ b/windows/configuration/wcd/wcd-calling.md @@ -7,7 +7,8 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 09/21/2017 +ms.topic: article +ms.date: 04/30/2018 --- # Calling (Windows Configuration Designer reference) 
@@ -28,13 +29,33 @@ Use to configure settings for Calling. See [Branding for phone calls](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/branding-for-phone-calls). +## CallIDMatchOverrides + +Enter a GEOID, select **Add**, and then enter the number of digits for matching caller ID. + +For a list of GEOID codes and default number of digits for each country/region, see [Overriding the OS default minimu number of digits for caller ID matching](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/caller-id-matching#a-href-idoverriding-os-default-min-number-digitsaoverriding-the-os-default-minimum-number-of-digits-for-caller-id-matching). + +## CauseCodeRegistrationTable + +See [Cause codes](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/cause-codes). + + +## CDMAHeuristics + +CDMA Heuristics (on by default) makes CDMA calling more user-friendly by exposing an interface that supports multiple calls with call waiting, swapping, and three-way calling. + +For **CDMAPriorityCallPrefix**, enter a custom call prefix that would allow the user to override an ongoing call with a remote party mostly used in emergency services and law enforcement. + +Set **DisableCdmaHeuristics** to **True** to disable the built-in heuristics. + + ## PartnerAppSupport See [Dialer codes to launch diagnostic applications](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/dialer-codes-to-launch-diagnostic-applications). ## PerSimSettings -Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, click Add, and then configure the folowing settings. +Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, select **Add**, and then configure the folowing settings. ### Critical 
@@ -48,34 +69,84 @@ SimOverrideVoicemailNumber | Mobile operators can override the voicemail number Setting | Description --- | --- +AllowMixedAudioVideoConferencing | Set as **True** to enable audio and video calls in the same conference. AllowVideoConferencing | Set as **True** to enable the ability to conference video calls. +AutoDismissUssedWaitingDialog | Set as **True** to enable automatic dismissal of "Waiting" dialog on USSD session termination. +CallerIdBlockingPrefixList | Enter a list of prefixes which will not see the caller ID. Use a semicolon (;) as a delimiter. DefaultCallerIdSetting | Configure the default setting for caller ID. Select between `No one`, `Only contacts`, `Every one`, and `Network default`. If set to `Network default`, set `ShowCallerIdNetworkDefaultSetting` to **True**. DefaultEnableVideoCalling | Set as **True** to enable LTE video calling as the default setting. +DefaultEnableVideoCapability | Set as **True** to enable LTE video capability sharing as the default setting. +EnableSupplementaryServiceEraseToDeactivateOverride | Enables conversion of supplementary service erase commands to deactivate commands. +IgnoreCallerIdBlockingPrefix | DO NOT USE IgnoreMWINotifications | Set as **True** to configure the voicemail system so the phone ignores message waiting indicator (MWI) notifications. +IgnoreProhibitedDialingPrefix | Ignore prohibited dialing prefix. An OEM/MO can specify a certain set of strings by region that when dialed will block a user's caller ID from being displayed on the device receiving the call. The list is separated by semicolon. This setting does not apply beyond Windows 10, version 1709. IgnoreUssdExclusions | Set as **True** to ignore Unstructured Supplementary Service Data (USSD) exclusions. +ProhibitedDialingPrefixList | A semicolon delimited list of previxes that are prohibited from being dialed. 
ResetCallForwarding | When set to **True**, user is provided with an option to retry call forwarding settings query. ShowCallerIdNetworkDefaultSetting | Indicates whether the network default setting can be allowed for outgoing caller ID. ShowVideoCallingSwitch | Use to specify whether to show the video capability sharing switch on the mobile device's Settings screen. +ShowVideoCapabilitySwitch | Configure the phone settings to show the video capability sharing switch. SupressVideoCallingChargesDialog | Configure the phone settings CPL to supress the video calling charges dialog. UssdExclusionList | List used to exclude predefined USSD entries, allowing the number to be sent as standard DTMF tones instead. Set UssdExclusionList to the list of desired exclusions, separated by semicolons. For example, setting the value to 66;330 will override 66 and 330. Leading zeros are specified by using F. For example, to override code 079, set the value to F79. If you set UssdExclusionList, you must set IgnoreUssdExclusions as well. Otherwise, the list will be ignored. See [List of USSD codes](#list-of-ussd-codes) for values. WiFiCallingOperatorName | Enter the operator name to be shown when the phone is using WiFi calling. If you don't set a value for WiFiCallingOperatorName, the device will always display **SIMServiceProviderName Wi-Fi**, where *SIMServiceProviderName* is a string that corresponds to the SPN for the SIM on the device. If the service provider name in the SIM is not set, only **Wi-Fi** will be displayed. +### HDAudio +To customize call progress branding when a call is made using a specific audio codec, select the audio codec from the dropdown menu and select **Add**. Select the codec in **Available Customizations** and then enter a text string (up to 10 characters) to be used for call progress branding for calls using that codec. 
For more information, see [Use HD audio codec for call branding](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/use-hd-audio-codec-for-call-branding). + +### IMSSubscriptionUpdate + +These are Verizon/Sprint-only settings to allow the operator to send an OMA-DM update to the device with the given alert characteristics, which are defined between the mobile operator and OEM, which in turn will inform the device to turn on or off IMS. + +### RoamingNumberOverrides + +See [Dial string overrides when roaming](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/dial-string-overrides-when-roaming). ## PhoneSettings Setting | Description --- | --- +AdjustCDMACallTime | Change the calculation of CDMA call duration to exclude the time before the call connects. AssistedDialSetting | Turn off the international assist feature that helps users with the country codes needed for dialing international phone numbers. CallIDMatch | Sets the number of digits that the OS will try to match against contacts for Caller ID. For any country/region that doesn't exist in the default mapping table, mobile operators can use this legacy CallIDMatch setting to specify the minimum number of digits to use for matching caller ID. +CallRecordingOff | Indicates if call recording is turned off. Users will not see the call recording functionality when this is set to **True**. +ConferenceCallMaximumPartyCount | Enter a number to limit the number of parties that can participate in a conference call. ContinuousDTMFEnabled | Enable DTMF tone duration for as long as the user presses a dialpad key. +DisableVideoUpgradeStoreNavigation | If there are no compatible video upgrade apps installed, tapping the video upgrade button will launch a dialog that will navigate to the Microsoft Store. If this option is enabled, it will show a dialog that informs the user that no video app is installed, but it will not navigate to the Microsoft Store. 
DisableVoicemailPhoneNumberDisplay | Disable the display of the voicemail phone number below the Voicemail label in call progress dialog. +DisplayNoDataMessageDuringCall | Display a message to the user indicating that there is no Internet connectivity during a phone call. +DisplayNumberAsDialed | Display the outgoing number "as dialed" rather than "as connected". +EnableVideoCalling | Set to **True** to enable video calling. HideCallForwarding | Partners can hide the user option to turn on call forwarding. By default, users can decide whether to turn on call forwarding. Partners can hide this user option so that call forwarding is permanently disabled. +HideSIMSecurityUI | Hide the SIM Security panel from phone Settings. +LowVideoQualityTimeout | Configure the phone timer to automatically drop video when the quality is low, in milliseconds. +MinTimeBetweenCallSwaps | Configure how often the user can swap between two active phone calls, in milliseconds. +PromptVideoCallingCharges | Prompt user for charges associated with video calls. ShowLongTones | Partners can make a user option visible that makes it possible to toggle between short and long DTMF tones, instead of the default continuous tones. By default, the phone supports Dual-Tone Multi-frequency (DTMF) with continuous tones. Partners can make a user option visible that makes it possible to toggle between short and long tones instead. UseOKForUssdDialogs | OEMs can change the button label in USSD dialogs from **Close** (the default) to **OK**. +UseVoiceDomainForEmergencyCallBranding | Use voice domain to decide whether to use **Emergency calls only** or **No service** in branding. +VideoCallingChargesMessage | Enter text for the message informing the user about the charges associated with video calls. +VideoCallingChargesTitle | Enter text for the title of the dialog informing the user about the charges associated with video calls. +VideoCallingDescription | Enter text to describe the video calling feature. 
+VideoCallingLabel | Enter text to describe the video calling toggle. +VideoCapabilityDescription | Enter text to describe the video capability feature. +VideoCapabilityLabel | Enter text to describe the video capability toggle. +VideoTransitionTimeout | Enter the time in milliseconds to check how long the video transition state will remain until the remote party responds. The minimum value is 10000 and the maximum value is 30000. VoLTEAudioQualityString | Partners can add a string to the call progress screen to indicate if the active call is a high quality voice over LTE (VoLTE). Set the value of VoLTEAudioQualityString to the string that you want to display in the call progress screen to indicate that the call is a VoLTE call. This string is combined with the PLMN so if the string is "VoLTE", the resulting string is "PLMN_String VoLTE". For example, the string displayed in the call progress screen can be "Litware VoLTE" if the PLMN_String is "Litware". The value you specify for VoLTEAudioQualityString must exceed 10 characters. +## PhoneShellUI + +Setting | Description +--- | --- +EnableSoftwareProximitySensorMitigation | Enable software proximity sensor mitigation. + +## PhoneSmsFilter + +Setting | Description +--- | --- +AppId | Enter the app ID for your phone call/SMS filter application. + ## SupplementaryServiceCodeOverrides See [Dialer codes for supplementary services](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/dialer-codes-for-supplementary-services). diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md index fa754b467b..66fd0b6bc1 100644 --- a/windows/configuration/wcd/wcd-cellcore.md +++ b/windows/configuration/wcd/wcd-cellcore.md @@ -7,7 +7,8 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 09/21/2017 +ms.topic: article +ms.date: 04/30/2018 --- # CellCore (Windows Configuration Designer reference) 
@@ -21,25 +22,22 @@ Use to configure settings for cellular data. Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core --- | :---: | :---: | :---: | :---: | :---: - PerDevice: [CellConfigurations](#cellconfigurations) | | X | | | - PerDevice: [CellData](#celldata) CellularFailover | X | X | | | - PerDevice: [CellData](#celldata) MaxNumberOfPDPContexts | | X | | | - PerDevice: [CellData](#celldata) ModemProfiles | | X | | | - PerDevice: [CellData](#celldata) PersistAtImaging | | X | | | - PerDevice: [CellUX](#cellux) | | X | | | - PerDevice: [CGDual](#cgdual) | | X | | | - PerDevice: [eSim](#esim) | X | X | | | - PerDevice: [External](#external) | | X | | | - PerDevice: [General](#general) | | X | | | - PerDevice: [RCS](#rcs) | | X | | | - PerDevice: [SMS](#sms) | X | X | | | - PerDevice: [UIX](#uix) | | X | | | + PerDevice: [CellConfigurations](#cellconfigurations) | | X | | | | + PerDevice: [CellData](#celldata) | X | X | X | | + PerDevice: [CellUX](#cellux) | X | X | X | | + PerDevice: [CGDual](#cgdual) | | X | | | + PerDevice: [eSim](#esim) | X | X | X | | + PerDevice: [External](#external) | | X | | | + PerDevice: [General](#general) | | X | | | + PerDevice: [RCS](#rcs) | | X | | | + PerDevice: [SMS](#sms) | X | X | X | | + PerDevice: [UIX](#uix) | | X | | | PerDevice: [UTK](#utk) | | X | | | PerlMSI: [CellData](#celldata2) | | X | | | PerIMSI: [CellUX](#cellux2) | | X | | | PerIMSI: [General](#general2) | | X | | | PerIMSI: [RCS](#rcs2) | | X | | | - PerIMSI: [SMS](#sms2) | X | X | | | + PerIMSI: [SMS](#sms2) | X | X | X | | PerIMSI: [UTK](#utk2) | | X | | | PerIMSI: [VoLTE](#volte) | | X | | | 
@@ -75,9 +73,11 @@ Setting | Description --- | --- APNAuthTypeDefault | Select between **Pap** and **Chap** for default APN authentication type. APNIPTypeIfHidden | Select between **IPV4**, **IPV6**, **IPV4V6**, and **IPV4V6XLAT** for default APN IP type. +Critical > ShowVoLTERoaming | Select **Yes** to show the VoLTE roaming control in the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to hide the control. Critical > ShowVoLTEToggle | Select **Yes** to show the VoLTE toggle in the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to hide the toggle. Disable2GByDefault | Select **Yes** to disable 2G by default. Select **No** to enable 2G. Disabled2GNoticeDescription | Enter text to customize the notification for disabled 2G. +EmbeddedUiccSlotId | ID for embedded UICC (eUICC) slot. GenericWifiCallingErrorMessage | Enter text to customize the generic error message when a Wi-Fi calling error occurs. Hide3GPP2ModeSelection | Select **Yes** to hide the **CDMA** option in the network **Mode** selection drop-down menu. Select **No** to show the **CDMA** option. Hide3GPP2Selection | For 3GPP2 or CDMA phones, select **Yes** to hide the **Network Type** drop-down menu in the **SIM** settings screen. Select **No** to show **Network Type**. @@ -118,6 +118,8 @@ ShowSpecificWifiCallingError | Select **Yes** to show a specific error message b ShowViewAPN | Select **Yes** to show the **View Internet APN** button in **Settings** > **cellular+SIM**. ShowWifiCallingEmergencyCallWarning | Select **Yes** to show Wi-Fi emergency call warning. ShowWifiCallingError | Select **Yes** to show Wi-Fi calling error message. +SlotSelectionSim1Name | Enter text for the name of SIM 1 in slot selection UI. +SlotSelectionSim2Name | Enter text for the name of SIM 2 in slot selection UI. SuppressDePersoUI | Select **Yes** to hide the perso unlock UI. 
@@ -179,6 +181,7 @@ DisableLTESupportWhenRoaming | Set to **Yes** to disable LTE support when roamin DisableSystemTypeSupport | Enter the system types to be removed. DTMFOffTime | Sets the length of time, in milliseconds (between 64 and 1000 inclusive), of the pause between DTMF digits. For example, a value of 120 specifies 0.12 seconds. DTMFOnTime | Sets the length of time, in milliseconds (between 64 and 1000 inclusive), to generate the DTMF tone when a key is pressed. For example, a value of 120 specifies 0.12 seconds. +EnableIMSWhenRoaming | Set to **Yes** to enable IMS when roaming. ExcludedSystemTypesByDefault | Set the default value for **Highest connection speed** in the **Settings** > **Cellular & SIM** > **SIM** screen by specifying the bitmask for any combination of radio technology to be excluded from the default value. The connection speed that has not been excluded will show up as the highest connection speed. On dual SIM phones that only support up to 3G connection speeds, the **Highest connection speed** option is replaced by a 3G on/off toggle based on the per-device setting. Enter the binary setting to exclude 4G (`10000`) or 3G (`01000`). ExcludedSystemTypesPerOperator | Exclude specified system types from SIM cards that match the MCC:MNC pairs listed in **OperatorListForExcludedSystemTypes**. This setting is used only for China. Set the value to match the system type to be excluded. For more information about the RIL system types, see [RILSYSTEMTYPE](https://msdn.microsoft.com/library/windows/hardware/dn931143.aspx). For example, a value of 0x8 specifies RIL_SYSTEMTYPE_UMTS (3G) while 0x10 specifies RIL_SYSTEMTYPE_LTE (4G). To exclude more than one system type, perform a bitwise OR operation on the radio technologies you want to exclude. For example, a bitwise OR operation on RIL_SYSTEMTYPE_LTE (4G) and RIL_SYSTEMTYPE_UMTS (3G) results in the value 11000 (binary) or 0x18 (hexadecimal). 
In this case, the ExcludedSystemTypesPerOperator value must be set to 0x18 to limit the matching MCC:MNC pairs to 2G. LTEEnabled | Select **Yes** to enable LTE, and **No** to disable LTE. 
@@ -218,10 +221,13 @@ IncompleteMsgDeliverySeconds | Set the value, in seconds, for long to wait for a MessageExpirySeconds | Partners can set the expiration time before the phone deletes the received parts of a long SMS message. For example, if the phone is waiting for a three-part SMS message and the first part has been received, the first part will be deleted when the time expires and the other part of the message has not arrived. If the second part of the message arrives before the time expires, the first and second parts of the message will be deleted if the last part does not arrive after the time expires. The expiration time is reset whenever the next part of the long message is received. Set MessageExpirySeconds to the number seconds that the phone should wait before deleting the received parts of a long SMS messages. This value should be in hexadecimal and must be prefixed with 0x. The default value is 0x15180, which is equivalent to 1 day or 86,400 seconds. SmsFragmentLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsFragmentLimit to set the maximum number of bytes in the user data body of an SMS message. You must set the value between 16 (0x10) and 140 (0x8C). You must also use SmsPageLimit to set the maximum number of segments in a concatenated SMS message. SmsPageLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsPageLimit to set the maximum number of segments in a concatenated SMS message. You must set the value to 255 (0xFF) or smaller. You must also use SmsFragmentLimit to set the maximum number of bytes in the body of the SMS message. 
+SmsStoreDeleteSize | Set the number of messages that can be deleted when a "message full" indication is received from the modem. SprintFragmentInfoInBody | Partners can enable the messaging client to allow users to enter more than 160 characters per message. Messages longer than 160 characters are sent as multiple SMS messages that contain a tag at the beginning of the message in the form "(1/2)", where the first number represents the segment or part number and the second number represents the total number of segments or parts. Multiple messages are limited to 6 total segments. When enabled, the user cannot enter more characters after the 6 total segments limit is reached. Any message received with tags at the beginning is recombined with its corresponding segments and shown as one composite message. Type3GPP > ErrorHandling > ErrorType | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error type that you added as **Transient Failure** or **Permanent Failure**. Type3GPP > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**. -Type3GPP > IMS > SmsUse16BitReferenceNumbers | Configure whether to use 8-bit or 16-bit message ID (reference number) in the UDH. +Type3GPP > IMS > AttemptThresholdForIMS | Set the maximum number of tries to send SMS on IMS. +Type3GPP > IMS > RetryEnabled | Configure whether to enable one automatic retry after failure to send over IMS. +Type 3GPP > SmsUse16BitReferenceNumbers | Configure whether to use 8-bit or 16-bit message ID (reference number) in the UDH. Type3GPP2 > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP2, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**. 
Type3GPP2 > ErrorHandling > UseReservedAsPermanent | Set the 3GPP2 permanent error type. @@ -298,7 +304,7 @@ HideLTEAttachAPN | Select **Yes** to hide the **LTE attach APN** button on the * HideMMSAPN | Select **Yes** to hide the **add mms apn** button on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the **add mms apn** button. HideMMSAPNIPType | Select **Yes** to hide the APN IP type selector on the MMS APN page. Select **No** to show the APN IP type selector. HideModeSelection | Select **Yes** to hide the **Network Mode selection** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the **Network Mode selection**. -HidePersoUnlock | Select **Yes** to hide the Perso unlock UI. Select **No** to show the Perso unlock UI. +HidePersoUnlock | Select **Yes** to hide the Perso unlock UI. Select **No** to show the Perso unlock UI. (Removed in Windows 10, version 1803.) HighestSpeed2G | You can customize the listed names of the connection speeds with their own character codes. To modify "2G" to another character code, change the value of HighestSpeed2G. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI. HighestSpeed3G | You can customize the listed names of the connection speeds with their own character codes. To modify "3G" to another character code, change the value of HighestSpeed3G. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI. HighestSpeed3GOnly | You can customize the listed names of the connection speeds with their own character codes. To modify "3G Only" to another character code, change the value of HighestSpeed3GOnly. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI. 
@@ -318,6 +324,9 @@ ShowSpecificWifiCallingError | Select **Yes** to show a specific error message b ShowViewAPN | Select **Yes** to show the **View Internet APN** button in **Settings** > **cellular+SIM**. ShowWifiCallingEmergencyCallWarning | Select **Yes** to show Wi-Fi emergency call warning. ShowWifiCallingError | Select **Yes** to show Wi-Fi calling error message. +SlotSelectionSim1Name | Enter text for the name of SIM 1 in slot selection UI. (Removed in Windows 10, version 1803.) +SlotSelectionSim2Name | Enter text for the name of SIM 2 in slot selection UI. (Removed in Windows 10, version 1803.) +SuppressDePersoUI | Suppress DePerso UI to unlock Perso. (Removed in Windows 10, version 1803.) 
@@ -336,13 +345,14 @@ CardLock | Used to enforce either the card allow list or both the card allow and Critical > MultivariantProvisionedSPN | Used to change the default friendly SIM names in dual SIM phones. By default, the OS displays SIM 1 or SIM 2 as the default friendly name for the SIM in slot 1 or slot 2 if the service provider name (SPN) or mobile operator name has not been set. Partners can use this setting to change the default name read from the SIM to define the SPN for SIM cards that do not contain this information or to generate the default friendly name for the SIM. The OS uses the default value as the display name for the SIM or SPN in the Start screen and other parts of the UI including the SIM settings screen. For dual SIM phones that contain SIMs from the same mobile operator, the names that appear in the UI may be similar. See [Values for MultivariantProvisionedSPN](#spn). Critical > SimNameWithoutMSISDNENabled | Use this setting to remove the trailing MSISDN digits from the service provider name (SPN) in the phone UI. By default, the OS appends the trailing MSISDN digits to the service provider name (SPN) in the phone UI, including on the phone and messaging apps. If required by mobile operators, OEMs can use the SimNameWithoutMSISDNEnabled setting to remove the trailing MSISDN digits. However, you must use this setting together with **MultivariantProvisionedSPN** to suppress the MSISDN digits. DisableLTESupportWhenRoaming | Set to **Yes** to disable LTE support when roaming. +EnableIMSWhenRoaming | Set to **Yes** to enable IMS when roaming. ExcludedSystemTypesByDefault | Set the default value for **Highest connection speed** in the **Settings** > **Cellular & SIM** > **SIM** screen by specifying the bitmask for any combination of radio technology to be excluded from the default value. The connection speed that has not been excluded will show up as the highest connection speed. 
On dual SIM phones that only support up to 3G connection speeds, the **Highest connection speed** option is replaced by a 3G on/off toggle based on the per-device setting. Enter the binary setting to exclude 4G (`10000`) or 3G (`01000`). LTEEnabled | Select **Yes** to enable LTE, and **No** to disable LTE. LTEForced | Select **Yes** to force LTE. NetworkSuffix | To meet branding requirements for some mobile operators, you can add a suffix to the network name that is displayed on the phone. For example, you can change from ABC to ABC 3G when under 3G coverage. This feature can be applied for any radio access technology (RAT). For TD-SCDMA RAT, a 3G suffix is always appended by default, but partners can also customize this the same way as with any other RAT. In the setting name, set SYSTEMTYPE to the network type that you want to append the network name to and click **Add**:

                  - system type 4: 2G (GSM)
                  - system type 8: 3G (UMTS)
                  - system type 16: LTE
                  - system type 32: 3G (TS-SCDMA)

                  Select the system type that you added, and enter the network name and suffix that you want displayed. NitzFiltering | For mobile networks that can receive Network Identity and Time Zone (NITZ) information from multiple sources, partners can set the phone to ignore the time received from an LTE network. Time received from a CDMA network is not affected. Set the value of NitzFiltering to `0x10`. -OperatorListForExcludedSystemTypes | Enter a comma-separated list of MCC and MNC (MCC:MNC) for which system types should be restricted. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can specify the MCC and MNC of other specific operators that the main mobile operator wishes to limit. If the UICC's MCC and MNC matches any of the pairs that OEMs can specify for the operator, a specified RIL system type will be removed from the UICC regardless of its app types, slot position, or executor mapping. This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. Set the value of the OperatorListForExcludedSystemTypes setting a comma separated list of MCC:MNC pairs for which the system types should be restricted. For example, the value can be set to 310:026,310:030 to restrict operators with an MCC:MNC of 310:026 and 310:030. -OperatorPreferredForFasterRadio | Set Issuer Identification Number (IIN) or partial ICCID of preferred operator for the faster radio. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can map a partial ICCID or an Industry Identification Number (IIN) to the faster radio regardless of which SIM card is chosen for data connectivity. This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. 
To map a partial ICCID or an IIN to the faster radio regardless of which SIM card is chosen for data connectivity, set the value of OperatorPreferredForFasterRadio to match the IIN or the ICCID, up to 7 digits, of the preferred operator. +OperatorListForExcludedSystemTypes | Enter a comma-separated list of MCC and MNC (MCC:MNC) for which system types should be restricted. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can specify the MCC and MNC of other specific operators that the main mobile operator wishes to limit. If the UICC's MCC and MNC matches any of the pairs that OEMs can specify for the operator, a specified RIL system type will be removed from the UICC regardless of its app types, slot position, or executor mapping. This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. Set the value of the OperatorListForExcludedSystemTypes setting a comma separated list of MCC:MNC pairs for which the system types should be restricted. For example, the value can be set to 310:026,310:030 to restrict operators with an MCC:MNC of 310:026 and 310:030. (Removed in Windows 10, version 1803.) +OperatorPreferredForFasterRadio | Set Issuer Identification Number (IIN) or partial ICCID of preferred operator for the faster radio. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can map a partial ICCID or an Industry Identification Number (IIN) to the faster radio regardless of which SIM card is chosen for data connectivity. This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. 
To map a partial ICCID or an IIN to the faster radio regardless of which SIM card is chosen for data connectivity, set the value of OperatorPreferredForFasterRadio to match the IIN or the ICCID, up to 7 digits, of the preferred operator. (Removed in Windows 10, version 1803.) SuggestDataRoamingARD | Use to show the data roaming suggestion dialog when roaming and the data roaming setting is set to no roaming. diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md index 1e6bdf31fa..290e3f52cb 100644 --- a/windows/configuration/wcd/wcd-cellular.md +++ b/windows/configuration/wcd/wcd-cellular.md @@ -7,6 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/21/2017 --- diff --git a/windows/configuration/wcd/wcd-certificates.md b/windows/configuration/wcd/wcd-certificates.md index 34575878e2..56aa4f2379 100644 --- a/windows/configuration/wcd/wcd-certificates.md +++ b/windows/configuration/wcd/wcd-certificates.md @@ -7,6 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/06/2017 --- diff --git a/windows/configuration/wcd/wcd-cleanpc.md b/windows/configuration/wcd/wcd-cleanpc.md index 0841fd7fe6..fa17758467 100644 --- a/windows/configuration/wcd/wcd-cleanpc.md +++ b/windows/configuration/wcd/wcd-cleanpc.md @@ -7,6 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/06/2017 --- diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md index c7e3a5d70c..cf22b5e590 100644 --- a/windows/configuration/wcd/wcd-connections.md +++ b/windows/configuration/wcd/wcd-connections.md 
@@ -7,7 +7,8 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 10/09/2017 +ms.topic: article +ms.date: 04/30/2018 --- # Connections (Windows Configuration Designer reference) @@ -18,7 +19,7 @@ Use to configure settings related to various types of phone connections. | Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | -| All settings | X | X | X | X | | +| All settings | X | X | X | | | For each setting group: diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md index 0073f13e81..b797544274 100644 --- a/windows/configuration/wcd/wcd-connectivityprofiles.md +++ b/windows/configuration/wcd/wcd-connectivityprofiles.md @@ -7,7 +7,8 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 01/10/2018 +ms.topic: article +ms.date: 04/30/2018 --- # ConnectivityProfiles (Windows Configuration Designer reference) @@ -18,11 +19,11 @@ Use to configure profiles that a user will connect with, such as an email accoun | Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | -| [Email](#email) | X | X | X | X | X | -| [Exchange](#exchange) | X | X | X | X | X | -| [KnownAccounts](#knownaccounts) | X | X | X | X | X | +| [Email](#email) | X | X | X | | X | +| [Exchange](#exchange) | X | X | X | | X | +| [KnownAccounts](#knownaccounts) | X | X | X | | X | | [VPN](#vpn) | X | X | X | X | X | -| [WiFiSense](#wifisense) | X | X | X | X | X | +| [WiFiSense](#wifisense) | X | X | X | | X | | [WLAN](#wlan) | X | X | X | X | X | ## Email 
@@ -166,7 +167,7 @@ The **Config** settings are initial settings that can be overwritten when settin ### SystemCapabilities -You can use these settings to configure system capabilities for Wi-Fi adapters, which is a new functionality in Windows 10. These system capabilities are added at image time to ensure that the information is at its most accurate. The capabilities allow the OS to have a better understanding of the underlying hardware that it's running on. Diagnostic data data is generated by the system to provide data that can be used to diagnose both software and hardware issues. +You can use these settings to configure system capabilities for Wi-Fi adapters, which is a new functionality in Windows 10. These system capabilities are added at image time to ensure that the information is at its most accurate. The capabilities allow the OS to have a better understanding of the underlying hardware that it's running on. Diagnostic data is generated by the system to provide data that can be used to diagnose both software and hardware issues. | Setting | Description | | --- | --- | diff --git a/windows/configuration/wcd/wcd-countryandregion.md b/windows/configuration/wcd/wcd-countryandregion.md index cea28f29ea..63428e442e 100644 --- a/windows/configuration/wcd/wcd-countryandregion.md +++ b/windows/configuration/wcd/wcd-countryandregion.md @@ -7,7 +7,8 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 09/06/2017 +ms.topic: article +ms.date: 04/30/2018 --- # CountryAndRegion (Windows Configuration Designer reference) 
@@ -18,6 +19,6 @@ Use to configure a setting that partners must customize to ship Windows devices | Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | -| CountryCodeForExtendedCapabilityPrompts | X | X | X | X | | +| CountryCodeForExtendedCapabilityPrompts | X | X | X | | | You can set the **CountryCodeForExtendedCapabilityPrompts** setting for **China** to enable additional capability prompts when apps use privacy-sensitive features (such as Contacts or Microphone). diff --git a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md index 516d965076..f2cf8486fa 100644 --- a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md +++ b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md @@ -7,6 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/21/2017 --- diff --git a/windows/configuration/wcd/wcd-developersetup.md b/windows/configuration/wcd/wcd-developersetup.md index 619c43ad8f..a37e897815 100644 --- a/windows/configuration/wcd/wcd-developersetup.md +++ b/windows/configuration/wcd/wcd-developersetup.md @@ -7,6 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/06/2017 --- diff --git a/windows/configuration/wcd/wcd-deviceformfactor.md b/windows/configuration/wcd/wcd-deviceformfactor.md index 5651da1065..3a05a093c8 100644 --- a/windows/configuration/wcd/wcd-deviceformfactor.md +++ b/windows/configuration/wcd/wcd-deviceformfactor.md @@ -7,7 +7,8 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 09/06/2017 +ms.topic: article +ms.date: 04/30/2018 --- # DeviceFormFactor (Windows Configuration Designer reference) 
@@ -18,7 +19,7 @@ Use to identify the form factor of the device. | Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | -| DeviceForm | X | X | X | X | | +| DeviceForm | X | X | X | | | Specifies the device form factor running Windows 10. Generally, the device form is set by the original equipment manufacturer (OEM), however you might want to change the device form based on its usage in your organization. diff --git a/windows/configuration/wcd/wcd-deviceinfo.md b/windows/configuration/wcd/wcd-deviceinfo.md index 97e88fe617..891a4c6de2 100644 --- a/windows/configuration/wcd/wcd-deviceinfo.md +++ b/windows/configuration/wcd/wcd-deviceinfo.md @@ -7,6 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/21/2017 --- diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md index 48555e434c..70a65ed02e 100644 --- a/windows/configuration/wcd/wcd-devicemanagement.md +++ b/windows/configuration/wcd/wcd-devicemanagement.md @@ -7,7 +7,8 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 09/21/2017 +ms.topic: article +ms.date: 04/30/2018 --- # DeviceManagement (Windows Configuration Designer reference) @@ -18,10 +19,10 @@ Use to configure device management settings. | Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | -| [Accounts](#accounts) | X | X | X | X | | -| [PGList](#pglist) | X | X | X | X | | -| [Policies](#policies) | X | X | X | X | | -| [TrustedProvisioningSource](#trustedprovisioningsource) | X | X | X | X | | +| [Accounts](#accounts) | X | X | X | | | +| [PGList](#pglist) | X | X | X | | | +| [Policies](#policies) | X | X | X | | | +| [TrustedProvisioningSource](#trustedprovisioningsource) | X | X | X | | | ## Accounts 
@@ -76,12 +77,12 @@ The following table describes the settings you can configure for **Policies**. | Setting | Description | | --- | --- | | MMS > MMSMessageRoles | Select between **SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**. If a message contains at least one of the roles in the selected role mask, then the message is processed. | -| OMACP > NetwpinRoles | Select a policy role to specify whether OMA network PIN-signed messages will be accepted. OMA Client Provisioning Network PIN policy determines whether the OMA network PIN signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.

                  Available roles are: **SECROLE_OPERATOR_TIPS**, **SECROLE_KNOWN_PPG**, **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, **SECROLE_OPERATOR_TPS_OR_SECROLE_ANY_PUSH_SOURCE**, **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**.

                  **Note** IMSI-based NETWPIN and USERNETWPIN may not work for dual SIM phones. The OMA-CP authentication provider only uses the IMSI from executor 0 (the current, active data SIM) when hashing these messages. OMA-CP payloads targeting executor 1 are rejected by the phone. For more information about executors, see Dual SIM. | -| OMACP > UsernetwpinRoles | Select a policy role to specify whether the OMA user network PIN-signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.

                  Available roles are: **SECROLE_OPERATOR_TIPS**, **SECROLE_KNOWN_PPG**, **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, **SECROLE_OPERATOR_TPS_OR_SECROLE_ANY_PUSH_SOURCE**, **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**.

                  **Note** IMSI-based NETWPIN and USERNETWPIN may not work for dual SIM phones. The OMA-CP authentication provider only uses the IMSI from executor 0 (the current, active data SIM) when hashing these messages. OMA-CP payloads targeting executor 1 are rejected by the phone. For more information about executors, see Dual SIM. | -| OMACP > UserpinRoles | Select a policy role to specify whether the OMA user PIN or user MAC signed message will be accepted. OMA Client Provisioning User PIN policy determines whether the OMA user PIN or user MAC signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.

                  Available roles are: **SECROLE_OPERATOR_TIPS**, **SECROLE_KNOWN_PPG**, **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, **SECROLE_OPERATOR_TPS_OR_SECROLE_ANY_PUSH_SOURCE**, **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**. | +| OMACP > NetwpinRoles | (Window 10, version 1709 and earlier only) Select a policy role to specify whether OMA network PIN-signed messages will be accepted. OMA Client Provisioning Network PIN policy determines whether the OMA network PIN signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.

                  Available roles are: **SECROLE_OPERATOR_TIPS**, **SECROLE_KNOWN_PPG**, **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, **SECROLE_OPERATOR_TPS_OR_SECROLE_ANY_PUSH_SOURCE**, **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**.

                  **Note** IMSI-based NETWPIN and USERNETWPIN may not work for dual SIM phones. The OMA-CP authentication provider only uses the IMSI from executor 0 (the current, active data SIM) when hashing these messages. OMA-CP payloads targeting executor 1 are rejected by the phone. For more information about executors, see Dual SIM. | +| OMACP > UsernetwpinRoles | (Window 10, version 1709 and earlier only) Select a policy role to specify whether the OMA user network PIN-signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.

                  Available roles are: **SECROLE_OPERATOR_TIPS**, **SECROLE_KNOWN_PPG**, **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, **SECROLE_OPERATOR_TPS_OR_SECROLE_ANY_PUSH_SOURCE**, **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**.

                  **Note** IMSI-based NETWPIN and USERNETWPIN may not work for dual SIM phones. The OMA-CP authentication provider only uses the IMSI from executor 0 (the current, active data SIM) when hashing these messages. OMA-CP payloads targeting executor 1 are rejected by the phone. For more information about executors, see Dual SIM. | +| OMACP > UserpinRoles | (Window 10, version 1709 and earlier only) Select a policy role to specify whether the OMA user PIN or user MAC signed message will be accepted. OMA Client Provisioning User PIN policy determines whether the OMA user PIN or user MAC signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.

                  Available roles are: **SECROLE_OPERATOR_TIPS**, **SECROLE_KNOWN_PPG**, **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, **SECROLE_OPERATOR_TPS_OR_SECROLE_ANY_PUSH_SOURCE**, **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_OPERATOR_TPS_OR_SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**. | | SISL > ServiceIndicationRoles | Specify the security roles that can accept SI messages. Service Indication (SI) Message policy indicates whether SI messages are accepted by specifying the security roles that can accept SI messages. An SI message is sent to the phone to notify users of new services, service updates, and provisioning services.

                  Available roles are: **SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**. | | SISL > ServiceLoadingRoles | Specify the security roles that can accept SL messages. Service Loading (SL) Message policy indicates whether SL messages are accepted by specifying the security roles that can accept SL messages. An SL message downloads new services or provisioning XML to the phone.

                  Available roles are: **SECROLE_KNOWN_PPG**, **SECROLE_ANY_PUSH_SOURCE**, and **SECROLE_KNOWN_PPG_OR_SECROLE_ANY_PUSH_SOURCE**. | - +| WSP > WSPPushAllowed | Indicates whether Wireless Session Protocol (WSP) notifications from the WAP stack are routed. ## TrustedProvisioningSource In **PROVURL**, enter the URL for a Trusted Provisioning Server (TPS). diff --git a/windows/configuration/wcd/wcd-dmclient.md b/windows/configuration/wcd/wcd-dmclient.md index 991cf820c1..274f251c85 100644 --- a/windows/configuration/wcd/wcd-dmclient.md +++ b/windows/configuration/wcd/wcd-dmclient.md @@ -7,7 +7,8 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 09/06/2017 +ms.topic: article +ms.date: 04/30/2018 --- # DMClient (Windows Configuration Designer reference) @@ -18,7 +19,7 @@ Use to specify enterprise-specific mobile device management configuration settin | Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | -| UpdateManagementServiceAddress | X | X | X | X | X | +| UpdateManagementServiceAddress | X | X | X | | X | For the **UpdateManagementServiceAddress** setting, enter a list of servers. The first server in the semi-colon delimited list is the server that will be used to instantiate MDM sessions. diff --git a/windows/configuration/wcd/wcd-editionupgrade.md b/windows/configuration/wcd/wcd-editionupgrade.md index 7cf47f5528..8b9e9e37e7 100644 --- a/windows/configuration/wcd/wcd-editionupgrade.md +++ b/windows/configuration/wcd/wcd-editionupgrade.md @@ -7,7 +7,8 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 09/06/2017 +ms.topic: article +ms.date: 04/30/2018 --- # EditionUpgrade (Windows Configuration Designer reference) 
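Review bot: In the wcd-devicemanagement.md Policies hunk (`@@ -76,12 +77,12 @@`), the added `| WSP > WSPPushAllowed | …` row has no closing ` |` and, going by the hunk counts, takes the place of the empty line that separated the table from `## TrustedProvisioningSource`. Depending on the renderer, the heading may be absorbed into the table or the last row left malformed, so end the row with ` |` and keep an empty line before the heading. The row also gives neither the accepted values nor the default for whether WSP notifications are routed; those are not visible here and should be added by the author. The three rewritten OMACP rows say `(Window 10, version 1709 and earlier only)`, which should read `(Windows 10, version 1709 and earlier only)`. `SECROLE_OPERATOR_TIPS` in the same rows is probably a typo for `SECROLE_OPERATOR_TPS`, judging by the combined role names, though it predates this change.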
@@ -18,9 +19,9 @@ Use to upgrade the edition of Windows 10 on the device. [Learn about Windows 10 | Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | -| [ChangeProductKey](#changeproductkey) | X | X | | X | | +| [ChangeProductKey](#changeproductkey) | X | X | | | | | [UpgradeEditionWithLicense](#upgradeeditionwithlicense) | X | X | | X | | -| [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey) | X | X | | X | | +| [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey) | X | X | | | | ## ChangeProductKey diff --git a/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md b/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md index 8728978340..9ad65e569c 100644 --- a/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md +++ b/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md @@ -7,6 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/06/2017 --- diff --git a/windows/configuration/wcd/wcd-firewallconfiguration.md b/windows/configuration/wcd/wcd-firewallconfiguration.md index 7a3d133608..a0a581baec 100644 --- a/windows/configuration/wcd/wcd-firewallconfiguration.md +++ b/windows/configuration/wcd/wcd-firewallconfiguration.md @@ -7,6 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/06/2017 --- diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md index a28f6531bc..cb1554991e 100644 --- a/windows/configuration/wcd/wcd-firstexperience.md +++ b/windows/configuration/wcd/wcd-firstexperience.md 
@@ -7,10 +7,25 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 09/06/2017 +ms.topic: article +ms.date: 08/08/2018 --- # FirstExperience (Windows Configuration Designer reference) -Do not configure **FirstExperience** in provisioning packages at this time. These settings will be available to configure the out-of-box experience (OOBE) to set up HoloLens in a future release. +Use these settings to configure the out-of-box experience (OOBE) to set up HoloLens. + +## Applies to + +| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | | | X | | + +Setting | Description +--- | --- +PreferredRegion | Enter the [geographical location identifier](https://msdn.microsoft.com/library/windows/desktop/dd374073.aspx) for the region. +PreferredTimezone | Enter the timezone. [Microsoft Time Zone Index Values](https://msdn.microsoft.com/library/ms912391.aspx) +SkipCalibration | Initial setup of HoloLens includes a calibration step. Set to **True** to skip calibration. +SkipTraining | Initial setup of HoloLens includes training on how to perform the gestures to operate HoloLens. Set to **True** to skip training. +SkipWifi | Set to **True** to skip connecting to a Wi-Fi network.

                  **Note:** HoloLens [requires a Wi-Fi connection during setup to verify the account](https://docs.microsoft.com/hololens/hololens-setup). To skip the Wi-Fi connection page during setup, your provisioning package must provide the network configuration. You can configure the network configuration [in the HoloLens wizard](https://docs.microsoft.com/hololens/hololens-provisioning#create-a-provisioning-package-for-hololens-using-the-hololens-wizard) and then switch to the advanced editor to configure **FirstExperience** settings, or in advanced settings, configure a WLAN [connectivity profile](wcd-connectivityprofiles.md). diff --git a/windows/configuration/wcd/wcd-folders.md b/windows/configuration/wcd/wcd-folders.md index b2eff878f5..69797f84fa 100644 --- a/windows/configuration/wcd/wcd-folders.md +++ b/windows/configuration/wcd/wcd-folders.md @@ -7,7 +7,8 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 09/06/2017 +ms.topic: article +ms.date: 04/30/2018 --- # Folders (Windows Configuration Designer reference) @@ -18,6 +19,6 @@ Use to add files to the device. | Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | -| PublicDocuments | X | X | X | X | | +| PublicDocuments | X | X | X | | | Browse to and select a file or files that will be included in the provisioning package and added to the public profile documents folder on the target device. You can use the **Relative path to directory on target device** field to create a new folder within the public profile documents folder. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-hotspot.md b/windows/configuration/wcd/wcd-hotspot.md index b94a37b66d..d3dbe83cdf 100644 --- a/windows/configuration/wcd/wcd-hotspot.md +++ b/windows/configuration/wcd/wcd-hotspot.md 
@@ -7,7 +7,8 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 09/14/2017 +ms.topic: article +ms.date: 04/30/2018 --- # HotSpot (Windows Configuration Designer reference) @@ -47,6 +48,17 @@ If Enabled is initially set to **True**, the feature is turned off and the inter When Enabled is set to **False**, the internet sharing screen is added to Settings, although sharing is turned off by default until the user turns it on. +## EntitlementDll + +Enter the path to the entitlement DLL used to make entitlement checks that verify that the device is entitled to use the Internet sharing service on a mobile operator's network. + +## EntitlementInterval + +Enter the time interval, in seconds, between entitlement checks. + +## EntitlementRequired + +Specify whether the device requires an entitlement check to determine if Internet sharing should be enabled. ## MaxBluetoothUsers diff --git a/windows/configuration/wcd/wcd-initialsetup.md b/windows/configuration/wcd/wcd-initialsetup.md index 59ca15a3aa..f75a6811ab 100644 --- a/windows/configuration/wcd/wcd-initialsetup.md +++ b/windows/configuration/wcd/wcd-initialsetup.md @@ -7,6 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/06/2017 --- diff --git a/windows/configuration/wcd/wcd-internetexplorer.md b/windows/configuration/wcd/wcd-internetexplorer.md index 02987bcc9a..e9fe891193 100644 --- a/windows/configuration/wcd/wcd-internetexplorer.md +++ b/windows/configuration/wcd/wcd-internetexplorer.md @@ -7,6 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/06/2017 --- diff --git a/windows/configuration/wcd/wcd-licensing.md b/windows/configuration/wcd/wcd-licensing.md index d939f1c11f..c905f3ec39 100644 --- a/windows/configuration/wcd/wcd-licensing.md +++ b/windows/configuration/wcd/wcd-licensing.md 
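Review bot: The new `## EntitlementDll` section in the wcd-hotspot.md hunk at `@@ -47,6 +48,17 @@` says only `Enter the path to the entitlement DLL used to make entitlement checks …`, without stating what form of path is accepted or which component is expected to supply the DLL. Because this value names the library that performs the entitlement check, the reference should spell out both; neither detail is visible in the hunk, so the author has to supply them. `## EntitlementInterval` and `## EntitlementRequired` likewise give no default or accepted values.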
@@ -7,6 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/06/2017 --- diff --git a/windows/configuration/wcd/wcd-maps.md b/windows/configuration/wcd/wcd-maps.md index 62fc500f1b..8bff1e1a34 100644 --- a/windows/configuration/wcd/wcd-maps.md +++ b/windows/configuration/wcd/wcd-maps.md @@ -7,7 +7,8 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 09/06/2017 +ms.topic: article +ms.date: 04/30/2018 --- # Maps (Windows Configuration Designer reference) @@ -18,9 +19,9 @@ Use for settings related to Maps. | Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | -| [ChinaVariantWin10](#chinavariantwin10) | X | X | X | X | | -| [UseExternalStorage](#useexternalstorage) | X | X | X | X | | -| [UseSmallerCache](#usesmallercache) | X | X | X | X | | +| [ChinaVariantWin10](#chinavariantwin10) | X | X | X | | | +| [UseExternalStorage](#useexternalstorage) | X | X | X | | | +| [UseSmallerCache](#usesmallercache) | X | X | X | | | ## ChinaVariantWin10 diff --git a/windows/configuration/wcd/wcd-messaging.md b/windows/configuration/wcd/wcd-messaging.md index 1e7444531d..b48bfa9e23 100644 --- a/windows/configuration/wcd/wcd-messaging.md +++ b/windows/configuration/wcd/wcd-messaging.md @@ -7,7 +7,8 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 09/21/2017 +ms.topic: article +ms.date: 04/30/2018 --- # Messaging (Windows Configuration Designer reference) @@ -42,6 +43,10 @@ When configured as **True**, you set a LIFO message order. When configured as ** Enable this setting to allow custom line setup dialogs in the Messaging app. +### ExtractPhoneNumbersInStrings" + +Set as **True** to tag any 5-or-more digit number as a tappable phone number. + ### ShowSendingStatus >[!NOTE] 
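Review bot: The heading added in the wcd-messaging.md hunk at `@@ -42,6 +43,10 @@` carries a stray trailing quote, `### ExtractPhoneNumbersInStrings"`, which will appear in the rendered heading and probably in its generated anchor; it should be `### ExtractPhoneNumbersInStrings`. The description `Set as **True** to tag any 5-or-more digit number as a tappable phone number.` does not say what the default is; that is not visible in the hunk, so the author should state it.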
@@ -88,7 +93,7 @@ AllowMmsIfDataIsOffWhileRoaming | **True** allows MMS if data is off while roami ### AllowSelectAllContacts >[!NOTE] ->This setting is removed in Windows 10, version 1709. +>This setting is removed in Windows 10, version 1709, and later. Set to **True** to show the select all contacts/unselect all menu option to allow users to easily select multiple recipients for an SMS or MMS message. This menu option provides users with an easier way to add multiple recipients and may also meet a mandatory requirement for some mobile operator networks. @@ -144,6 +149,7 @@ CmasAMBERAlertEnabled | **True** enables the device to receive AMBER alerts CmasExtremeAlertEnabled | **True** enables the device to receive extreme alerts CmasSevereAlertEnabled | **True** enables the device to receive severe alerts EmOperatorEnabled | Select which Emergency Alerts Settings page is displayed from dropdown menu +EtwsSoundEnabled | Set to **True** to play Earthquake & Tsunami Warning System (ETWS) sound during alert. SevereAlertDependentOnExtremeAlert | When set as **True**, the CMAS-Extreme alert option must be on to modify CMAS-Severe alert option 
@@ -160,21 +166,29 @@ AutoRetryDownload | You can configure the messaging app to automatically retry d BroadcastChannels | You can specify one or more ports from which the device will accept cellular broadcast messages. Set the BroadcastChannels value to the port number(s) that can accept cellular broadcast messages. If you specify the same port that Windows 10 Mobile already recognizes as an Emergency Alert port (a CMAS or ETWS port number) and a cell broadcast message is received on that port, the user will only receive the message once. The message that is received will be displayed as an Emergency Alert message. ConvertLongSMStoMMS | For networks that do support MMS and do not support segmentation of SMS messages, you can specify an automatic switch from SMS to MMS for long messages. DefaultContentLocationUrl | For networks that require it, you can specify the default GET path within the MMSC to use when the GET URL is missing from the WAP push MMS notification. Set DefaultContentLocationUrl to specify the default GET path within the MMSC. +EarthquakeMessageString | To override the Primary Earthquake default message, specify the EarthquakeMessageString setting value. This string will be used regardless of what language is set on the device. +EarthquakeTsunamiMessageString| To override the Primary Tsunami and Earthquake default message, specify the EarthquakeTsunamiMessageString setting value. This string will be used regardless of what language is set on the device. ErrorCodeEnabled | You can choose to display additional content in the conversation view when an SMS or MMS message fails to send. This content includes a specific error code in decimal format that the user can report to technical support. Common errors also include a friendly string to help the user self-diagnose and fix the problem. Set to **True** to display the error message with an explanation of the problem and the decimal-format error codes. 
When set to **False**, the full error message is not displayed. +EtwsSoundFileName | Set the value to the name of a sound file. HideMediumSIPopups | By default, when a service indication message is received with a signal-medium or signal-high setting, the phone interrupts and shows the user prompt for these messages. However, you can hide the user prompts for signal-medium messages. ImsiAuthenticationToken | Configure whether MMS messages include the IMSI in the GET and POST header. Set ImsiAuthenticationToken to the token used as the header for authentication. The string value should match the IMSI provided by the UICC. LimitRecipients | Set the maximum number of recipients to which a single SMS or MMS message can be sent. Enter a number between 1 and 500 to limit the maximum number of recipients. MaxRetryCount | You can specify the number of times that the phone can retry sending the failed MMS message and photo before the user receives a notification that the photo could not be sent. Specify MaxRetryCount to specify the number of times the MMS transport will attempt resending the MMS message. This value has a maximum limit of 3. MMSLimitAttachments | You can specify the maximum number of attachments for MMS messages, from 1 to 20. The default is 5. +NIInfoEnabled | NIInfoEnabled +ProxyAuthorizationToken | See [Proxy authorization for MMS.](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/proxy-authorization-for-mms) RetrySize | For MMS messages that have photo attachments and that fail to send, you can choose to automatically resize the photo and attempt to resend the message. Specify the maximum size to use to resize the photo in KB. Minimum is 0xA (10 KB). SetCacheControlNoTransform | When set, proxies and transcoders are instructed not to change the HTTP header and the content should not be modified. A value of 1 or 0x1 adds support for the HTTP header Cache-Control No-Transform directive. 
When the SetCacheControlNoTransform``Value is set to 0 or 0x0 or when the setting is not set, the default HTTP header Cache-Control No-Cache directive is used. ShowRequiredMonthlyTest | **True** enables devices to receive CMAS Required Monthly Test (RMT) messages and have these show up on the device. **False** disables devices from receiving CMAS RMT messages. +SIProtocols | Additional supported service indication protocol name. SmscPanelDisabled | **True** disables the short message service center (SMSC) panel. SMStoSMTPShortCode | Use to configure SMS messages to be sent to email addresses and phone numbers. `0` disables sending SMS messages to SMTP addresses. `1` enables sending SMS messages to SMTP addresses. TargetVideoFormat | You can specify the transcoding to use for video files sent as attachments in MMS messages. Set TargetVideoFormat to one of the following values to configure the default transcoding for video files sent as attachments in MMS messages:

                  - 0 or 0x0 Sets the transcoding to H.264 + AAC + MP4. This is the default set by the OS.
                  - 1 or 0x1 Sets the transcoding to H.264 + AAC + 3GP.
                  - 2 or 0x2 Sets the transcoding to H.263 + AMR.NB + 3GP.
                  - 3 or 0x3 Sets the transcoding to MPEG4 + AMR.NB + 3GP. +TsunamiMessageString | To override the Primary Tsunami default message, specify the TsunamiMessageString setting value. This string will be used regardless of what language is set on the device. UAProf | You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC. There are two ways to correlate a user agent profile with a given phone:

                  - You can take the user agent string of the phone that is sent with MMS requests and use it as a hash to map to the user agent profile on the MMSC. The user agent string cannot be modified.
                  - Alternatively, you can directly set the URI of the user agent profile on the phone.

                  Set UAProf to the full URI of your user agent profile file. Optionally, you can also specify the custom user agent property name for MMS that is sent in the header by setting UAProfToken to either `x-wap-profile` or `profile`. UAProfToken | You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC. UseDefaultAddress | By default, the MMS transport sends an acknowledgement to the provisioned MMS application server (MMSC). However, on some networks, the correct server to use is sent as a URL in the MMS message. In that case, a registry key must be set, or else the acknowledgement will not be received and the server will continue to send duplicate messages. **True** enables some networks to correctly acknowledge MMS messages. **False** disables the feature. +UseInsertAddressToken | Use insert address token or local raw address. UserAgentString | Set UserAgentString to the new user agent string for MMS in its entirely. By default, this string has the format WindowsPhoneMMS/MicrosoftMMSVersionNumber WindowsPhoneOS/OSVersion-buildNumber OEM-deviceName, in which the italicized text is replaced with the appropriate values for the phone. UseUTF8ForUnspecifiedCharset | Some incoming MMS messages may not specify a character encoding. To properly decode MMS messages that do not specify a character encoding, you can set UTF-8 to decode the message. WapPushTechnology | For networks that require non-standard handling of single-segment incoming MMS WAP Push notifications, you can specify that MMS messages may have some of their content truncated and that they may require special handling to reconstruct truncated field values. 
`1` or `0x1` enables MMS messages to have some of their content truncated. `0` or `0x0` disables MMS messages from being truncated @@ -222,9 +236,14 @@ Set options for Rich Communications Services (RCS). | Setting | Description | | --- | --- | +RcsAllowLeaveClosedGroupChats | Whether or not to allow users to leave closed group chats. | RcsEnabled | Toggle to enable/disable RCS service. Set to **True** to enable. | | RcsFileTransferAutoAccept | Set to **True** to auto-accept RCS incoming file transfer if the file size is less than warning file size.| +RcsFiletransferAutoAcceptWhileRoaming | Auto-accept RCS incoming file transfer when the file size is less than the warning file size while roaming. +RcsGroupChatCreationMode | The mode used to create new RCS group chats. +RcsGroupChatCreationgThreadingMode | The mode used to thread newly created RCS group chats. | RcsSendReadReceipt | Set to **True** to send read receipt to the sender when a message is read. | +RcsTimeWindowsAfterSelfLeave | After RCS receives a self-left message, it will ignore messages during this time (in milliseconds), except self-join. | ShowRcsEnabled | Set to **True** to show the toggle for RCS activation. | @@ -262,6 +281,20 @@ Set TargetVideoFormat to one of the following values to configure the default tr | 3 or 0x3 | Sets the transcoding to MPEG4 + AMR.NB + 3GP. | +### TaiwanAlertOptions + +Set options for Taiwan Emergency Alerts system. For more information, see [Emergency notifications](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/emergency-notifications#taiwan-alerts). + + +Setting | Description +--- | --- +TaiwanAlertEnabled | Receive Taiwan alerts. +TaiwanEmergencyAlertEnabled | Receive Taiwan emergency alerts. +TaiwanPresidentialAlertEnabled | Receive alerts from the Leader of the Taiwan Area. +TaiwanRequiredMonthlytestEnabled | Receive Taiwan Required Monthly Test alerts. + + + ### UAProf >[!NOTE] 
diff --git a/windows/configuration/wcd/wcd-modemconfigurations.md b/windows/configuration/wcd/wcd-modemconfigurations.md index d9e44fcdec..7282a3f54d 100644 --- a/windows/configuration/wcd/wcd-modemconfigurations.md +++ b/windows/configuration/wcd/wcd-modemconfigurations.md @@ -7,6 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/12/2017 --- diff --git a/windows/configuration/wcd/wcd-multivariant.md b/windows/configuration/wcd/wcd-multivariant.md index 040e99d17d..f5604d8c64 100644 --- a/windows/configuration/wcd/wcd-multivariant.md +++ b/windows/configuration/wcd/wcd-multivariant.md @@ -7,6 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/06/2017 --- diff --git a/windows/configuration/wcd/wcd-networkproxy.md b/windows/configuration/wcd/wcd-networkproxy.md index e14688c052..f48d289c4d 100644 --- a/windows/configuration/wcd/wcd-networkproxy.md +++ b/windows/configuration/wcd/wcd-networkproxy.md @@ -7,6 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/06/2017 --- diff --git a/windows/configuration/wcd/wcd-networkqospolicy.md b/windows/configuration/wcd/wcd-networkqospolicy.md index a70fff2d1c..3f8d2822e2 100644 --- a/windows/configuration/wcd/wcd-networkqospolicy.md +++ b/windows/configuration/wcd/wcd-networkqospolicy.md @@ -7,6 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/06/2017 --- diff --git a/windows/configuration/wcd/wcd-nfc.md b/windows/configuration/wcd/wcd-nfc.md index 46fd5e425a..3aebb6e738 100644 --- a/windows/configuration/wcd/wcd-nfc.md +++ b/windows/configuration/wcd/wcd-nfc.md @@ -7,6 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/06/2017 --- 
diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md index e875e3889c..35acf44bc2 100644 --- a/windows/configuration/wcd/wcd-oobe.md +++ b/windows/configuration/wcd/wcd-oobe.md @@ -7,6 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/06/2017 --- diff --git a/windows/configuration/wcd/wcd-otherassets.md b/windows/configuration/wcd/wcd-otherassets.md index 1a62876716..d26f543e2b 100644 --- a/windows/configuration/wcd/wcd-otherassets.md +++ b/windows/configuration/wcd/wcd-otherassets.md @@ -7,6 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/06/2017 --- diff --git a/windows/configuration/wcd/wcd-personalization.md b/windows/configuration/wcd/wcd-personalization.md index 375aeb8cd6..14a361651f 100644 --- a/windows/configuration/wcd/wcd-personalization.md +++ b/windows/configuration/wcd/wcd-personalization.md @@ -7,6 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker +ms.topic: article ms.date: 09/06/2017 --- diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index 25f5b58fc5..e533cd7b14 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md @@ -7,7 +7,8 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 10/16/2017 +ms.topic: article +ms.date: 08/03/2018 --- # Policies (Windows Configuration Designer reference) 
@@ -26,7 +27,7 @@ This section describes the **Policies** settings that you can configure in [prov | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | | [AllowAddingNonMicrosoftAccountManually](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-allowaddingnonmicrosoftaccountsmanually) | Whether users can add non-Microsoft email accounts | X | X | | | | -| [AllowMicrosoftAccountConnection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountconnection) | Whether users can use a Microsoft account for non-email-related connection authentication and services | X | X | | | | +| [AllowMicrosoftAccountConnection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountconnection) | Whether users can use a Microsoft account for non-email-related connection authentication and services | X | X | | X | | | [AllowMicrosoftAccountSigninAssistant](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountsigninassistant) | Disable the **Microsoft Account Sign-In Assistant** (wlidsvc) NT service | X | X | | | | | [DomainNamesForEmailSync](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-domainnamesforemailsync) | List of domains that are allowed to sync email on the devices | X | X | | | | 
@@ -48,7 +49,7 @@ This section describes the **Policies** settings that you can configure in [prov | [AllowDeveloperUnlock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | X | X | X | X | X | | [AllowGameDVR](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting is allowed | X | | | | | | [AllowSharedUserAppData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | X | X | | | | -| [AllowStore](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device (?) | | X | | | | +| [AllowStore](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device | | X | | | | | [ApplicationRestrictions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc. 
| | x | | | | | [RestrictAppDataToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | X | X | | | | | [RestrictAppToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | X | X | | | | 
@@ -77,53 +78,61 @@ This section describes the **Policies** settings that you can configure in [prov | [AllowAdvertising](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | X | X | X | X | X | | [AllowDiscoverableMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other Bluetooth-enabled devices can discover the device | X | X | X | X | X | | [AllowPrepairing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | X | X | X | | X | -| [LocalDeviceName](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | X | X | X | | X | -| [ServicesAllowedList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | X | X | | X | | +| AllowPromptedProximalConnections | Whether Windows will prompt users when Bluetooth devices that are connectable are in range of the user's device | X | X | X | X | X | +| [LocalDeviceName](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | X | X | X | X | X | +| [ServicesAllowedList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | X | X | X | X | | ## Browser | Setting | Description | Desktop 
editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | | [AllowAddressBarDropdown](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowaddressbardropdown) | Specify whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. | X | | | | | -| [AllowAutofill](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowautofill) | Specify whether autofill on websites is allowed. | X | X | X | | | -| [AllowBrowser](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowbrowser) | Specify whether the browser is allowed on the device. | | X | | | | -| [AllowCookies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowcookies) | Specify whether cookies are allowed. | X | X | X | | | +| [AllowAutofill](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowautofill) | Specify whether autofill on websites is allowed. | X | X | X | X | | +| [AllowBrowser](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowbrowser) | Specify whether the browser is allowed on the device. | X | | | | | +[AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | Specify whether Microsoft Edge can automatically update the configuration data for the Books Library. 
| X | | | | | +| [AllowCookies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowcookies) | Specify whether cookies are allowed. | X | X | X | X | | | [AllowDeveloperTools](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowdevelopertools) | Specify whether employees can use F12 Developer Tools on Microsoft Edge. | X | | | | | -| [AllowDoNotTrack](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do Not Track headers are allowed. | X | X | X | | | +| [AllowDoNotTrack](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do Not Track headers are allowed. | X | X | X | X | | | [AllowExtensions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowextensions) | Specify whether Microsoft Edge extensions are allowed. | X | | | | | | [AllowFlash](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowflash) | Specify whether Adobe Flash can run in Microsoft Edge. | X | | | | | | [AllowFlashClickToRun](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowflashclicktorun) | Specify whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | X | | | | | -| [AllowInPrivate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowinprivate) | Specify whether InPrivate browsing is allowed on corporate networks. 
| X | X | X | | | +| [AllowInPrivate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowinprivate) | Specify whether InPrivate browsing is allowed on corporate networks. | X | X | X | X | | | [AllowMicrosoftCompatibilityList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowmicrosoftcompatibilitylist) | Specify whether to use the Microsoft compatibility list in Microsoft Edge. | X | X | X | | | -| [AllowPasswordManager](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowpasswordmanager) | Specify whether saving and managing passwords locally on the device is allowed. | X | X | X | | | -| [AllowPopups](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowpopups) | Specify whether pop-up blocker is allowed or enabled. | X | | | | | +| [AllowPasswordManager](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowpasswordmanager) | Specify whether saving and managing passwords locally on the device is allowed. | X | X | X | X | | +| [AllowPopups](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowpopups) | Specify whether pop-up blocker is allowed or enabled. | X | | | X | | | [AllowSearchEngineCustomization](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsearchenginecustomization) | Allow search engine customization for MDM-enrolled devices. 
| X | | | | | -| [AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsearchsuggestionsinaddressbar) | Specify whether search suggestions are allowed in the address bar. | X | X | X | | | -| [AllowSmartScreen](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsmartscreen) | Specify whether Windows Defender SmartScreen is allowed. | X | X | X | | | +| [AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsearchsuggestionsinaddressbar) | Specify whether search suggestions are allowed in the address bar. | X | X | X | X | | +| [AllowSmartScreen](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsmartscreen) | Specify whether Windows Defender SmartScreen is allowed. | X | X | X | X | | +[AlwaysEnableBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | Always show the Books Library in Microsoft Edge. | X | | | | | | [ClearBrowsingDataOnExit](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-clearbrowsingdataonexit) | Specify whether to clear browsing data when exiting Microsoft Edge. | X | | | | | | [ConfigureAdditionalSearchEngines](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 addtional search engines for MDM-enrolled devices. 
| X | X | X | | | | [DisableLockdownOfStartPages](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | X | | | | | +[EnableExtendedBooksTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | Enable this setting to send additional diagnostic data, on top of the basic diagnostic data, from the Books tab. | X | | | | | | [EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. | X | | | | | | [EnterpriseSiteListServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisesitelistserviceurl) | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | X | | | | | | [FirstRunURL](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it is opened for the first time. | | X | | | | | [HomePages](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | X | | | | | +[LockdownFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | Configure whether employees can add, import, sort, or edit the Favorites list in Microsoft Edge. 
| X | | | | | | [PreventAccessToAboutFlagsInMicrosoftEdge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | X | X | X | | | | [PreventFirstRunPage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventfirstrunpage) | Specify whether to enable or disable the First Run webpage. | X | | | | | | [PreventLiveTileDataCollection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventlivetiledatacollection) | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. | X | X | X | | | | [PreventSmartScreenPromptOverride](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. | X | X | X | | | | [PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. | X | X | X | | | +PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. 
| X | | | | | | [PreventUsingLocalHostIPAddressForWebRTC](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | X | X | X | | | +[ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | Configure a default set of favorites which will appear for employees. | X | | | | | | [SendIntranetTraffictoInternetExplorer ](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | X | | | | | | [SetDefaultSearchEngine](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-setdefaultsearchengine) | Configure the default search engine for your employees. | X | X | X | | | -| [howMessageWhenOpeningSitesInInternetExplorer](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-showmessagewhenopeningsitesininternetexplorer) | Specify whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site list. | X | | | | | +| [ShowMessageWhenOpeningSitesInInternetExplorer](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-showmessagewhenopeningsitesininternetexplorer) | Specify whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site list. 
| X | | | | | | [SyncFavoritesBetweenIEAndMicrosoftEdge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-syncfavoritesbetweenieandmicrosoftedge) | Specify whether favorites are kept in sync between Internet Explorer and Microsoft Edge. | X | | | | | +[UseSharedFolderForBooks](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | Specify whether organizations should use a folder shared across users to store books from the Books Library. | X | | | | | ## Camera | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowCamera](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | X | X | X | | | +| [AllowCamera](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | X | X | X | X | | ## Connectivity 
@@ -145,7 +154,7 @@ This section describes the **Policies** settings that you can configure in [prov | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -[DisableAutomaticReDeploymentCredentials](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders) | This setting disables the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Windows 10 Automatic ReDeployment feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students. | X | | | | | +[DisableAutomaticReDeploymentCredentials](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders) | This setting disables the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Windows 10 Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students. | X | | | | | ## Cryptography 
@@ -218,15 +227,15 @@ This section describes the **Policies** settings that you can configure in [prov | --- | --- | :---: | :---: | :---: | :---: | :---: | | [AllowIdleReturnWithoutPassword](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-allowidlereturnwithoutpassword) | Specify whether the user must input a PIN or password when the device resumes from an idle state. | | X | | | | | [AllowScreenTimeoutWhileLockedUserConfig](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-allowscreentimeoutwhilelockeduserconfig) | Specify whether to show a user-configurable setting to control the screen timeout while on the lock screen. | | X | | | | -| [AllowSimpleDevicePassword](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-allowsimpledevicepassword) | Specify whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. | X | X | | | | -|[AlphanumericDevicePasswordRequired](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-alphanumericdevicepasswordrequired) | Select the type of PIN or password required. | X | X | | | | -| [DevicePasswordEnabled](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordenabled) | Specify whether device password is enabled. | X | X | | | | -| [DevicePasswordExpiration](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordexpiration) | Specify when the password expires (in days). 
| X | X | | | | -| [DevicePasswordHistory](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordhistory) | Specify how many passwords can be stored in the history that can't be reused. | X | X | | | | -| [MaxDevicePasswordFailedAttempts](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-maxdevicepasswordfailedattempts) | Specify the number of authentication failures allowed before the device will be wiped. | X | X | | | | -| [MaxInactivityTimeDeviceLock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-maxinactivitytimedevicelock) |Specify the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. | X | X | | | | -| [MinDevicePasswordComplexCharacters](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordcomplexcharacters) | Specify the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. | X | X | | | | -| [MinDevicePasswordLength](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordlength) | Specify the minimum number or characters required in the PIN or password. | X | X | | | | +| [AllowSimpleDevicePassword](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-allowsimpledevicepassword) | Specify whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. 
| X | X | | X | | +|[AlphanumericDevicePasswordRequired](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-alphanumericdevicepasswordrequired) | Select the type of PIN or password required. | X | X | | X | | +| [DevicePasswordEnabled](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordenabled) | Specify whether device password is enabled. | X | X | | X | | +| [DevicePasswordExpiration](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordexpiration) | Specify when the password expires (in days). | X | X | | X | | +| [DevicePasswordHistory](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordhistory) | Specify how many passwords can be stored in the history that can't be reused. | X | X | | X | | +| [MaxDevicePasswordFailedAttempts](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-maxdevicepasswordfailedattempts) | Specify the number of authentication failures allowed before the device will be wiped. | X | X | | X | | +| [MaxInactivityTimeDeviceLock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-maxinactivitytimedevicelock) |Specify the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. 
| X | X | | X | | +| [MinDevicePasswordComplexCharacters](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordcomplexcharacters) | Specify the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. | X | X | | X | | +| [MinDevicePasswordLength](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordlength) | Specify the minimum number or characters required in the PIN or password. | X | X | | X | | | [ScreenTimeoutWhileLocked](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-screentimeoutwhilelocked) | Specify the duration in seconds for the screen timeout while on the lock screen. | | X | | | | 
@@ -243,10 +252,10 @@ This section describes the **Policies** settings that you can configure in [prov | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | | [AllowCopyPaste](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcopypaste) | Specify whether copy and paste is allowed. | | X | | | | -| [AllowCortana](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. | X | X | | | | +| [AllowCortana](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. | X | X | | X | | | [AllowDeviceDiscovery](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowdevicediscovery) | Allow users to turn device discovery on or off in the UI. | X | X | | | | | [AllowFindMyDevice](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowfindmydevice) | Turn on **Find my device** feature. | X | X | | | | -| [AllowManualMDMUnenrollment](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | X | X | | | | +| [AllowManualMDMUnenrollment](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. 
| X | X | | X | | | [AllowScreenCapture](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowscreencapture) | Specify whether screen capture is allowed. | | X | | | | | [AllowSIMErrorDialogPromptWhenNoSIM](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsimerrordialogpromptwhennosim) | Specify whether to display a dialog prompt when no SIM card is detected. | | X | | | | | [AllowSyncMySettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | X | X | | | | 
@@ -275,11 +284,33 @@ This section describes the **Policies** settings that you can configure in [prov | [AllowAdvancedGamingServices](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#games-allowadvancedgamingservices) | Currently not supported. | X | | | | | +## KioskBrowser + +These settings apply to the **Kiosk Browser** app available in Microsoft Store. For more information, see [Guidelines for web browsers](https://docs.microsoft.com/windows/configuration/guidelines-for-assigned-access-app#guidelines-for-web-browsers). + +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +[BlockedUrlExceptions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | X | | | | | +[BlockedUrls](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. | X | | | | | +[DefaultURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-defaulturl) | Configures the default URL kiosk browsers to navigate on launch and restart. | X | | | | | +[EnableHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablehomebutton) | Enable/disable kiosk browser's home button. | X | | | | | +[EnableNavigationButtons](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablenavigationbuttons) | Enable/disable kiosk browser's navigation buttons (forward/back). 
| X | | | | | +[RestartOnIdleTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-restartonidletime) | Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. | X | | | | | + +To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer: + +1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer. +2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18). +3. Insert the null character string in between each URL (e.g www.bing.comwww.contoso.com). +4. Save the XML file. +5. Open the project again in Windows Configuration Designer. +6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed. + ## Location | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [EnableLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#location-enablelocation) | Configure whether the the Location Service's Device Switch is enabled or disabled for the device. | X | X | | | | +| [EnableLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#location-enablelocation) | Configure whether the Location Service's Device Switch is enabled or disabled for the device. | X | X | | | | ## Privacy 
@@ -287,17 +318,19 @@ This section describes the **Policies** settings that you can configure in [prov | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | | [AllowAutoAcceptPairingAndPrivacyConsentPrompts](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-allowautoacceptpairingandprivacyconsentprompts) | Allow or disallow the automatic acceptance of the pairing and privacy user consent dialog boxes when launching apps. | | X | | | | -| [AllowInputPersonalization](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-allowinputpersonalization) | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps. | X | X | | | | +| [AllowInputPersonalization](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-allowinputpersonalization) | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps. | X | X | | X | | ## Search | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | +[AllowCloudSearch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch) | Allow search and Cortana to search cloud sources like OneDrive and SharePoint. T | X | X | | | | +[AllowCortanaInAAD](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-search#search-allowcortanainaad) | This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. 
| X | | | | | | [AllowIndexingEncryptedStoresOrItems](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | X | X | | | | -| [AllowSearchToUseLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. | X | X | | | | +| [AllowSearchToUseLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. | X | X | | X | | | [AllowUsingDiacritics](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-allowusingdiacritics) | Allow the use of diacritics. | X | X | | | | -| AllowWindowsIndexer | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To do this, it requires access to the file system and app data stores such as Outlook OST files.

                  - **Off** setting disables Windows indexer
                  - **EnterpriseSecure** setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP)
                  - **Enterprise** setting reduces potential network loads for enterprises
                  - **Standard** setting is appropriate for consuemrs | X | X | | | | +| [AllowWindowsIndexer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-search#search-allowwindowsindexer) | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To do this, it requires access to the file system and app data stores such as Outlook OST files.

                  - **Off** setting disables Windows indexer
                  - **EnterpriseSecure** setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP)
                  - **Enterprise** setting reduces potential network loads for enterprises
                  - **Standard** setting is appropriate for consuemrs | X | X | | | | | [AlwaysUseAutoLangDetection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-alwaysuseautolangdetection) | Specify whether to always use automatic language detection when indexing content and properties. | X | X | | | | | [DisableBackoff](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-disablebackoff) | If enabled, the search indexer backoff feature will be disabled. | X | X | | | | | [DisableRemovableDriveIndexing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-disableremovabledriveindexing) | Configure whether locations on removable drives can be added to libraries. | X | X | | | | 
@@ -311,12 +344,12 @@ This section describes the **Policies** settings that you can configure in [prov | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAddProvisioningPackage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowaddprovisioningpackage) | Specify whether to allow installation of provisioning packages. | X | X | X | X | X | +| [AllowAddProvisioningPackage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowaddprovisioningpackage) | Specify whether to allow installation of provisioning packages. | X | X | X | | X | | [AllowManualRootCertificateInstallation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowmanualrootcertificateinstallation) | Specify whether the user is allowed to manually install root and intermediate CA certificates. | | X | | | | -| [AllowRemoveProvisioningPackage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowremoveprovisioningpackage) | Specify whether removal of provisioning packages is allowed. | X | X | X | X | X | +| [AllowRemoveProvisioningPackage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowremoveprovisioningpackage) | Specify whether removal of provisioning packages is allowed. | X | X | X | | X | | [AntiTheftMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-antitheftmode) | Allow or disallow Anti Theft Mode on the device. 
| | X | | | | | [RequireDeviceEncryption](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-requiredeviceencryption) | Specify whether encryption is required. | X | X | X | X | X | -| [RequireProvisioningPackageSignature](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-requireprovisioningpackagesignature) | Specify whether provisioning packages must have a certificate signed by a device-trusted authority. | X | X | X | X | X | +| [RequireProvisioningPackageSignature](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-requireprovisioningpackagesignature) | Specify whether provisioning packages must have a certificate signed by a device-trusted authority. | X | X | X | | X | | [RequireRetrieveHealthCertificateOnBoot](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-requireretrievehealthcertificateonboot) | Specify whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service when a device boots or reboots. | X | X | | | | ## Settings 
@@ -325,7 +358,7 @@ This section describes the **Policies** settings that you can configure in [prov | --- | --- | :---: | :---: | :---: | :---: | :---: | | [AllowAutoPlay](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowautoplay) | Allow the user to change AutoPlay settings. | | X | | | | | [AllowDataSense](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. | | X | | | | -| [AllowVPN](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | X | | | | +| [AllowVPN](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | X | | X | | | [ConfigureTaskbarCalendar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | X | | | | | [PageVisiblityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) | Allows IT admins to prevent specific pages in the System Settings app from being visible or accessible. Pages are identified by a shortened version of their already [published URIs](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference), which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. | X | | | | | 
@@ -343,6 +376,7 @@ This section describes the **Policies** settings that you can configure in [prov
 | [AllowPinnedFolderPictures](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) | Control the visibility of the Pictures shortcut on the Start menu. | X | | | | |
 | [AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | Control the visibility of the Settings shortcut on the Start menu. | X | | | | |
 | [AllowPinnedFolderVideos](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) |Control the visibility of the Videos shortcut on the Start menu. | X | | | | | 
+DisableContextMenus | Prevent context menus from being invoked in the Start menu. | X | | | | |
 | [ForceStartSize](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | X | | | | |
 | [HideAppList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. | X | | | | |
 | [HideChangeAccountSettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | X | | | | | 
@@ -368,12 +402,14 @@ This section describes the **Policies** settings that you can configure in [prov | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | | [AllowBuildPreview](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowbuildpreview) | Specify whether users can access the Insider build controls in the **Advanced Options** for Windows Update. | X | X | | | | -| [AllowEmbeddedMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowembeddedmode) | Specify whether to set general purpose device to be in embedded mode. | X | X | X | X | X | +| [AllowEmbeddedMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowembeddedmode) | Specify whether to set general purpose device to be in embedded mode. | X | X | X | | X | | [AllowExperimentation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | X | X | | | | | [AllowLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowlocation) | Specify whether to allow app access to the Location service. | X | X | X | X | X | -| [AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. 
| X | X | X | X | X | -| [AllowTelemetry](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and usage data. | X | X | | | | +| [AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. | X | X | X | | X | +| [AllowTelemetry](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and usage data. | X | X | | X | | | [AllowUserToResetPhone](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | X | X | | | | +ConfigureTelemetryOptInChangeNotification | This policy setting determines whether a device shows notifications about telemetry levels to people on first sign-in or when changes occur in Settings. | X | X | | | | +ConfigureTelemetryOptInSettingsUx | This policy setting determines whether people can change their own telemetry levels in Settings | X | X | | | | | [DisableOneDriveFileSync](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | X | | | | | | [LimitEnhancedDiagnosticDataWindowsAnalytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. 
To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://go.microsoft.com/fwlink/?linkid=847594). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | X | X | | | | 
@@ -408,28 +444,28 @@ This section describes the **Policies** settings that you can configure in [prov | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [ActiveHoursEnd](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | X | X | X | X | X | -| [ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | X | X | X | X | X | -| [ActiveHoursStart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | X | X | X | X | X | -| [AllowautoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X | -| [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork)| Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | X | X | X | X | X | +| [ActiveHoursEnd](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. 
| X | X | X | | X | +| [ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | X | X | X | | X | +| [ActiveHoursStart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | X | X | X | | X | +| [AllowAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X | +| [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork)| Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | X | X | X | | X | | [AllowMUUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | X | X | X | X | X | -| [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. 
| X | X | X | X | X | +| [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | X | X | X | | X | | [AllowUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | X | X | X | X | X | -| [AutoRestartDeadlinePeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | X | X | -| [AutoRestartNotificationSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. | X | X | X | X | X | -| [AutoRestartRequiredNotificationDismissal](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | X | X | X | X | X | +| [AutoRestartDeadlinePeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. 
| X | X | X | | X | +| [AutoRestartNotificationSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. | X | X | X | | X | +| [AutoRestartRequiredNotificationDismissal](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | X | X | X | | X | | [BranchReadinessLevel](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | X | X | X | X | X | -| [DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | X | X | X | X | X | -| [DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | X | X | X | X | X | +| [DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | X | X | X | | X | +| [DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. 
| X | X | X | | X | | [DeferUpdatePeriod](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferupdateperiod) | Specify update delays for up to 4 weeks. | X | X | X | X | X | | [DeferUpgradePeriod](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferupgradeperiod) |Specify upgrade delays for up to 8 months. | X | X | X | X | X | | [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | X | X | X | X | X | -| [DisableDualScan](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Do not allow update deferral policies to cause scans against Windows Update. | X | X | X | X | X | -| [EngagedRestartDeadline](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | X | X | -| [EngagedRestartSnoozeSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | X | X | X | X | X | -| [EngagedRestartTransitionSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. 
| X | X | X | X | X | -| [FillEmptyContentUrls](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | X | X | X | X | X | +| [DisableDualScan](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Do not allow update deferral policies to cause scans against Windows Update. | X | X | X | | X | +| [EngagedRestartDeadline](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | | X | +| [EngagedRestartSnoozeSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | X | X | X | | X | +| [EngagedRestartTransitionSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | | X | +| [FillEmptyContentUrls](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | X | X | X | | X | | ManagePreviewBuilds | Use to enable or disable preview builds. 
| X | X | X | X | X | | PhoneUpdateRestrictions | Deprecated | | X | | | | | [RequireDeferUpgrade](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | X | X | X | X | X | 
@@ -440,10 +476,10 @@ This section describes the **Policies** settings that you can configure in [prov | [ScheduledInstallSecondWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek) | To schedule update installation the second week of the month, see the value as `1`. | X | X | X | X | X | | [ScheduledInstallThirdWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek) | To schedule update installation the third week of the month, see the value as `1`. | X | X | X | X | X | | [ScheduledInstallTime](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | X | X | X | X | X | -| [ScheduleImminentRestartWarning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | X | X | X | X | X || -| [ScheduleRestartWarning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | X | X | X | X | X | -| [SetAutoRestartNotificationDisable](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | X | X | X | X | X | -| [SetEDURestart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. 
| X | X | X | X | X | +| [ScheduleImminentRestartWarning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | X | X | X | | X || +| [ScheduleRestartWarning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | X | X | X | | X | +| [SetAutoRestartNotificationDisable](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | X | X | X | | X | +| [SetEDURestart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. | X | X | X | | X | | [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update. | X | X | X | X | X | | [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | X | X | X | X | X | diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md index 6cb6f9afbf..0f63fc68e7 100644 --- a/windows/configuration/wcd/wcd-provisioningcommands.md +++ b/windows/configuration/wcd/wcd-provisioningcommands.md 
@@ -7,12 +7,13 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
+ms.topic: article
 ms.date: 09/06/2017
 ---
 # ProvisioningCommands (Windows Configuration Designer reference)
-Use ProvisioningCommands settings to install Classic Windows apps using a provisioning package.
+Use ProvisioningCommands settings to install Windows desktop applications using a provisioning package.
 ## Applies to
diff --git a/windows/configuration/wcd/wcd-rcspresence.md b/windows/configuration/wcd/wcd-rcspresence.md
new file mode 100644
index 0000000000..ece81a2a9a
--- /dev/null
+++ b/windows/configuration/wcd/wcd-rcspresence.md
@@ -0,0 +1,30 @@
+---
+title: RcsPresence (Windows 10)
+description: This section describes the RcsPresence settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+ms.localizationpriority: medium
+ms.author: jdecker
+ms.topic: article
+ms.date: 04/30/2018
+---
+
+# RcsPresence (Windows Configuration Designer reference)
+
+Use these settings to configure RcsPresence.
+
+## Applies to
+
+| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | | X | | | |
+
+Setting | Description
+--- | ---
+BypassvideoCapabilities | Do not use.
+MaxWaitForCapabilitiesRequestInSeconds | Maximum number of seconds to wait for a Capabilities Request to complete.
+MinAvailabilityCacheInSeconds | Number of seconds to cache result of Capabilities Request per each number, to avoid excessive network requests.
+
+
diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md
index 91e6bc382b..8cc91e3ca4 100644
--- a/windows/configuration/wcd/wcd-sharedpc.md
+++ b/windows/configuration/wcd/wcd-sharedpc.md
@@ -7,6 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
+ms.topic: article
 ms.date: 10/16/2017
 ---
@@ -14,6 +15,8 @@ ms.date: 10/16/2017
 Use SharedPC settings to optimize Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail.
+
+
 ## Applies to
 | Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
diff --git a/windows/configuration/wcd/wcd-shell.md b/windows/configuration/wcd/wcd-shell.md
index c235c4d8e1..e1ba0a5685 100644
--- a/windows/configuration/wcd/wcd-shell.md
+++ b/windows/configuration/wcd/wcd-shell.md
@@ -7,6 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
+ms.topic: article
 ms.date: 09/06/2017
 ---
diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md
index fdc91f9f6c..a9e588a6f8 100644
--- a/windows/configuration/wcd/wcd-smisettings.md
+++ b/windows/configuration/wcd/wcd-smisettings.md
@@ -7,6 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
+ms.topic: article
 ms.date: 03/30/2018
 ---
@@ -92,7 +93,7 @@ When you **enable** KeyboardFilter, a number of other settings become available
 ## ShellLauncher settings
-Use ShellLauncher to specify the application or executable to use as the default custom shell. One use of ShellLauncher is to [create a kiosk (fixed-purpose) device running a Classic Windows application](https://docs.microsoft.com/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions#shell-launcher-for-classic-windows-applications).
+Use ShellLauncher to specify the application or executable to use as the default custom shell. One use of ShellLauncher is to [create a kiosk (fixed-purpose) device running a Windows desktop application](https://docs.microsoft.com/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions#shell-launcher-for-classic-windows-applications).
 >[!WARNING]
 >Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image.
diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md
index 97c6af5208..904711ae31 100644
--- a/windows/configuration/wcd/wcd-start.md
+++ b/windows/configuration/wcd/wcd-start.md
@@ -7,6 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
+ms.topic: article
 ms.date: 09/06/2017
 ---
@@ -26,7 +27,10 @@ Use Start settings to apply a customized Start screen to devices.
 ## StartLayout
-Use StartLayout to select the LayoutModification.xml file that applies a customized Start screen to a device.
+Use StartLayout to select the `LayoutModification.xml` file that applies a customized Start screen to a mobile device.
+
+>[!NOTE]
+>The XML file that defines the Start layout for Windows 10 Mobile must be named `LayoutModification.xml`. For more information, see [Start layout XML for mobile editions of Windows 10 ](../mobile-devices/lockdown-xml.md)).
diff --git a/windows/configuration/wcd/wcd-startupapp.md b/windows/configuration/wcd/wcd-startupapp.md
index 510db01214..79d6d0234d 100644
--- a/windows/configuration/wcd/wcd-startupapp.md
+++ b/windows/configuration/wcd/wcd-startupapp.md
@@ -7,6 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
+ms.topic: article
 ms.date: 09/06/2017
 ---
diff --git a/windows/configuration/wcd/wcd-startupbackgroundtasks.md b/windows/configuration/wcd/wcd-startupbackgroundtasks.md
index 8ebd2c7d1b..7288d82979 100644
--- a/windows/configuration/wcd/wcd-startupbackgroundtasks.md
+++ b/windows/configuration/wcd/wcd-startupbackgroundtasks.md
@@ -7,6 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
+ms.topic: article
 ms.date: 09/06/2017
 ---
diff --git a/windows/configuration/wcd/wcd-surfacehubmanagement.md b/windows/configuration/wcd/wcd-surfacehubmanagement.md
index 08a7ebf56f..0b2df57999 100644
--- a/windows/configuration/wcd/wcd-surfacehubmanagement.md
+++ b/windows/configuration/wcd/wcd-surfacehubmanagement.md
@@ -7,6 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
+ms.topic: article
 ms.date: 09/06/2017
 ---
diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md
index fa5f2811ac..3eb2ee43c6 100644
--- a/windows/configuration/wcd/wcd-tabletmode.md
+++ b/windows/configuration/wcd/wcd-tabletmode.md
@@ -7,7 +7,8 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 09/06/2017
+ms.topic: article
+ms.date: 04/30/2018
 ---
 # TabletMode (Windows Configuration Designer reference)
@@ -18,7 +19,7 @@ Use TabletMode to configure settings related to tablet mode.
 | Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | X | X | X | X | X |
+| All settings | X | X | X | | X |
 ## ConvertibleSlateModePromptPreference
diff --git a/windows/configuration/wcd/wcd-takeatest.md b/windows/configuration/wcd/wcd-takeatest.md
index ebcde22c71..e03db6ddda 100644
--- a/windows/configuration/wcd/wcd-takeatest.md
+++ b/windows/configuration/wcd/wcd-takeatest.md
@@ -7,6 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
+ms.topic: article
 ms.date: 09/06/2017
 ---
diff --git a/windows/configuration/wcd/wcd-textinput.md b/windows/configuration/wcd/wcd-textinput.md
index f37bea8555..505962070a 100644
--- a/windows/configuration/wcd/wcd-textinput.md
+++ b/windows/configuration/wcd/wcd-textinput.md
@@ -7,6 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
+ms.topic: article
 ms.date: 09/15/2017
 ---
diff --git a/windows/configuration/wcd/wcd-theme.md b/windows/configuration/wcd/wcd-theme.md
index d916af1dba..8c35de922d 100644
--- a/windows/configuration/wcd/wcd-theme.md
+++ b/windows/configuration/wcd/wcd-theme.md
@@ -7,6 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
+ms.topic: article
 ms.date: 09/06/2017
 ---
diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md
index d8fb020e8a..9102c70cbe 100644
--- a/windows/configuration/wcd/wcd-unifiedwritefilter.md
+++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md
@@ -7,6 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
+ms.topic: article
 ms.date: 09/06/2017
 ---
diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md
index a18abf5f59..9a9127182d 100644
--- a/windows/configuration/wcd/wcd-universalappinstall.md
+++ b/windows/configuration/wcd/wcd-universalappinstall.md
@@ -7,7 +7,8 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 10/09/2017
+ms.topic: article
+ms.date: 04/30/2018
 ---
 # UniversalAppInstall (reference)
diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md
index 5b860d2185..0d99231dba 100644
--- a/windows/configuration/wcd/wcd-universalappuninstall.md
+++ b/windows/configuration/wcd/wcd-universalappuninstall.md
@@ -7,6 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
+ms.topic: article
 ms.date: 09/14/2017
 ---
@@ -21,7 +22,7 @@ Use UniversalAppUninstall settings to uninstall or remove Windows apps.
 | Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | :---: | :---: | :---: | :---: | :---: |
 | [RemoveProvisionedApp](#removeprovisionedapp) | X | | | | |
-| [Uninstall](#uninstall) | X | X | X | X | X |
+| [Uninstall](#uninstall) | X | X | X | | X |
 ## RemoveProvisionedApp
diff --git a/windows/configuration/wcd/wcd-usberrorsoemoverride.md b/windows/configuration/wcd/wcd-usberrorsoemoverride.md
index cd08ba4359..d59c223809 100644
--- a/windows/configuration/wcd/wcd-usberrorsoemoverride.md
+++ b/windows/configuration/wcd/wcd-usberrorsoemoverride.md
@@ -7,6 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
+ms.topic: article
 ms.date: 09/14/2017
 ---
diff --git a/windows/configuration/wcd/wcd-weakcharger.md b/windows/configuration/wcd/wcd-weakcharger.md
index 04bb9e13f5..19ec5a2ffd 100644
--- a/windows/configuration/wcd/wcd-weakcharger.md
+++ b/windows/configuration/wcd/wcd-weakcharger.md
@@ -7,7 +7,8 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 09/06/2017
+ms.topic: article
+ms.date: 04/30/2018
 ---
 # WeakCharger (reference)
@@ -20,8 +21,8 @@ Use WeakCharger settings to configure the charger notification UI.
 | Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | :---: | :---: | :---: | :---: | :---: |
-| [HideWeakChargerNotifyOptionUI](#hideweakchargernotifyoptionui) | X | X | X | X | |
-| [NotifyOnWeakCharger](#notifyonweakcharger) | X | X | X | X | |
+| [HideWeakChargerNotifyOptionUI](#hideweakchargernotifyoptionui) | X | X | X | | |
+| [NotifyOnWeakCharger](#notifyonweakcharger) | X | X | X | | |
 ## HideWeakChargerNotifyOptionUI
diff --git a/windows/configuration/wcd/wcd-windowshelloforbusiness.md b/windows/configuration/wcd/wcd-windowshelloforbusiness.md
new file mode 100644
index 0000000000..0a2c9c16eb
--- /dev/null
+++ b/windows/configuration/wcd/wcd-windowshelloforbusiness.md
@@ -0,0 +1,33 @@
+---
+title: WindowsHelloForBusiness (Windows 10)
+description: This section describes the Windows Hello for Business settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+ms.localizationpriority: medium
+ms.author: jdecker
+ms.topic: article
+ms.date: 07/19/2018
+---
+
+# WindowsHelloForBusiness (Windows Configuration Designer reference)
+
+>[!WARNING]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+Use WindowsHelloForBusiness settings to specify whether [FIDO2 security keys for Windows Hello](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/) can be used to sign in to Windows on a device configured for [Shared PC mode](wcd-sharedpc.md).
+
+## Applies to
+
+| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| [SecurityKeys](#securitykeys) | X | | | | |
+
+## SecurityKeys
+
+Select the desired value:
+
+- `0`: security keys for Windows Hello are disabled.
+- `1`: security keys for Windows Hello are enabled on [Shared PCs](wcd-sharedpc.md).
diff --git a/windows/configuration/wcd/wcd-windowsteamsettings.md b/windows/configuration/wcd/wcd-windowsteamsettings.md
index 2cdf863196..038fb15ffa 100644
--- a/windows/configuration/wcd/wcd-windowsteamsettings.md
+++ b/windows/configuration/wcd/wcd-windowsteamsettings.md
@@ -7,7 +7,8 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 09/06/2017
+ms.topic: article
+ms.date: 04/30/2018
 ---
 # WindowsTeamSettings (reference)
@@ -48,6 +49,11 @@ A device account is a Microsoft Exchange account that is connected with Skype fo
 | UserPrincipalName | User principal name (UPN) | To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account. |
 | ValidateAndCommit | Any text | Validates the data provided and then commits the changes. This process occurs automatically after the other DeviceAccount settings are applied. The text you enter for the ValidateAndCommit setting doesn't matter. |
+## Dot3
+
+Use these settings to configure 802.1x wired authentication. For details, see [Enable 802.1x wired authentication](https://docs.microsoft.com/surface-hub/enable-8021x-wired-authentication).
+
+
 ## FriendlyName
diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md
index f584777f6d..546e98f694 100644
--- a/windows/configuration/wcd/wcd-wlan.md
+++ b/windows/configuration/wcd/wcd-wlan.md
@@ -7,7 +7,8 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 09/06/2017
+ms.topic: article
+ms.date: 04/30/2018
 ---
 # WLAN (reference)
@@ -20,5 +21,5 @@ Do not use at this time. Instead, use [ConnectivityProfiles > WLAN](wcd-connecti
 | Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | | | | X | |
+| All settings | | | | | |
diff --git a/windows/configuration/wcd/wcd-workplace.md b/windows/configuration/wcd/wcd-workplace.md
index 553b4f2688..c61d5cc3d3 100644
--- a/windows/configuration/wcd/wcd-workplace.md
+++ b/windows/configuration/wcd/wcd-workplace.md
@@ -7,7 +7,8 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 09/06/2017
+ms.topic: article
+ms.date: 04/30/2018
 ---
 # Workplace (reference)
@@ -19,7 +20,7 @@ Use Workplace settings to configure bulk user enrollment to a mobile device mana | Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | -| [Enrollments](#enrollments) | X | X | X | X | X | +| [Enrollments](#enrollments) | X | X | X | | X | ## Enrollments @@ -31,7 +32,7 @@ Select **Enrollments**, enter a UPN, and then click **Add** to configure the set | DiscoveryServiceFullUrl | URL | The full URL for the discovery service | | EnrollmentServiceFullUrl | URL | The full URL for the enrollment service | | PolicyServiceFullUrl | URL | The full URL for the policy service | -| Secret | - Password string for on-premise authentication enrollment
                  - Federated security token for federated enrollment
                  - Certificate thumb print for certificate-based enrollment | Enter the appropriate value for the selected AuthPolicy | +| Secret | - Password string for on-premises authentication enrollment
                  - Federated security token for federated enrollment
                  - Certificate thumb print for certificate-based enrollment | Enter the appropriate value for the selected AuthPolicy | ## Related topics diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md index a3d503fd08..57c84d177d 100644 --- a/windows/configuration/wcd/wcd.md +++ b/windows/configuration/wcd/wcd.md @@ -7,7 +7,8 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 10/09/2017 +ms.topic: article +ms.date: 07/19/2018 --- # Windows Configuration Designer provisioning settings (reference) @@ -18,6 +19,7 @@ This section describes the settings that you can configure in [provisioning pack | Setting group | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | +[AccountManagement](wcd-accountmanagement.md) | | | | X | | | [Accounts](wcd-accounts.md) | X | X | X | X | X | | [ADMXIngestion](wcd-admxingestion.md) | X | | | | | | [ApplicationManagement](wcd-applicationmanagement.md) | | | | | X | @@ -60,6 +62,7 @@ This section describes the settings that you can configure in [provisioning pack | [Personalization](wcd-personalization.md) | X | | | | | | [Policies](wcd-policies.md) | X | X | X | X | X | | [ProvisioningCommands](wcd-provisioningcommands.md) | X | | | | | +[RcsPresence](wcd-rcspresence.md) | | X | | | | | [SharedPC](wcd-sharedpc.md) | X | | | | | | [Shell](wcd-shell.md) | | X | | | | | [SMISettings](wcd-smisettings.md) | X | | | | | 
@@ -71,10 +74,11 @@ This section describes the settings that you can configure in [provisioning pack | [TakeATest](wcd-takeatest.md) | X | | | | | | [TextInput](wcd-textinput.md) | | X | | | | | [Theme](wcd-theme.md) | | X | | | | -| [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | X | | | | | +| [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | X | | | | X | | [UniversalAppInstall](wcd-universalappinstall.md) | X | X | X | X | X | | [UniversalAppUninstall](wcd-universalappuninstall.md) | X | X | X | X | X | | [WeakCharger](wcd-weakcharger.md) |X | X | X | X | | +| [WindowsHelloForBusiness](wcd-windowshelloforbusiness.md) | X | | | | | | [WindowsTeamSettings](wcd-windowsteamsettings.md) | | | X | | | | [WLAN](wcd-wlan.md) | | | | X | | | [Workplace](wcd-workplace.md) |X | X | X | X | X | diff --git a/windows/configuration/windows-10-accessibility-for-ITPros.md b/windows/configuration/windows-10-accessibility-for-ITPros.md index 62dae40b01..cfce2db48a 100644 --- a/windows/configuration/windows-10-accessibility-for-ITPros.md +++ b/windows/configuration/windows-10-accessibility-for-ITPros.md @@ -1,11 +1,13 @@ --- title: Windows 10 accessibility information for IT Pros (Windows 10) -description: +description: Lists the various accessibility features available in Windows 10 with links to detailed guidance on how to set them +keywords: accessibility, settings, vision, hearing, physical, cognition, assistive ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library +ms.author: jaimeo author: jaimeo -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 01/12/2018 --- diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index 615d0cdf01..54b19bb5d6 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md 
@@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -ms.localizationpriority: high -ms.date: 10/31/2017 +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium +ms.date: 06/19/2018 --- # Manage Windows 10 Start and taskbar layout @@ -27,7 +29,9 @@ Organizations might want to deploy a customized Start and taskbar configuration > >Start and taskbar configuration can be applied to devices running Windows 10 Pro, version 1703. > ->Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/library/jj649079.aspx). +>For information on using the layout modification XML to configure Start with roaming user profiles, see [Deploy Roaming User Profiles](https://docs.microsoft.com/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs). +> +>Using CopyProfile for Start menu customization in Windows 10 isn't supported. For more information [Customize the Default User Profile by Using CopyProfile](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile) @@ -47,7 +51,7 @@ The following table lists the different parts of Start and any applicable policy | User tile | MDM: **Start/HideUserTile**
                  **Start/HideSwitchAccount**
                  **Start/HideSignOut**
                  **Start/HideLock**
                  **Start/HideChangeAccountSettings**

                  Group Policy: **Remove Logoff on the Start menu** | none | | Most used | MDM: **Start/HideFrequentlyUsedApps**

                  Group Policy: **Remove frequent programs from the Start menu** | **Settings** > **Personalization** > **Start** > **Show most used apps** | | Suggestions
                  -and-
                  Dynamically inserted app tile | MDM: **Allow Windows Consumer Features**

                  Group Policy: **Computer Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences**

                  **Note:** This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu. | **Settings** > **Personalization** > **Start** > **Occasionally show suggestions in Start** | -| Recently added | MDM: **Start/HideRecentlyAddedApps** | **Settings** > **Personalization** > **Start** > **Show recently added apps** | +| Recently added | MDM: **Start/HideRecentlyAddedApps**
                  Group Policy: **Computer configuration**\\**Administrative Template**\\**Start Menu and Taskbar**\\**Remove "Recently Added" list from Start Menu** (for Windows 10, version 1803) | **Settings** > **Personalization** > **Start** > **Show recently added apps** | | Pinned folders | MDM: **AllowPinnedFolder** | **Settings** > **Personalization** > **Start** > **Choose which folders appear on Start** | | Power | MDM: **Start/HidePowerButton**
                  **Start/HideHibernate**
                  **Start/HideRestart**
                  **Start/HideShutDown**
                  **Start/HideSleep**

                  Group Policy: **Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands** | none | | Start layout | MDM: **Start layout**
                  **ImportEdgeAssets**

                  Group Policy: **Prevent users from customizing their Start screen**

                  **Note:** When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own.

                  **Start layout** policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar. | none | @@ -107,6 +111,16 @@ The new taskbar layout for upgrades to Windows 10, version 1607 or later, will a [Learn how to configure Windows 10 taskbar](configure-windows-10-taskbar.md). +## Start layout configuration errors + +If your Start layout customization is not applied as expected, open **Event Viewer** and navigate to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**, and check for one of the following events: + +- **Event 22** is logged when the xml is malformed, meaning the specified file simply isn’t valid xml. This can occur if the file has extra spaces or unexpected characters, or if the file is not saved in the UTF8 format. +- **Event 64** is logged when the xml is valid, but has unexpected values. This can happen when the desired configuration is not understood or source is not found such as a missing or misspelled .lnk. + + + + ## Related topics diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index 6e1b327c7d..09a31768aa 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/windows-spotlight.md @@ -7,8 +7,10 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: jdeckerms -ms.localizationpriority: high -ms.date: 01/26/2018 +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium +ms.date: 04/30/2018 --- # Configure Windows Spotlight on the lock screen 
@@ -64,6 +66,8 @@ Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mo | **Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Spotlight on Action Center** | **Experience/Allow Windows Spotlight On Action Center** | Turn off Suggestions from Microsoft that show after each clean install, upgrade, or on an on-going basis to introduce users to what is new or changed | Windows 10 Enterprise and Education, version 1703 | | **User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Do not use diagnostic data for tailored experiences** | **Experience/Allow Tailored Experiences With Diagnostic Data** | Prevent Windows from using diagnostic data to provide tailored experiences to the user | Windows 10 Pro, Enterprise, and Education, version 1703 | | **User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Welcome Experience** | **Experience/Allow Windows Spotlight Windows Welcome Experience** | Turn off the Windows Spotlight Windows Welcome experience which helps introduce users to Windows, such as launching Microsoft Edge with a web page highlighting new features | Windows 10 Enterprise and Education, version 1703 | +**User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Spotlight on Settings** | **Experience/Allow Windows Spotlight on Settings** | Turn off the Windows Spotlight in the Settings app. | Windows 10 Enterprise and Education, version 1803 | + In addition to the specific policy settings for Windows Spotlight, administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index 4c793ea5fb..80adf12056 100644 
--- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -19,10 +19,9 @@ ## [Deploy Windows 10](deploy.md) -### [Overview of Windows AutoPilot](windows-autopilot/windows-10-autopilot.md) - +### [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) +### [Windows 10 in S mode](windows-10-pro-in-s-mode.md) ### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) -#### [Windows 10 downgrade paths](upgrade/windows-10-downgrade-paths.md) ### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) ### [Windows 10 volume license media](windows-10-media.md) @@ -213,6 +212,7 @@ ## [Update Windows 10](update/index.md) ### [Quick guide to Windows as a service](update/waas-quick-start.md) +#### [Servicing stack updates](update/servicing-stack-updates.md) ### [Overview of Windows as a service](update/waas-overview.md) ### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md) ### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md) 
@@ -220,6 +220,10 @@ ### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md) #### [Configure Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md) #### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md) +### [Best practices for feature updates on mission-critical devices](update/feature-update-mission-critical.md) +#### [Deploy feature updates during maintenance windows](update/feature-update-maintenance-window.md) +#### [Deploy feature updates for user-initiated installations](update/feature-update-user-install.md) +#### [Conclusion](update/feature-update-conclusion.md) ### [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md) ### [Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md) #### [Configure Windows Update for Business](update/waas-configure-wufb.md) @@ -231,10 +235,6 @@ ### [Manage device restarts after updates](update/waas-restart.md) ### [Manage additional Windows Update settings](update/waas-wu-settings.md) ### [Determine the source of Windows updates](update/windows-update-sources.md) -### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md) -#### [Introduction to the Windows Insider Program for Business](update/WIP4Biz-intro.md) -#### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md) -#### [Olympia Corp enrollment](update/olympia/olympia-enrollment-guidelines.md) ### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md) ## [Windows Analytics](update/windows-analytics-overview.md) 
@@ -250,6 +250,7 @@ ##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md) ##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md) ##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md) +##### [Targeting a new operating system version](upgrade/upgrade-readiness-target-new-OS.md) ### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md) #### [Get started with Update Compliance](update/update-compliance-get-started.md) #### [Use Update Compliance](update/update-compliance-using.md) diff --git a/windows/deployment/Windows-AutoPilot-EULA-note.md b/windows/deployment/Windows-AutoPilot-EULA-note.md index 941c15911e..a785de935e 100644 --- a/windows/deployment/Windows-AutoPilot-EULA-note.md +++ b/windows/deployment/Windows-AutoPilot-EULA-note.md @@ -1,11 +1,11 @@ --- title: Windows Autopilot EULA dismissal – important information -description: A notice about EULA dismissal through Windows AutoPilot +description: A notice about EULA dismissal through Windows Autopilot ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -ms.localizationpriority: high +ms.localizationpriority: medium ms.author: mayam ms.date: 08/22/2017 ROBOTS: noindex,nofollow diff --git a/windows/deployment/add-store-apps-to-image.md b/windows/deployment/add-store-apps-to-image.md index d1d2c2298e..7cd746c7c7 100644 --- a/windows/deployment/add-store-apps-to-image.md +++ b/windows/deployment/add-store-apps-to-image.md @@ -4,7 +4,7 @@ description: This topic describes how to add Microsoft Store for Business applic keywords: upgrade, update, windows, windows 10, deploy, store, image, wim ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy author: DaniHalfin 
diff --git a/windows/deployment/change-history-for-deploy-windows-10.md b/windows/deployment/change-history-for-deploy-windows-10.md index f189dd0f7c..08d10e29c7 100644 --- a/windows/deployment/change-history-for-deploy-windows-10.md +++ b/windows/deployment/change-history-for-deploy-windows-10.md @@ -38,7 +38,7 @@ New or changed topic | Description ## June 2017 | New or changed topic | Description | |----------------------|-------------| -| [Overview of Windows AutoPilot](windows-autopilot/windows-10-autopilot.md) | New | +| [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) | New | ## April 2017 | New or changed topic | Description | diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md index 2a11c18c46..c7de8c5957 100644 --- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md @@ -4,7 +4,7 @@ description: This topic describes how to configure a PXE server to load Windows keywords: upgrade, update, windows, windows 10, pxe, WinPE, image, wim ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy author: greg-lindsay diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 55b47713be..f2c43e0b7a 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -4,10 +4,10 @@ description: Steps to deploy Windows 10 Enterprise licenses for Windows 10 Enter keywords: upgrade, update, task sequence, deploy ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt -ms.date: 10/18/2017 +ms.date: 05/25/2018 author: greg-lindsay --- 
@@ -15,8 +15,20 @@ author: greg-lindsay This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). ->Note: Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.
                  +>[!NOTE] +>Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.
                  >Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
                  +>Automatic, non-KMS activation requires Windows 10, version 1803 or later on a device with a firmware-embedded activation key.
                  + +## Firmware-embedded activation key + +To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt + +``` +(Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey +``` + +If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device does not have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key. ## Enabling Subscription Activation with an existing EA @@ -82,7 +94,7 @@ The following methods are available to assign licenses: ## Explore the upgrade experience -Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, version 1703 edition to Windows 10 Enterprise edition. So what will the users experience? How will they upgrade their devices? +Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10 Enterprise. What will the users experience? How will they upgrade their devices? ### Step 1: Join Windows 10 Pro devices to Azure AD 
@@ -135,15 +147,17 @@ Now the device is Azure AD joined to the company’s subscription. Now the device is Azure AD joined to the company’s subscription. -### Step 2: Verify that Pro edition is activated +### Step 2: Pro edition activation -Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**. +>[!IMPORTANT] +>If the device is running Windows 10, version 1803 or later, this step is no longer necessary when there is a firmware-embedded activation key on the device. Starting with Windows 10, version 1803 the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key.
                  +>If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**. Windows 10 Pro activated
                  **Figure 7a - Windows 10 Pro activation in Settings**
                  -Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled. +Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). ### Step 3: Sign in using Azure AD account @@ -176,7 +190,7 @@ Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscr In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows: -- The existing Windows 10 Pro, version 1703 operating system is not activated. +- The existing Windows 10 Pro, version 1703 or 1709 operating system is not activated. This problem does not apply to Windows 10, version 1803 or later. - The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed. @@ -226,4 +240,4 @@ Devices must be running Windows 10 Pro, version 1703, and be Azure Active Direct A popup window will display the Windows 10 version number and detailed OS build information. - If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. \ No newline at end of file + If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index 2fbc7cfda4..ded250b312 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, mdt, sccm, M365 -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/23/2018 author: greg-lindsay --- 
@@ -23,7 +23,7 @@ This topic provides a brief overview of Microsoft 365 and describes how to use a For Windows 10 deployment, Microsoft 365 includes a fantasic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including: -- Windows AutoPilot +- Windows Autopilot - In-place upgrade - Deploying Windows 10 upgrade with Intune - Deploying Windows 10 upgrade with System Center Configuration Manager diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index ae7ed25a99..8cde17231e 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -3,7 +3,7 @@ title: What's new in Windows 10 deployment description: Changes and new features related to Windows 10 deployment keywords: deployment, automate, tools, configure, news ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium ms.prod: w10 ms.sitesec: library ms.pagetype: deploy 
@@ -36,11 +36,11 @@ For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterpris ## Deployment solutions and tools -### Windows AutoPilot +### Windows Autopilot -Windows AutoPilot streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows AutoPilot to reset, repurpose and recover devices. +Windows Autopilot streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices. -Windows AutoPilot joins devices to Azure Active Directory (Azure AD), optionally enrolls into MDM services, configures security policies, and sets a custom out-of-box-experience (OOBE) for the end user. For more information, see [Overview of Windows AutoPilot](windows-autopilot/windows-10-autopilot.md). +Windows Autopilot joins devices to Azure Active Directory (Azure AD), optionally enrolls into MDM services, configures security policies, and sets a custom out-of-box-experience (OOBE) for the end user. For more information, see [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md). ### Upgrade Readiness diff --git a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md index 4a743e6537..9847ffdb4c 100644 --- a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md +++ b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md @@ -5,10 +5,10 @@ ms.assetid: d82902e4-de9c-4bc4-afe0-41d649b83ce7 keywords: settings, database, deploy ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt -author: mtniehaus +author: greg-lindsay ms.date: 07/27/2017 --- 
diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
index a32404e3da..74fe0ef00d 100644
--- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
+++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
@@ -5,10 +5,10 @@ ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c
 keywords: replication, replicate, deploy, configure, remote
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: mdt
-author: mtniehaus
+author: greg-lindsay
 ms.date: 07/27/2017
 ---
 
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
index 25636437d5..4613b4654e 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
@@ -5,10 +5,10 @@ ms.assetid: b5ce2360-33cc-4b14-b291-16f75797391b
 keywords: rules, configuration, automate, deploy
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: mdt
-author: mtniehaus
+author: greg-lindsay
 ms.date: 07/27/2017
 ---
 
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
index 1d3d9e51d3..6c1a0b4c2b 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
@@ -5,10 +5,10 @@ ms.assetid: 29a421d1-12d2-414e-86dc-25b62f5238a7
 keywords: rules, script
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: mdt
-author: mtniehaus
+author: greg-lindsay
 ms.date: 07/27/2017
 ---
 
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
index 3e966ca9c1..e55f00f343 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
@@ -5,10 +5,10 @@ ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122
 keywords: customize, customization, deploy, features, tools
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: mdt
-author: mtniehaus
+author: greg-lindsay
 ms.date: 07/27/2017
 ---
 
diff --git a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
index 522071bd52..7afd5d0100 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
@@ -5,10 +5,10 @@ ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98
 keywords: deploy, upgrade, task sequence, install
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.pagetype: mdt
 ms.sitesec: library
-author: mtniehaus
+author: greg-lindsay
 ms.date: 07/27/2017
 ---
 
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index 626dd39323..3e14e9d06e 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -5,7 +5,7 @@ ms.assetid: 9da2fb57-f2ff-4fce-a858-4ae4c237b5aa
 keywords: deploy, deployment, configure, customize, install, installation
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: mdt
 author: greg-lindsay
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index d3ae97f74b..4702f27f80 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -5,10 +5,10 @@ ms.assetid: 1d70a3d8-1b1d-4051-b656-c0393a93f83c
 keywords: deployment, automate, tools, configure
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: mdt
-author: mtniehaus
+author: greg-lindsay
 ms.date: 10/16/2017
 ---
 
@@ -634,7 +634,7 @@ Follow these steps to create a bootable USB stick from the offline media content ## Unified Extensible Firmware Interface (UEFI)-based deployments -As referenced in [Windows 10 deployment tools](https://go.microsoft.com/fwlink/p/?LinkId=619546), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you have an UEFI-based machine and creates the partitions UEFI requires. You do not need to update or change your task sequences in any way to accommodate UFEI. +As referenced in [Windows 10 deployment tools](https://go.microsoft.com/fwlink/p/?LinkId=619546), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you have an UEFI-based machine and creates the partitions UEFI requires. You do not need to update or change your task sequences in any way to accommodate UEFI. ![figure 14](../images/mdt-07-fig16.png) diff --git a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md index 5a03190d0c..ead86741f5 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md @@ -5,9 +5,9 @@ ms.assetid: 837f009c-617e-4b3f-9028-2246067ee0fb keywords: deploy, tools, configure, script ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium ms.sitesec: library -author: mtniehaus +author: greg-lindsay ms.pagetype: mdt ms.date: 10/16/2017 --- 
diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
index ecaf35658c..f1916dac85 100644
--- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
@@ -5,10 +5,10 @@ ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee
 keywords: deploy, image, feature, install, tools
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: mdt
-author: mtniehaus
+author: greg-lindsay
 ms.date: 07/27/2017
 ---
 
diff --git a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
index 06d29a04b6..2b1134f4f4 100644
--- a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
@@ -5,10 +5,10 @@ ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5
 ms.pagetype: mdt
 keywords: deploy, image, customize, task sequence
 ms.prod: w10
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.sitesec: library
-author: mtniehaus
+author: greg-lindsay
 ms.date: 07/27/2017
 ---
 
diff --git a/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md b/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md
index 9e5135e314..ed7ddad986 100644
--- a/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md
@@ -5,10 +5,10 @@ ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868
 keywords: deploy, feature, tools, upgrade, migrate, provisioning
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: mdt
-author: mtniehaus
+author: greg-lindsay
 ms.date: 07/27/2017
 ---
diff --git a/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md b/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md
index 6222b6f030..6338e8cc72 100644
--- a/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md
+++ b/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md
@@ -5,10 +5,10 @@ ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089
 keywords: deploy, install, deployment, boot, log, monitor
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: mdt
-author: mtniehaus
+author: greg-lindsay
 ms.date: 07/27/2017
 ---
diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index 8b683b7980..7ef19268fd 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -5,10 +5,10 @@ ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226
 keywords: deploy, system requirements
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: mdt
-author: mtniehaus
+author: greg-lindsay
 ms.date: 07/27/2017
 ---
diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
index cf0457a3f4..8a6dc1f6f9 100644
--- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
+++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
@@ -5,10 +5,10 @@ ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f
 keywords: reinstallation, customize, template, script, restore
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: mdt
-author: mtniehaus
+author: greg-lindsay
 ms.date: 07/27/2017
 ---
diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
index 974dd2dd1a..a6c42ca4b4 100644
--- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
+++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
@@ -5,10 +5,10 @@ ms.assetid: acf091c9-f8f4-4131-9845-625691c09a2a
 keywords: deploy, deployment, replace
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: mdt
-author: mtniehaus
+author: greg-lindsay
 ms.date: 07/27/2017
 ---
diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
index 889d6c2585..6b826df394 100644
--- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
+++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
@@ -5,10 +5,10 @@ description:
 keywords: disk, encryption, TPM, configure, secure, script
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: mdt
-author: mtniehaus
+author: greg-lindsay
 ms.date: 07/27/2017
 ---
diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md index 7729c54618..88c9fa4845 100644 --- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md +++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md @@ -5,10 +5,10 @@ ms.assetid: 2de86c55-ced9-4078-b280-35e0329aea9c keywords: deploy, script ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt -author: mtniehaus +author: greg-lindsay ms.date: 07/27/2017 --- diff --git a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md index a0a50f8ebc..a45ba94242 100644 --- a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md @@ -5,10 +5,10 @@ ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f keywords: web services, database ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt -author: mtniehaus +author: greg-lindsay ms.date: 07/27/2017 --- @@ -169,7 +169,6 @@ Figure 32. The ready-made task sequence. [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) - [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) [Use web services in MDT](use-web-services-in-mdt.md) 
diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
index 00b6ccc992..cc70fc97bd 100644
--- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
+++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
@@ -6,9 +6,9 @@ ms.pagetype: mdt
 keywords: database, permissions, settings, configure, deploy
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
-author: mtniehaus
+author: greg-lindsay
 ms.date: 07/27/2017
 ---
diff --git a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
index 2e184f00e8..34b293060a 100644
--- a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
@@ -5,10 +5,10 @@ ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522
 keywords: deploy, web apps
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.pagetype: mdt
 ms.sitesec: library
-author: mtniehaus
+author: greg-lindsay
 ms.date: 07/27/2017
 ---
diff --git a/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
index 7ff329f908..4709a89520 100644
--- a/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
@@ -5,7 +5,7 @@ ms.assetid: 77f769cc-1a47-4f36-8082-201cd77b8d3b
 keywords: image, deploy, distribute
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 author: mtniehaus
 ms.date: 07/27/2017
diff --git a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
index 00a014c189..fb0564fa07 100644
--- a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
@@ -4,7 +4,7 @@ description: In this topic, you will learn how to configure the Windows Preinsta
 ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c
 keywords: deploy, task sequence
 ms.prod: w10
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
index 65be93e28c..fbae53450a 100644
--- a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -5,7 +5,7 @@ ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809
 keywords: tool, customize, deploy, boot image
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 author: mtniehaus
 ms.date: 07/27/2017
diff --git a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
index 2bd2807d8b..84cb6aa51b 100644
--- a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
@@ -4,7 +4,7 @@ description: Microsoft System Center 2012 R2 Configuration Manager supports depl
 ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c
 keywords: deployment, task sequence, custom, customize
 ms.prod: w10
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
index 9e891e7b54..3a76b241e6 100644
--- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
@@ -5,7 +5,7 @@ ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa
 keywords: deployment, image, UEFI, task sequence
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 author: mtniehaus
 ms.date: 07/27/2017
diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
index a60eef6027..b326586cf3 100644
--- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
@@ -4,7 +4,7 @@ description: If you have Microsoft System Center 2012 R2 Configuration Manager
 ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363
 keywords: deployment, custom, boot
 ms.prod: w10
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
index 17e8b49555..287279e92d 100644
--- a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
@@ -4,7 +4,7 @@ description: This topic walks you through the steps to finalize the configuratio
 ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e
 keywords: configure, deploy, upgrade
 ms.prod: w10
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
index 682e8df37a..1f96c78273 100644
--- a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
@@ -5,7 +5,7 @@ ms.assetid: 4863c6aa-6369-4171-8e1a-b052ca195fce
 keywords: deploy, upgrade
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 author: mtniehaus
 ms.date: 07/27/2017
diff --git a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
index f9e56afc51..21491d5029 100644
--- a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -4,7 +4,7 @@ description: This topic will walk you through the process of integrating Microso
 ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08
 keywords: install, configure, deploy, deployment
 ms.prod: w10
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 1634b4cb97..92ef33ca52 100644
--- a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -5,7 +5,7 @@ ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7
 keywords: upgrade, install, installation, computer refresh
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 author: mtniehaus
 ms.date: 07/27/2017
diff --git a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 3168bbcccf..0ebf3c3fc2 100644
--- a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -5,7 +5,7 @@ ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36
 keywords: upgrade, install, installation, replace computer, setup
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 author: mtniehaus
 ms.date: 07/27/2017
@@ -22,7 +22,7 @@ ms.date: 07/27/2017 >For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). >Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). -In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft System Center 2012 R2 Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the machine, you have to run the backup job separately from the deployment of Windows 10. +In this topic, you will learn how to replace a Windows 7 SP1 computer using Microsoft System Center 2012 R2 Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the machine, you have to run the backup job separately from the deployment of Windows 10. For the purposes of this topic, we will use three machines: DC01, CM01, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0004 is a machine with Windows 7 SP1 that will be replaced with a new machine running Windows 10. DC01, CM01, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). 
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md index 2040ebf2d1..a38657a7be 100644 --- a/windows/deployment/deploy.md +++ b/windows/deployment/deploy.md @@ -5,7 +5,7 @@ ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 11/02/2017 author: greg-lindsay --- @@ -17,7 +17,7 @@ Windows 10 upgrade options are discussed and information is provided about plann |Topic |Description | |------|------------| -|[Overview of Windows AutoPilot](windows-autopilot/windows-10-autopilot.md) |This topic provides an overview of Windows AutoPilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. | +|[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. | |[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. | |[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. | |[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. | diff --git a/windows/deployment/images/AV-status-by-computer.png b/windows/deployment/images/AV-status-by-computer.png new file mode 100644 index 0000000000..bfae9a3a44 Binary files /dev/null and b/windows/deployment/images/AV-status-by-computer.png differ diff --git a/windows/deployment/images/download.png b/windows/deployment/images/download.png new file mode 100644 index 0000000000..266a2a196b Binary files /dev/null and b/windows/deployment/images/download.png differ 
diff --git a/windows/deployment/images/spectre-meltdown-prod-closeup.png b/windows/deployment/images/spectre-meltdown-prod-closeup.png new file mode 100644 index 0000000000..c873521feb Binary files /dev/null and b/windows/deployment/images/spectre-meltdown-prod-closeup.png differ diff --git a/windows/deployment/images/win-security-update-status-by-computer.png b/windows/deployment/images/win-security-update-status-by-computer.png new file mode 100644 index 0000000000..720ae898be Binary files /dev/null and b/windows/deployment/images/win-security-update-status-by-computer.png differ diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 04a15dea0b..ab31e498e1 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -59,7 +59,7 @@ sections: Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment.
                   
                  - + diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 8e67035c39..179fd14236 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.date: 02/13/2018 -ms.localizationpriority: high +ms.localizationpriority: medium --- # MBR2GPT.EXE @@ -25,7 +25,7 @@ ms.localizationpriority: high See the following video for a detailed description and demonstration of MBR2GPT. - + You can use MBR2GPT to: diff --git a/windows/deployment/planning/index.md b/windows/deployment/planning/index.md index dc0ea6b496..2281ce8859 100644 --- a/windows/deployment/planning/index.md +++ b/windows/deployment/planning/index.md @@ -6,7 +6,7 @@ keywords: deploy, upgrade, update, configure ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library -ms.localizationpriority: high +ms.localizationpriority: medium author: TrudyHa ms.date: 07/27/2017 --- diff --git a/windows/deployment/planning/windows-10-1803-removed-features.md b/windows/deployment/planning/windows-10-1803-removed-features.md index ac2656939b..d3f6b8dab2 100644 --- a/windows/deployment/planning/windows-10-1803-removed-features.md +++ b/windows/deployment/planning/windows-10-1803-removed-features.md @@ -3,11 +3,11 @@ title: Windows 10, version 1803 - Features that have been removed description: Learn about features that will be removed or deprecated in Windows 10, version 1803, or a future release ms.prod: w10 ms.mktglfcycl: plan -ms.localizationpriority: high +ms.localizationpriority: medium ms.sitesec: library author: lizap ms.author: elizapo -ms.date: 04/27/2018 +ms.date: 06/01/2018 --- # Features removed or planned for replacement starting with Windows 10, version 1803 
@@ -32,8 +32,7 @@ We've removed the following features and functionalities from the installed prod |Language control in the Control Panel| Use the Settings app to change your language settings.| |HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.

                  When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.

                  Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
                  - [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
                  - [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | |**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).| -|**Conversations** in the People app when you're offline or if you're using a non-Office 365 mail account|In Windows 10, the People app shows mail from Office 365 contacts and contacts from your school or work organization under **Conversations**. After you update to Windows 10, version 1803, in order to see new mail in the People app from these specific contacts, you need to be online, and you need to have signed in with either an Office 365 account or, for work or school organization accounts, through the [Mail](https://support.microsoft.com/help/17198/windows-10-set-up-email), [People](https://support.microsoft.com/help/14103/windows-people-app-help), or [Calendar](https://support.office.com/article/Mail-and-Calendar-for-Windows-10-FAQ-4ebe0864-260f-4d3a-a607-7b9899a98edc) apps. Please be aware that you’ll only see mail for work and school organization accounts and some Office 365 accounts.| -|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.

                  However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it. +|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.

                  However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| ## Features we’re no longer developing 
@@ -49,4 +48,5 @@ If you have feedback about the proposed replacement of any of these features, yo |Contacts feature in File Explorer|We're no longer developing the Contacts feature or the corresponding [Windows Contacts API](https://msdn.microsoft.com/library/ff800913.aspx). Instead, you can use the People app in Windows 10 to maintain your contacts.| |Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.| |IPv4/6 Transition Technologies (6to4, ISATAP, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.| - +|[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers have been deprecated since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. Installed Layered Service Providers are not migrated when you upgrade to Windows 10, version 1803; you'll need to re-install them after upgrading.| +|Business Scanning, also called Distributed Scan Management (DSM) **(Added 05/03/2018)**|The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124\(vs.11\)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.| diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md index 4323a49d9e..23adaa809b 100644 
--- a/windows/deployment/planning/windows-10-compatibility.md
+++ b/windows/deployment/planning/windows-10-compatibility.md
@@ -6,7 +6,7 @@ keywords: deploy, upgrade, update, appcompat
 ms.prod: w10
 ms.mktglfcycl: plan
 ms.pagetype: appcompat
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 author: mtniehaus
 ms.date: 07/27/2017
diff --git a/windows/deployment/planning/windows-10-creators-update-deprecation.md b/windows/deployment/planning/windows-10-creators-update-deprecation.md
index b6bacd19d6..4103a10d65 100644
--- a/windows/deployment/planning/windows-10-creators-update-deprecation.md
+++ b/windows/deployment/planning/windows-10-creators-update-deprecation.md
@@ -3,7 +3,7 @@ title: Windows 10 Creators Update Deprecated Features
 description: Learn about features that were removed in Windows 10 Creators Update (version 1703)
 ms.prod: w10
 ms.mktglfcycl: plan
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 author: lizap
 ms.date: 10/09/2017
diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md
index 807aab48d4..07622a5fb6 100644
--- a/windows/deployment/planning/windows-10-deployment-considerations.md
+++ b/windows/deployment/planning/windows-10-deployment-considerations.md
@@ -4,7 +4,7 @@ description: There are new deployment options in Windows 10 that help you simpl
 ms.assetid: A8DD6B37-1E11-4CD6-B588-92C2404219FE
 keywords: deploy, upgrade, update, in-place
 ms.prod: w10
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.mktglfcycl: plan
 ms.sitesec: library
 author: mtniehaus
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
index 6780c3b222..d7cda9357a 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
@@ -4,7 +4,7 @@ description: Get answers to common questions around compatibility, installation,
 keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage udpates, Windows as a service, servicing channels, deployment tools
 ms.prod: w10
 ms.mktglfcycl: plan
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 author:
 ms.date: 08/18/2017
diff --git a/windows/deployment/planning/windows-10-fall-creators-deprecation.md b/windows/deployment/planning/windows-10-fall-creators-deprecation.md
index 48e83441d1..09045724dc 100644
--- a/windows/deployment/planning/windows-10-fall-creators-deprecation.md
+++ b/windows/deployment/planning/windows-10-fall-creators-deprecation.md
@@ -3,7 +3,7 @@ title: Windows 10 Fall Creators Update Deprecated Features
 description: Learn about features that will be removed in Windows 10 Fall Creators Update (version 1709)
 ms.prod: w10
 ms.mktglfcycl: plan
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 author: lizap
 ms.date: 10/09/2017
diff --git a/windows/deployment/planning/windows-10-fall-creators-removed-features.md b/windows/deployment/planning/windows-10-fall-creators-removed-features.md
index 6cdc748b94..9c04fcece6 100644
--- a/windows/deployment/planning/windows-10-fall-creators-removed-features.md
+++ b/windows/deployment/planning/windows-10-fall-creators-removed-features.md
@@ -3,7 +3,7 @@ title: Windows 10 Fall Creators Update - Features removed or planned for removal
 description: Which features were removed in Windows 10 Fall Creators Update (version 1709)? Which features are we thinking of removing in the future?
 ms.prod: w10
 ms.mktglfcycl: plan
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 author: lizap
 ms.date: 10/09/2017
diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md index f264840e05..83acd30a15 100644 --- a/windows/deployment/planning/windows-10-infrastructure-requirements.md +++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md @@ -5,7 +5,7 @@ ms.assetid: B0FA27D9-A206-4E35-9AE6-74E70748BE64 keywords: deploy, upgrade, update, hardware ms.prod: w10 ms.mktglfcycl: plan -ms.localizationpriority: high +ms.localizationpriority: medium ms.sitesec: library author: mtniehaus ms.date: 07/27/2017 diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md index 71ff1f9db8..bfadedc7cd 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md @@ -126,7 +126,7 @@ Windows To Go can be deployed using standard Windows deployment tools like Diskp - A Windows 10 Enterprise or Windows 10 Education image -- A Windows 10 Enterprise or Windows 10 Education host PC that can be used to provision new USB keys +- A Windows 10 Enterprise, Windows 10 Education or Windows 10 Professional host PC that can be used to provision new USB keys You can use a Windows PowerShell script to target several drives and scale your deployment for a large number of Windows To Go drives. You can also use a USB duplicator to duplicate a Windows To Go drive after it has been provisioned if you are creating a large number of drives. See the [Windows To Go Step by Step](https://go.microsoft.com/fwlink/p/?LinkId=618950) article on the TechNet wiki for a walkthrough of the drive creation process. 
@@ -153,7 +153,7 @@ Yes. Because USB 3.0 offers significantly faster speeds than USB 2.0, a Windows ## Can the user self-provision Windows To Go? -Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise and Windows 10 Education. Additionally, System Center 2012 Configuration Manager SP1 and later releases includes support for user self-provisioning of Windows To Go drives. Configuration Manager can be downloaded for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkID=618746). +Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise, Windows 10 Education and Windows 10 Professional. Additionally, System Center 2012 Configuration Manager SP1 and later releases includes support for user self-provisioning of Windows To Go drives. Configuration Manager can be downloaded for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkID=618746). ## How can Windows To Go be managed in an organization? diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md index 08b8659f6e..8fb982cfe7 100644 --- a/windows/deployment/update/WIP4Biz-intro.md +++ b/windows/deployment/update/WIP4Biz-intro.md @@ -1,11 +1,12 @@ --- title: Introduction to the Windows Insider Program for Business description: Introduction to the Windows Insider Program for Business and why IT Pros should join it +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jaimeo -ms.localizationpriority: high +ms.localizationpriority: medium ms.author: jaimeo ms.date: 03/01/2018 --- 
diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md index 4a72395427..c32997aca0 100644 --- a/windows/deployment/update/device-health-get-started.md +++ b/windows/deployment/update/device-health-get-started.md @@ -5,9 +5,11 @@ keywords: Device Health, oms, operations management suite, prerequisites, requir ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.date: 03/20/2018 +ms.date: 06/12/2018 ms.pagetype: deploy author: jaimeo +ms.author: jaimeo +ms.localizationpriority: medium --- # Get started with Device Health 
@@ -22,13 +24,16 @@ Steps are provided in sections that follow the recommended setup process: -## Add Device Health to Microsoft Operations Management Suite +## Add Device Health to Microsoft Operations Management Suite or Azure Log Analytics -Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). +Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). -**If you are already using OMS**, you’ll find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already. +**If you are already using Windows Analytics**, you should use the same Azure Log Analytics workspace you're already using. Find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. 
While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already. -**If you are not yet using OMS**, use the following steps to subscribe to OMS Device Health: +>[!NOTE] +>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=DeviceHealthProd) to go directly to the Device Health solution and add it to your workspace. + +**If you are not yet using Windows Analytics or Azure Log Analytics**, follow these steps to subscribe: 1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**. [![Operations Management Suite bar with sign-in button](images/uc-02a.png)](images/uc-02.png) 
@@ -50,11 +55,11 @@ Device Health is offered as a solution in the Microsoft Operations Management Su [![OMS dialog to link existing Azure subscription or create a new one](images/uc-06a.png)](images/uc-06.png) -6. To add Device Health to your workspace, go to the Solution Gallery, Select the **Device Health** tile and then select **Add** on the solution's detail page. While you have this dialog open, you should also consider adding the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions. +6. To add Update Readiness to your workspace, go to the Solution Gallery, Select the **Update Readiness** tile and then select **Add** on the solution's detail page. [![Windows Analytics details page in Solutions Gallery](images/solution-bundle.png)](images/solution-bundle.png) -7. Click the **Device Health** tile to configure the solution. The **Settings Dashboard** opens. In this example, both Upgrade Readiness and Device Health solutions have been added. +7. Click the **Update Readiness** tile to configure the solution. The **Settings Dashboard** opens. In this example, both Upgrade Readiness and Device Health solutions have been added. [![OMS Settings Dashboard showing Device Health and Upgrade Readiness tiles](images/OMS-after-adding-solution.jpg)](images/OMS-after-adding-solution.jpg) diff --git a/windows/deployment/update/device-health-monitor.md b/windows/deployment/update/device-health-monitor.md index 96aec57103..6e78e96a31 100644 --- a/windows/deployment/update/device-health-monitor.md +++ b/windows/deployment/update/device-health-monitor.md @@ -9,6 +9,7 @@ ms.localizationpriority: medium ms.date: 11/14/2017 ms.pagetype: deploy author: jaimeo +ms.author: jaimeo --- # Monitor the health of devices with Device Health 
diff --git a/windows/deployment/update/device-health-using.md b/windows/deployment/update/device-health-using.md index 19e2365401..3e28db2683 100644 --- a/windows/deployment/update/device-health-using.md +++ b/windows/deployment/update/device-health-using.md @@ -3,10 +3,13 @@ title: Using Device Health description: Explains how to begin usihg Device Health. ms.prod: w10 ms.mktglfcycl: deploy +keywords: oms, operations management suite, wdav, health, log analytics ms.sitesec: library ms.date: 03/30/2018 ms.pagetype: deploy author: jaimeo +ms.author: jaimeo +ms.localizationpriority: medium --- # Using Device Health diff --git a/windows/deployment/update/feature-update-conclusion.md b/windows/deployment/update/feature-update-conclusion.md new file mode 100644 index 0000000000..7ad33b4c1c --- /dev/null +++ b/windows/deployment/update/feature-update-conclusion.md 
@@ -0,0 +1,20 @@
+---
+title: Best practices for feature updates - conclusion
+description: Final thoughts about how to deploy feature updates
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: lizap
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 07/09/2018
+---
+
+# Conclusion
+
+**Applies to**: Windows 10
+
+Mission critical devices that need to be online 24x7 pose unique challenges for the IT Pro looking to stay current with the latest Windows 10 feature update. Because these devices are online continually, providing mission critical services, with only a small window of time available to apply feature updates, specific procedures are required to effectively keep these devices current, with as little downtime as possible.
+
+Whether you have defined servicing windows at your disposal where feature updates can be installed automatically, or you require user initiated installs by a technician, this whitepaper provides guidelines for either approach. Improvements are continually being made to Windows 10 setup to reduce device offline time for feature updates. This whitepaper will be updated as enhancements become available to improve the overall servicing approach and experience.
+
diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md
new file mode 100644
index 0000000000..d49f678bcf
--- /dev/null
+++ b/windows/deployment/update/feature-update-maintenance-window.md
@@ -0,0 +1,257 @@ +--- +title: Best practices - deploy feature updates during maintenance windows +description: Learn how to deploy feature updates during a maintenance window +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: mcureton +ms.localizationpriority: medium +ms.author: mikecure +ms.date: 07/09/2018 +--- + +# Deploy feature updates during maintenance windows + +**Applies to**: Windows 10 + +Use the following information to deploy feature updates during a maintenance window. + +## Get ready to deploy feature updates + +### Step 1: Configure maintenance windows + +1. In the Configuration Manager console, choose **Assets and Compliance> Device Collections**. +2. In the **Device Collections** list, select the collection for which you intended to deploy the feature update(s). +3. On the **Home** tab, in the **Properties** group, choose **Properties**. +4. In the **Maintenance Windows** tab of the Properties dialog box, choose the New icon. +5. Complete the Schedule dialog. +6. Select from the Apply this schedule to drop-down list. +7. Choose **OK** and then close the **\ Properties** dialog box. + +### Step 2: Review computer restart device settings + +If you’re not suppressing computer restarts and the feature update will be installed when no users are present, consider deploying a custom client settings policy to your feature update target collection to shorten the settings below or consider the total duration of these settings when defining your maintenance window duration. + +For example, by default, 90 minutes will be honored before the system is rebooted after the feature update install. If users will not be impacted by the user logoff or restart, there is no need to wait a full 90 minutes before rebooting the computer. If a delay and notification is needed, ensure that the maintenance window takes this into account along with the total time needed to install the feature update. 
+ +>[!NOTE] +> The following settings must be shorter in duration than the shortest maintenance window applied to the computer. +>- **Display a temporary notification to the user that indicates the interval before the user is logged off or the computer restarts (minutes).** +>- **Display a dialog box that the user cannot close, which displays the countdown interval before the user is logged off or the computer restarts (minutes).** + +### Step 3: Enable Peer Cache + +Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache. + +[Enable Configuration Manager client in full OS to share content](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update). + +### Step 4: Override the default Windows setup priority (Windows 10, version 1709 and later) + +If you’re deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. 
+ +%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini + +``` +[SetupConfig] +Priority=Normal +``` + +You can use the new [Run Scripts](https://docs.microsoft.com/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. + +``` +#Parameters +Param( + [string] $PriorityValue = "Normal" + ) + +#Variable for ini file path +$iniFilePath = "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini" + +#Variables for SetupConfig +$iniSetupConfigSlogan = "[SetupConfig]" +$iniSetupConfigKeyValuePair =@{"Priority"=$PriorityValue;} + +#Init SetupConfig content +$iniSetupConfigContent = @" +$iniSetupConfigSlogan +"@ + +#Build SetupConfig content with settings +foreach ($k in $iniSetupConfigKeyValuePair.Keys) +{ + $val = $iniSetupConfigKeyValuePair[$k] + + $iniSetupConfigContent = $iniSetupConfigContent.Insert($iniSetupConfigContent.Length, "`r`n$k=$val") +} + +#Write content to file +New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force + +Disclaimer +Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is +provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without +limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk +arising out of the use or performance of the sample script and documentation remains with you. 
In no event shall +Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable +for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, +loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script +or documentation, even if Microsoft has been advised of the possibility of such damages. +``` + +>[!NOTE] +>If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. + +## Manually deploy feature updates + +The following sections provide the steps to manually deploy a feature update. + +### Step 1: Specify search criteria for feature updates +There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. + +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. +3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps: + - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. 
+ - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, Required is greater than or equal to 1, and Language equals English. + +4. Save the search for future use. + +### Step 2: Download the content for the feature update(s) +Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. + +1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. +2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select Download. + + The **Download Software Updates Wizard** opens. +3. On the **Deployment Package** page, configure the following settings: + **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: + - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. + - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. + - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. 
You must create the shared folder for the deployment package source files before you proceed to the next page. + + >[!NOTE] + >The deployment package source location that you specify cannot be used by another software deployment package. + + >[!IMPORTANT] + >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. + + >[!IMPORTANT] + >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. + + Click **Next**. +4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). + + >[!NOTE] + >The Distribution Points page is available only when you create a new software update deployment package. +5. On the **Distribution Settings** page, specify the following settings: + + - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. 
+ - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). + - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: + - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. + - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. + - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. + + For more information about prestaging content to distribution points, see [Use Prestaged content](https://docs.microsoft.com/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). + Click **Next**. +6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: + + - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. 
+ - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. + + >[!NOTE] + >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. + + Click **Next**. +7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. +8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. +9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. + +#### To monitor content status +1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. +2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. +3. Select the feature update package that you previously identified to download the feature updates. +4. On the **Home** tab, in the Content group, click **View Status**. + +### Step 3: Deploy the feature update(s) +After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). + +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. +3. 
Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. + + The **Deploy Software Updates Wizard** opens. +4. On the General page, configure the following settings: + - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** + - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. + - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. + - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. + - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. +5. On the Deployment Settings page, configure the following settings: + + - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. 
+ + >[!IMPORTANT] + > After you create the software update deployment, you cannot later change the type of deployment. + + >[!NOTE] + >A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. + + - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. + + >[!WARNING] + >Before you can use this option, computers and networks must be configured for Wake On LAN. + + - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. +6. On the Scheduling page, configure the following settings: + + - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. + + >[!NOTE] + >When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. 
+
+ - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients:
+ - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation.
+ - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment.
+
+ >[!NOTE]
+ >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page.
+
+ - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links.
+
+ >[!NOTE]
+ >The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#computer-agent).
+7. On the User Experience page, configure the following settings:
+ - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**.
+ - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows).
+ - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation.
+
+ >[!IMPORTANT]
+ >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation.
+ - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device.
+
+ >[!NOTE]
+ >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window.
+ - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window.
+8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page.
+
+ >[!NOTE]
+ >You can review recent software updates alerts from the Software Updates node in the Software Library workspace.
+9. On the Download Settings page, configure the following settings:
+ - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location.
+ - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point.
+ - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache).
+ - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content.
+ - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection.
+
+ >[!NOTE]
+ >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
+10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting.
+11. Click **Next** to deploy the feature update(s).
+
+### Step 4: Monitor the deployment status
+After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status:
+
+1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**.
+2. Click the software update group or software update for which you want to monitor the deployment status.
+3. On the **Home** tab, in the **Deployment** group, click **View Status**.
diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md
new file mode 100644
index 0000000000..5c1cc4673a
--- /dev/null
+++ b/windows/deployment/update/feature-update-mission-critical.md
@@ -0,0 +1,39 @@
+---
+title: Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices
+description: Learn how to deploy feature updates to your mission critical devices
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: mcureton
+ms.localizationpriority: medium
+ms.author: mikecure
+ms.date: 07/10/2018
+---
+
+# Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices
+
+**Applies to**: Windows 10
+
+Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren’t the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the System Center Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates.
+
+For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, please see [Using Windows 10 servicing plans to deploy Windows 10 feature updates](waas-manage-updates-configuration-manager.md#use-windows-10-servicing-plans-to-deploy-windows-10-feature-updates).
+
+Devices and shared workstations that are online and available 24 hours a day, 7 days a week, can be serviced via one of two primary methods:
+
+- **Service during maintenance windows** – Devices that have established maintenance windows will need to have feature updates scheduled to fit within these windows.
+- **Service only when manually initiated** – Devices that need physical verification of the availability to update will need to have updates manually initiated by a technician.
+
+You can use Configuration Manager to deploy feature updates to Windows 10 devices in two ways. The first option is to use the software updates feature. The second option is to use a task sequence to deploy feature updates. There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example:
+
+- **LTSC feature updates.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade.
+- **Additional required tasks.** When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments.
+- **Language pack installs.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs.
+
+If you need to leverage a task sequence to deploy feature updates, please see [Using a task sequence to deploy Windows 10 updates](waas-manage-updates-configuration-manager.md#use-a-task-sequence-to-deploy-windows-10-updates) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, please see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You may be able to leverage this functionality with the software updates deployment method.
+
+Use the following information:
+
+
+- [Deploy feature updates during maintenance windows](feature-update-maintenance-window.md)
+- [Deploy feature updates for user-initiated installations](feature-update-user-install.md)
+- [Conclusion](feature-update-conclusion.md)
\ No newline at end of file
diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md
new file mode 100644
index 0000000000..bcf74135cf
--- /dev/null
+++ b/windows/deployment/update/feature-update-user-install.md
@@ -0,0 +1,235 @@
+---
+title: Best practices - deploy feature updates for user-initiated installations
+description: Learn how to manually deploy feature updates
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: mcureton
+ms.localizationpriority: medium
+ms.author: mikecure
+ms.date: 07/10/2018
+---
+
+# Deploy feature updates for user-initiated installations (during a fixed service window)
+
+**Applies to**: Windows 10
+
+Use the following steps to deploy a feature update for a user-initiated installation.
+
+## Get ready to deploy feature updates
+
+### Step 1: Enable Peer Cache
+Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache.
+
+[Enable Configuration Manager client in full OS to share content](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update).
+
+### Step 2: Override the default Windows setup priority (Windows 10, version 1709 and later)
+
+If you’re deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted.
+
+%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini
+
+```
+[SetupConfig]
+Priority=Normal
+```
+
+You can use the new [Run Scripts](https://docs.microsoft.com/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices.
+
+```
+#Parameters
+Param(
+ [string] $PriorityValue = "Normal"
+ )
+
+#Variable for ini file path
+$iniFilePath = "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini"
+
+#Variables for SetupConfig
+$iniSetupConfigSlogan = "[SetupConfig]"
+$iniSetupConfigKeyValuePair =@{"Priority"=$PriorityValue;}
+
+#Init SetupConfig content
+$iniSetupConfigContent = @"
+$iniSetupConfigSlogan
+"@
+
+#Build SetupConfig content with settings
+foreach ($k in $iniSetupConfigKeyValuePair.Keys)
+{
+ $val = $iniSetupConfigKeyValuePair[$k]
+
+ $iniSetupConfigContent = $iniSetupConfigContent.Insert($iniSetupConfigContent.Length, "`r`n$k=$val")
+}
+
+#Write content to file
+New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force
+
+Disclaimer
+Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is
+provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without
+limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk
+arising out of the use or performance of the sample script and documentation remains with you. In no event shall
+Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable
+for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption,
+loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script
+or documentation, even if Microsoft has been advised of the possibility of such damages.
+```
+
+>[!NOTE]
+>If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value.
+
+## Manually deploy feature updates in a user-initiated installation
+
+The following sections provide the steps to manually deploy a feature update.
+
+### Step 1: Specify search criteria for feature updates
+There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying a feature update is to identify the feature updates that you want to deploy.
+
+1. In the Configuration Manager console, click **Software Library**.
+2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed.
+3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps:
+ - In the **search** text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update.
+ - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, **Required** is greater than or equal to 1, and **Language** equals English.
+
+4. Save the search for future use.
+
+### Step 2: Download the content for the feature update(s)
+Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment.
+
+1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**.
+2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**.
+
+ The **Download Software Updates Wizard** opens.
+3. On the **Deployment Package** page, configure the following settings:
+ **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings:
+ - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters.
+ - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters.
+ - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page.
+
+ >[!NOTE]
+ >The deployment package source location that you specify cannot be used by another software deployment package.
+
+ >[!IMPORTANT]
+ >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files.
+
+ >[!IMPORTANT]
+ >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location.
+
+ Click **Next**.
+4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs).
+
+ >[!NOTE]
+ >The Distribution Points page is available only when you create a new software update deployment package.
+5. On the **Distribution Settings** page, specify the following settings:
+
+ - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: **High**, **Medium**, or **Low**. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority.
+ - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
+ - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options:
+ - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point.
+ - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point.
+ - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting.
+
+ For more information about prestaging content to distribution points, see [Use Prestaged content](https://docs.microsoft.com/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage).
+ Click **Next**.
+6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options:
+
+ - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting.
+ - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access.
+
+ >[!NOTE]
+ >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard.
+
+ Click **Next**.
+7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page.
+8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates.
+9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click **Close**.
+
+#### To monitor content status
+1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console.
+2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**.
+3. Select the feature update package that you previously identified to download the feature updates.
+4. On the **Home** tab, in the Content group, click **View Status**.
+
+### Step 3: Deploy the feature update(s)
+After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s).
+
+1. In the Configuration Manager console, click **Software Library**.
+2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**.
+3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**.
+
+ The **Deploy Software Updates Wizard** opens.
+4. On the General page, configure the following settings:
+ - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\**
+ - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default.
+ - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct.
+ - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time.
+ - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment.
+5. On the Deployment Settings page, configure the following settings:
+
+ - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline.
+
+ >[!IMPORTANT]
+ > After you create the software update deployment, you cannot later change the type of deployment.
+
+ >[!NOTE]
+ >A software update group deployed as **Required** will be downloaded in background and honor BITS settings, if configured.
+
+ - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when **Type of deployment** is set to **Required**.
+
+ >[!WARNING]
+ >Before you can use this option, computers and networks must be configured for Wake On LAN.
+
+ - **Detail level**: Specify the level of detail for the state messages that are reported by client computers.
+6. On the Scheduling page, configure the following settings:
+
+ - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console.
+
+ - **Software available time**: Select **Specific time** to specify when the software updates will be available to clients:
+ - **Specific time**: Select this setting to make the feature update in the deployment available to clients at a specific date and time. Specify a date and time that corresponds with the start of your fixed servicing window. When the deployment is created, the client policy is updated and clients are made aware of the deployment at their next client policy polling cycle. However, the feature update in the deployment is not available for installation until after the specified date and time are reached and the required content has been downloaded.
+
+ - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment.
+
+ >[!NOTE]
+ >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page.
+
+ - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. However, for the purposes of the fixed servicing window, set the installation deadline date and time to a future value, well beyond the fixed servicing window.
+
+ Required deployments for software updates can benefit from functionality called advanced download. When the software available time is reached, clients will start downloading the content based on a randomized time. The feature update will not be displayed in Software Center for installation until the content is fully downloaded. This ensures that the feature update installation will start immediately when initiated.
+
+7. On the User Experience page, configure the following settings:
+ - **User notifications**: Specify **Display in Software Center and show all notifications**.
+ - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window.
+ >[!NOTE]
+ >Remember that the installation deadline date and time will be well into the future to allow plenty of time for the user-initiated install during a fixed servicing window.
+ - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation.
+
+ >[!IMPORTANT]
+ >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation.
+ - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device.
+
+ >[!NOTE]
+ >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window.
+ - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window.
+8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page.
+
+ >[!NOTE]
+ >You can review recent software updates alerts from the **Software Updates** node in the **Software Library** workspace.
+9. On the Download Settings page, configure the following settings:
+ - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location.
+ - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point.
+ - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache).
+ - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content.
+ - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection.
+
+ >[!NOTE]
+ >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
+10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting.
+11. Click **Next** to deploy the feature update(s).
+
+### Step 4: Monitor the deployment status
+After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status:
+
+1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**.
+2. Click the software update group or software update for which you want to monitor the deployment status.
+3. On the **Home** tab, in the **Deployment** group, click **View Status**.
\ No newline at end of file
diff --git a/windows/deployment/update/images/app-reliability.png b/windows/deployment/update/images/app-reliability.png
new file mode 100644
index 0000000000..47ecf49431
Binary files /dev/null and b/windows/deployment/update/images/app-reliability.png differ
diff --git a/windows/deployment/update/images/device-reliability-crash-count.png b/windows/deployment/update/images/device-reliability-crash-count.png
new file mode 100644
index 0000000000..7dd0a2d660
Binary files /dev/null and b/windows/deployment/update/images/device-reliability-crash-count.png differ
diff --git a/windows/deployment/update/images/device-reliability-device-count.png b/windows/deployment/update/images/device-reliability-device-count.png
new file mode 100644
index 0000000000..ba937d49e9
Binary files /dev/null and b/windows/deployment/update/images/device-reliability-device-count.png differ
diff --git a/windows/deployment/update/images/device-reliability-event1001-PSoutput.png b/windows/deployment/update/images/device-reliability-event1001-PSoutput.png
new file mode 100644
index 0000000000..323e0e3878
Binary files /dev/null and b/windows/deployment/update/images/device-reliability-event1001-PSoutput.png differ
diff --git a/windows/deployment/update/images/event_1001.png b/windows/deployment/update/images/event_1001.png
new file mode 100644
index 0000000000..e4f4604c2b
Binary files /dev/null and b/windows/deployment/update/images/event_1001.png differ
diff --git a/windows/deployment/update/images/wufb-feature-engaged-notification.png b/windows/deployment/update/images/wufb-feature-engaged-notification.png
new file mode 100644
index 0000000000..0e3bd19e61
Binary files /dev/null and b/windows/deployment/update/images/wufb-feature-engaged-notification.png differ
diff --git a/windows/deployment/update/images/wufb-feature-notification.png b/windows/deployment/update/images/wufb-feature-notification.png
new file mode 100644
index 0000000000..0e3bd19e61
Binary files /dev/null and b/windows/deployment/update/images/wufb-feature-notification.png differ
diff --git a/windows/deployment/update/images/wufb-feature-update-deadline-notification.png b/windows/deployment/update/images/wufb-feature-update-deadline-notification.png
new file mode 100644
index 0000000000..0e3bd19e61
Binary files /dev/null and b/windows/deployment/update/images/wufb-feature-update-deadline-notification.png differ
diff --git a/windows/deployment/update/images/wufb-feature-update-engaged-notification.png b/windows/deployment/update/images/wufb-feature-update-engaged-notification.png
new file mode 100644
index 0000000000..6173803a90
Binary files /dev/null and b/windows/deployment/update/images/wufb-feature-update-engaged-notification.png differ
diff --git a/windows/deployment/update/images/wufb-quality-engaged-notification.png b/windows/deployment/update/images/wufb-quality-engaged-notification.png
new file mode 100644
index 0000000000..432f9f89b7
Binary files /dev/null and b/windows/deployment/update/images/wufb-quality-engaged-notification.png differ
diff --git a/windows/deployment/update/images/wufb-quality-notification.png b/windows/deployment/update/images/wufb-quality-notification.png
new file mode 100644
index 0000000000..0e3bd19e61
Binary files /dev/null and b/windows/deployment/update/images/wufb-quality-notification.png differ
diff --git a/windows/deployment/update/images/wufb-wave-deployment.png b/windows/deployment/update/images/wufb-wave-deployment.png
new file mode 100644
index 0000000000..34ff0bf6cf
Binary files /dev/null and b/windows/deployment/update/images/wufb-wave-deployment.png differ
diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
index dea0940ed3..65cd936797 100644
--- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
+++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
@@ -1,30 +1,31 @@ --- title: Olympia Corp enrollment guidelines description: Olympia Corp enrollment guidelines -ms.author: nibr +ms.author: jaimeo ms.topic: article ms.prod: w10 ms.technology: windows author: jaimeo ms.date: 03/02/2018 +keywords: insider, trial, enterprise, lab, corporation, test --- # Olympia Corp ## What is Windows Insider Lab for Enterprise and Olympia Corp? -Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release Enterprise Privacy and Security features. To get the complete experience of these Enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features. +Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release enterprise privacy and security features. To get the complete experience of these enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features. As an Olympia user, you will have an opportunity to: -- Use various Enterprise features like Windows Information Protection (WIP), Advanced Threat Protection (ATP), windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). +- Use various enterprise features like Windows Information Protection (WIP), Advanced Threat Protection (ATP), windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). - Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness. - Validate and test pre-release software in your environment. - Provide feedback. - Interact with engineering team members through a variety of communication channels. 
>[!Note] ->Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the Enterprise features at any time without notice. +>Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the enterprise features at any time without notice. For more information about Olympia Corp, see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ). diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md new file mode 100644 index 0000000000..16dd909dd8 --- /dev/null +++ b/windows/deployment/update/servicing-stack-updates.md 
@@ -0,0 +1,39 @@ +--- +title: Servicing stack updates (Windows 10) +description: Servicing stack updates improve the code that installs the other updates. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: Jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.date: 05/29/2018 +--- + +# Servicing stack updates + + +**Applies to** + +- Windows 10 + +## What is a servicing stack update? +The "servicing stack" is the code that installs other operating system updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. + +## Why should servicing stack updates be installed and kept up to date? + +Having the latest servicing stack update is a prerequisite to reliably installing the latest quality updates and feature updates. + +## When are they released? + +Currently, the servicing stack update releases are aligned with the monthly quality update release date, though sometimes they are released on a separate date if required. + +## Is there any special guidance? + +Typically, the improvements are reliability, security, and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes. + +## Installation notes + +• Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system. +• Installing servicing stack update does not require restarting the device, so installation should not be disruptive. +• Servicing stack update releases are specific to the operating system version (build number), much like quality updates. 
diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md index dce1b56274..9c77b0f094 100644 --- a/windows/deployment/update/update-compliance-delivery-optimization.md +++ b/windows/deployment/update/update-compliance-delivery-optimization.md @@ -8,6 +8,8 @@ ms.pagetype: deploy author: jaimeo ms.author: jaimeo ms.date: 03/27/2018 +keywords: oms, operations management suite, optimization, downloads, updates, log analytics +ms.localizationpriority: medium --- # Delivery Optimization in Update Compliance diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index d5059b3973..78aa48d1cf 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -9,6 +9,7 @@ ms.pagetype: deploy author: Jaimeo ms.author: jaimeo ms.date: 03/15/2018 +ms.localizationpriority: medium --- # Get started with Update Compliance 
@@ -22,12 +23,19 @@ Steps are provided in sections that follow the recommended setup process: -## Add Update Compliance to Microsoft Operations Management Suite +## Add Update Compliance to Microsoft Operations Management Suite or Azure Log Analytics -Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). +Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). + +>[!IMPORTANT] +>Update Compliance is a free solution for Azure subscribers. If you are already using OMS, skip to step **6** to add Update Compliance to your workspace. +>[!NOTE] +>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=WaaSUpdateInsights) to go directly to the Update Compliance solution and add it to your workspace. + + If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance: 1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**. 
@@ -69,4 +77,4 @@ Once you've added Update Compliance to Microsoft Operations Management Suite, yo ## Use Update Compliance to monitor Windows Updates -Once your devices are enrolled, you can starte to [Use Update Compliance to monitor Windows Updates](update-compliance-using.md). \ No newline at end of file +Once your devices are enrolled, you can start to [Use Update Compliance to monitor Windows Updates](update-compliance-using.md). diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index a7ed74d098..47523a44c6 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -9,6 +9,7 @@ ms.pagetype: deploy author: Jaimeo ms.author: jaimeo ms.date: 02/09/2018 +ms.localizationpriority: medium --- # Monitor Windows Updates and Windows Defender Antivirus with Update Compliance @@ -37,7 +38,7 @@ See the following topics in this guide for detailed information about configurin Click the following link to see a video demonstrating Update Compliance features. -[![YouTube video demonstrating Update Compliance](images/UC-vid-crop.jpg)](https://www.youtube.com/embed/1cmF5c_R8I4) +[![YouTube video demonstrating Update Compliance](images/UC-vid-crop.jpg)](https://www.youtube-nocookie.com/embed/1cmF5c_R8I4) ## Update Compliance architecture diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index f2ecc2a75b..2bcc3b064e 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -1,6 +1,7 @@ --- title: Using Update Compliance (Windows 10) description: Explains how to begin usihg Update Compliance. +keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
@@ -8,6 +9,7 @@ ms.pagetype: deploy author: jaimeo ms.author: jaimeo ms.date: 10/13/2017 +ms.localizationpriority: medium --- # Use Update Compliance diff --git a/windows/deployment/update/update-compliance-wd-av-status.md b/windows/deployment/update/update-compliance-wd-av-status.md index 0d7eaadd5a..c0f974d0c0 100644 --- a/windows/deployment/update/update-compliance-wd-av-status.md +++ b/windows/deployment/update/update-compliance-wd-av-status.md 
@@ -5,16 +5,19 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -author: DaniHalfin -ms.author: daniha -ms.date: 10/13/2017 +author: jaimeo +ms.author: jaimeo +ms.date: 05/17/2018 --- # Windows Defender AV Status ![The Windows Defender AV Status report](images/uc-windowsdefenderavstatus.png) -The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection – this percentage only considers devices using Windows Defender Antivirus. +The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection – this percentage only considers devices using Windows Defender Antivirus. + +>[!NOTE] +>Customers with E5 licenses can monitor the Windows Defender AV status by using the Windows Defender ATP portal. For more information about monitoring devices with this portal, see [Onboard Windows 10 machines](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Clicking any of these statuses will navigate you to a Log Search view containing the query. diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md index 98db5c9f8c..074861843d 100644 --- a/windows/deployment/update/waas-branchcache.md +++ b/windows/deployment/update/waas-branchcache.md 
@@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin -ms.localizationpriority: high +ms.localizationpriority: medium ms.author: daniha ms.date: 07/27/2017 --- diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index b6260dbd6d..082dd4cb06 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -4,10 +4,10 @@ description: You can use Group Policy or your mobile device management (MDM) ser ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: DaniHalfin -ms.localizationpriority: high -ms.author: daniha -ms.date: 10/13/2017 +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.date: 06/01/2018 --- # Configure Windows Update for Business 
@@ -21,14 +21,14 @@ ms.date: 10/13/2017 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) >[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB, and LTSB might still appear in some of our products. > >In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx). >[!IMPORTANT] ->For Windows Update for Business policies to be honored, the Diagnostic Data level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). +>For Windows Update for Business policies to be honored, the diagnostic data level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). Some Windows Update for Business policies are not applicable or behave differently for devices running Windows 10 Mobile Enterprise. 
Specifically, policies pertaining to Feature Updates will not be applied to Windows 10 Mobile Enterprise. All Windows 10 Mobile updates are recognized as Quality Updates, and can only be deferred or paused using the Quality Update policy settings. Additional information is provided in this topic and in [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md). @@ -42,7 +42,7 @@ By grouping devices with similar deferral periods, administrators are able to cl ## Configure devices for Current Branch (CB) or Current Branch for Business (CBB) -With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels). +With Windows Update for Business, you can set a device to be on either the Current Branch (CB) (now called Semi-Annual Channel (Targeted)) or the Current Branch for Business (CBB) (now called Semi-Annual Channel) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels). **Release branch policies** 
@@ -60,6 +60,9 @@ Starting with version 1703, users are able to configure their device's branch re >[!NOTE] >Users will not be able to change this setting if it was configured by policy. +>[!IMPORTANT] +>Devices on the Semi-Annual Channel (formerly called Current Branch for Business) must have their diagnostic data set to **1 (Basic)** or higher, in order to ensure that the service is performing at the expected quality. If diagnostic data is set to **0**, the device will be treated as if it were in the Semi-Annual Channel (Targeted)(formerly called Current Branch or CB) branch. For instructions to set the diagnostic data level, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). + ## Configure when devices receive Feature Updates After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 4c9151a55f..f82f1afa73 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md 
@@ -1,13 +1,14 @@ --- title: Configure Delivery Optimization for Windows 10 updates (Windows 10) description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10 +keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: JaimeO -ms.localizationpriority: high +ms.localizationpriority: medium ms.author: jaimeo -ms.date: 11/21/2017 +ms.date: 04/30/2018 --- # Configure Delivery Optimization for Windows 10 updates @@ -27,6 +28,16 @@ Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimi >[!NOTE] >WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. +The following table lists the minimum Windows 10 version that supports Delivery Optimization: + +| Device type | Minimum Windows version | +|------------------|---------------| +| Computers running Windows 10 | 1511 | +| Computers running Server Core installations of Windows Server | 1709 | +| IoT devices | 1803 | +| HoloLens devices | 1803 | + + By default in Windows 10 Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing on the organization's own network only, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. For more details, see [Download mode](#download-mode). 
@@ -56,8 +67,19 @@ Several Delivery Optimization features are configurable: | [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 | | [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | | [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | -| [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1703 | -| [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1703 | +| [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 | +| [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 | +| [MaxForegroundDownloadBandwidth](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 | +| [MaxBackgroundDownloadBandwidth](#maximum-background-download-bandwidth) | DOPercentageMaxBackgroundBandwidth | 1803 | +| [SetHoursToLimitBackgroundDownloadBandwidth](#set-business-hours-to-limit-background-download-bandwidth) | DOSetHoursToLimitBackgroundDownloadBandwidth | 1803 | +| [SetHoursToLimitForegroundDownloadBandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | +| [Select a method to restrict Peer Selection](#select-a-method-to-restrict-peer-selection) |DORestrictPeerSelectionBy | 1803 | +| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIdSource | 1803 | +| [Delay background download from http (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | +| [Delay foreground 
download from http (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | + + + When configuring Delivery Optimization on Windows 10 devices, the first and most important thing to configure is the [Download mode](#download-mode), which dictates how Delivery Optimization downloads Windows updates. 
@@ -80,6 +102,15 @@ Additional options available that control the impact Delivery Optimization has o - [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage. - [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers each month. - [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network. +- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. +- [Maximum Background Download Bandwidth](#maximum-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. +- [Set Business Hours to Limit Background Download Bandwidth](#set-business-hours-to-limit-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. +- [Set Business Hours to Limit Foreground Download Bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. +- [Select a method to restrict Peer Selection](#select-a-method-to-restrict-peer-selection) restricts peer selection by the options you select. 
+- [Select the source of Group IDs](#select-the-source-of-group-ids) restricts peer selection to a specific source. +- [Delay background download from http (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use P2P. +- [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P. + Administrators can further customize scenarios where Delivery Optimization will be used with the following settings: - [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) sets the minimum RAM required for peer caching to be enabled. 
@@ -92,11 +123,11 @@ At Microsoft, to help ensure that ongoing deployments weren’t affecting our ne For more details, check out the [Adopting Windows as a Service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) technical case study. -Provided below is a detailed description of every configurable feature setting. Use these details when configuring any of the above settings. +The following is a detailed description of every configurable feature setting. Use these details when configuring any of the settings. ### Download mode -Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. +Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. Additional technical details for these policies are available in [Policy CSP - Delivery Optimization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). | Download mode option | Functionality when set | | --- | --- | 
@@ -152,6 +183,14 @@ This setting specifies the minimum content file size in MB enabled to use Peer C This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). A default value of 0 means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used. +### Maximum Foreground Download Bandwidth + +Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value of 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set. + +### Maximum Background Download Bandwidth + +Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value of 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set. + ### Percentage of Maximum Download Bandwidth This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. The default value 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. 
@@ -160,6 +199,33 @@ This setting specifies the maximum download bandwidth that Delivery Optimization This setting allows you to limit the amount of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is 0, or “unlimited” which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate. +### Set Business Hours to Limit Background Download Bandwidth +Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. + +### Set Business Hours to Limit Foreground Download Bandwidth +Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. + +### Select a method to restrict peer selection +Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. +Currently the only available option is **1 = Subnet mask** This option (Subnet mask) applies to both Download Modes LAN (1) and Group (2). + +### Select the source of Group IDs +Starting in Windows 10, version 1803, set this policy to restrict peer selection to a specific source. The options are: +- 0 = not set +- 1 = AD Site +- 2 = Authenticated domain SID +- 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID) +- 4 = DNS Suffix + +When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. 
The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-4, the policy is ignored. + + +### Delay background download from http (in secs) +Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a background download that is allowed to use P2P. + +### Delay foreground download from http (in secs) +Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P. + ### Minimum Background QoS This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network. 
@@ -185,15 +251,44 @@ The device can download from peers while on battery regardless of this policy. > By default, devices **will not upload while on battery**. To enable uploads while on battery, you need to enable this policy and set the battery value under which uploads pause. + ## Set “preferred” cache devices for Delivery Optimization In some cases, IT pros may have an interest in identifying specific devices that will be “preferred” as sources to other devices—for example, devices that have hard-wired connections, large drives that you can use as caches, or a high-end hardware profile. These preferred devices will act as a “master” for the update content related to that devices’s configuration (Delivery Optimization only caches content relative to the client downloading the content). To specify which devices are preferred, you can set the **Max Cache Age** configuration with a value of **Unlimited** (0). As a result, these devices will be used more often as sources for other devices downloading the same files. -On devices that are not preferred, you can choose to set the following policy to prioritize data coming from local peers instead of the Internet: +On devices that are not preferred, you can choose to set the following policy to prioritize data coming from local peers instead of the Internet. Set **DOMinBackgroundQoS** with a low value, for example, `64` (which is the equivalent of 64 KB/s). -- Set **DOMinBackgroundQoS** with a low value, for example `64` which is the equivalent of 64 KB/s. +## Troubleshooting steps if you don't see any bytes from peers + +If you don’t see any bytes coming from peers the cause might be one of the following issues: + +- Clients aren’t able to reach the Delivery Optimization cloud services. +- The cloud service doesn’t see other peers on the network. +- Clients aren’t able to connect to peers that are offered back from the cloud service. + +### Clients aren't able to reach the Delivery Optimization cloud services. 
+ +To fix this issue, try the following steps: + +1. Start a download of an app that is larger than 50 MB from the Store (for example Candy Crush Saga). +2. Run `Get-DeliveryOptimizationStatus` from an elevated window and share the output (by setting the `DownloadMode` field to **1**). + +### The cloud service doesn't see other peers on the network. + +If you suspect this is the problem, try these steps: + +1. Download the same app on another device on the same network. +2. Run `Get-DeliveryOptimizationPerfSnap` from an elevated window (the `NumberOfPeers` field should be non-zero). + + +### Clients aren't able to connect to peers offered by the cloud service + +If you suspect this is the problem, run a Telnet test between two devices on the network to ensure they can connect using port 7680. To do this, follow these steps: + +1. Install Telnet by running **dism /online /Enable-Feature /FeatureName:TelnetClient** from an elevated command prompt. +2. Run the test. For example, if you are on device with IP 192.168.8.12 and you are trying to test the connection to 192.168.9.17 run **telnet 192.168.9.17 7680** (the syntax is *telnet [destination IP] [port]*. You will either see a connection error or a blinking cursor like this /_. The blinking cursor means success. ## Windows PowerShell cmdlets for analyzing usage @@ -227,8 +322,7 @@ Using the `-Verbose` option returns additional information: | IntConnectionCount | Number of active connections to internet peers |  | DownloadMode | Indicates the download mode (see the "Download Mode" section for details) |   - -- `Get-DeliveryOptimizationPerfSnap` returns a list of key performance data: +`Get-DeliveryOptimizationPerfSnap` returns a list of key performance data: - Number of files downloaded  - Number of files uploaded  
@@ -244,6 +338,19 @@ Using the `-Verbose` option returns additional information: - Bytes from CDN  (the number of bytes received over HTTP) - Average number of peer connections per download  + +Starting in Windows 10, version 1803: + +`Get-DeliveryOptimizationLog [-Path ] [-Flush]` + +If `Path` is not specified, this cmdlet reads all logs from the dosvc log directory, which requires administrator permissions. If `Flush` is specified, the cmdlet stops dosvc before reading logs. + +Log entries are written to the PowerShell pipeline as objects. To dump logs to a text file, run `Get-DeliveryOptimizationLog | Set-Content ` or something similar. + +`Get-DeliveryOptimizationPerfSnapThisMonth` + +Returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month. + ## Frequently asked questions **Does Delivery Optimization work with WSUS?**: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. @@ -270,6 +377,7 @@ For the payloads (optional): + ## Learn more [Windows 10, Delivery Optimization, and WSUS](https://blogs.technet.microsoft.com/mniehaus/2016/08/16/windows-10-delivery-optimization-and-wsus-take-2/) diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md index 224da4899d..10b578947d 100644 --- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md +++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md 
@@ -4,10 +4,10 @@ description: Deployment rings in Windows 10 are similar to the deployment groups ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: DaniHalfin -ms.localizationpriority: high -ms.author: daniha -ms.date: 07/27/2017 +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.date: 07/11/2018 --- # Build deployment rings for Windows 10 updates @@ -38,9 +38,7 @@ Table 1 provides an example of the deployment rings you might use. | Critical | Semi-annual channel | 180 days | 30 days | Devices that are critical and will only receive updates once they've been vetted for a period of time by the majority of the organization | >[!NOTE] ->In this example, there are no rings made up of the long-term servicing channel (LTSC). The LTSC servicing channel does not receive feature updates. -> ->Windows Insider PCs must be enrolled manually on each device and serviced based on the Windows Insider level chosen in the **Settings** app on that particular PC. Feature update servicing for Windows Insider devices is done completely through Windows Update; no servicing tools can manage Windows Insider feature updates. +>In this example, there are no rings made up of the long-term servicing channel (LTSC). The LTSC does not receive feature updates. As Table 1 shows, each combination of servicing channel and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing channel to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing channel they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense. 
@@ -66,6 +64,7 @@ As Table 1 shows, each combination of servicing channel and deployment group is - [Configure Windows Update for Business](waas-configure-wufb.md) - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) +- [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure) - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md index 0967178c16..d2ea74fd39 100644 --- a/windows/deployment/update/waas-integrate-wufb.md +++ b/windows/deployment/update/waas-integrate-wufb.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin -ms.localizationpriority: high +ms.localizationpriority: medium ms.author: daniha ms.date: 07/27/2017 --- diff --git a/windows/deployment/update/waas-manage-updates-configuration-manager.md b/windows/deployment/update/waas-manage-updates-configuration-manager.md index ad496df8a2..e51a60fb0d 100644 --- a/windows/deployment/update/waas-manage-updates-configuration-manager.md +++ b/windows/deployment/update/waas-manage-updates-configuration-manager.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin -ms.localizationpriority: high +ms.localizationpriority: medium ms.author: daniha ms.date: 10/16/2017 --- diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index 11d1c8bbbd..45492a47f7 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md 
@@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin -ms.localizationpriority: high +ms.localizationpriority: medium ms.author: daniha ms.date: 10/16/2017 --- diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 88a40b5473..b726f5ba97 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -4,10 +4,10 @@ description: Windows Update for Business lets you manage when devices received u ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: DaniHalfin -ms.localizationpriority: high -ms.author: daniha -ms.date: 10/13/2017 +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.date: 06/01/2018 --- # Deploy updates using Windows Update for Business 
@@ -21,15 +21,15 @@ ms.date: 10/13/2017 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) >[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB, and LTSB might still apear in some of our products. > ->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. +>In the following settings, CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. -Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices. +Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. 
In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices. Specifically, Windows Update for Business allows for: -- The creation of deployment rings, where administrators can specify which devices go first in an update wave, and which ones will come later (to ensure any quality bars are met). +- The creation of deployment rings, where administrators can specify which devices go first in an update wave, and which ones will come later (to allow for reliability and performance testing on a subset of systems before rolling out updates across the organization). - Selectively including or excluding drivers as part of Microsoft-provided updates - Integration with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune. - Peer-to-peer delivery for Microsoft updates, which optimizes bandwidth efficiency and reduces the need for an on-site server caching solution. 
@@ -45,7 +45,7 @@ Windows Update for Business is a free service that is available for Windows Pro, Windows Update for Business provides three types of updates to Windows 10 devices: - **Feature Updates**: previously referred to as *upgrades*, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-annually. -- **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates. +- **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates. - **Non-deferrable updates**: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred. Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business. 
@@ -102,10 +102,10 @@ The pause period is now calculated starting from the set start date. For additio ## Comparing Windows Update for Business in Windows 10, version 1511 and version 1607 -Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior. +Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior. >[!NOTE] ->For more information on Current Branch and Current Branch for Business, see [Windows 10 servicing options](waas-overview.md#servicing-channels). +>For more information on Current Branch (Semi-Annual Channel (Targeted)) and Current Branch for Business (Semi-Annual Channel), see [Windows 10 servicing options](waas-overview.md#servicing-channels).
                  TopicDescription
                  [Overview of Windows AutoPilot](windows-autopilot/windows-10-autopilot.md) Windows AutoPilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices.
                  [Overview of Windows Autopilot](windows-autopilot/windows-10-autopilot.md) Windows Autopilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices.
                  [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) This topic provides information about support for upgrading directly to Windows 10 from a previous operating system.
                  [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) This topic provides information about support for upgrading from one edition of Windows 10 to another.
                  [Windows 10 volume license media](windows-10-media.md) This topic provides information about media available in the Microsoft Volume Licensing Service Center.
                  @@ -113,7 +113,7 @@ Windows Update for Business was first made available in Windows 10, version 1511 - + diff --git a/windows/deployment/update/waas-mobile-updates.md b/windows/deployment/update/waas-mobile-updates.md index b167f78eb1..c87647a798 100644 --- a/windows/deployment/update/waas-mobile-updates.md +++ b/windows/deployment/update/waas-mobile-updates.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin -ms.localizationpriority: high +ms.localizationpriority: medium ms.author: daniha ms.date: 07/27/2017 --- diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md index 6af7a05dfe..d36e9fcaab 100644 --- a/windows/deployment/update/waas-optimize-windows-10-updates.md +++ b/windows/deployment/update/waas-optimize-windows-10-updates.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin -ms.localizationpriority: high +ms.localizationpriority: medium ms.author: daniha ms.date: 07/27/2017 --- diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index a3a8becf16..d0c4ddbf52 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -1,13 +1,14 @@ --- title: Overview of Windows as a service (Windows 10) description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy. +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: Jaimeo -ms.localizationpriority: high +ms.localizationpriority: medium ms.author: jaimeo -ms.date: 02/09/2018 +ms.date: 06/01/2018 --- # Overview of Windows as a service 
@@ -69,14 +70,19 @@ To align with this new update delivery model, Windows 10 has three servicing cha ### Naming changes As part of the alignment with Windows 10 and Office 365 ProPlus, we are adopting common terminology to make it as easy as possible to understand the servicing process. Going forward, these are the new terms we will be using: -* Semi-Annual Channel - We will be referreing to Current Branch (CB) as "Semi-Annual Channel (Targeted)", while Current Branch for Business (CBB) will simply be referred to as "Semi-Annual Channel". +* Semi-Annual Channel - We will be referring to Current Branch (CB) as "Semi-Annual Channel (Targeted)", while Current Branch for Business (CBB) will simply be referred to as "Semi-Annual Channel". * Long-Term Servicing Channel -  The Long-Term Servicing Branch (LTSB) will be referred to as Long-Term Servicing Channel (LTSC). +>[!IMPORTANT] +>With each Semi-Annual Channel release, we recommend beginning deployment right away to devices selected for early adoption (targeted validation) and ramp up to full deployment at your discretion, regardless of the "Targeted" designation. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. For nmore information, see the blog post [Windows 10 and the "disappearing" SAC-T](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747). + >[!NOTE] >For additional information, see the section about [Servicing Channels](#servicing-channels). > ->You can also read [this blog post](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/), with details on this change. +>You can also read the blog post [Waas simplified and aligned](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/), with details on this change. 
+>[!IMPORTANT] +>Devices on the Semi-Annual Channel (formerly called Current Branch for Business) must have their diagnostic data set to **1 (Basic)** or higher, in order to ensure that the service is performing at the expected quality. If diagnostic data is set to **0**, the device will be treated as if it were in the Semi-Annual Channel (Targeted)(formerly called Current Branch or CB) branch. For instructions to set the diagnostic data level, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). ### Feature updates diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index 8ea214bbb5..bb2378b3a9 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -1,13 +1,14 @@ --- title: Quick guide to Windows as a service (Windows 10) description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy. +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: Jaimeo -ms.localizationpriority: high +ms.localizationpriority: medium ms.author: jaimeo -ms.date: 02/09/2018 +ms.date: 05/29/2018 --- # Quick guide to Windows as a service 
@@ -19,38 +20,38 @@ ms.date: 02/09/2018 - Windows 10 Mobile - Windows 10 IoT Mobile -Windows as a service is a new concept, introduced with the release of Windows 10. While [an extensive set of documentation](index.md) is available explaining all the specifics and nuances, here is a quick guide to the most important concepts. +Windows as a service is a new concept, introduced with the release of Windows 10. While [an extensive set of documentation](index.md) is available explaining all the specifics and nuances, here is a quick guide to the most important concepts. ## Definitions Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean. -- **Feature updates** will be released twice per year, around March and September. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years. -- **Quality updates** are released monthly, delivering both security and non-security fixes. These are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. +- **Feature updates** will be released twice per year, around March and September. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years. +- **Quality updates** deliver both security and non-security fixes. They are typically released on the second Tuesday of each month ("Patch Tuesday"), though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. 
The "servicing stack" is the code that installs other updates, so they are important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md). - **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. - **Servicing channels** allow organizations to choose when to deploy new features. - The **Semi-Annual Channel** receives feature updates twice per year. - The **Long Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. -- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization. +- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization. See [Overview of Windows as a service](waas-overview.md) for more information. ## Key Concepts -Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers. +Windows 10 gains new functionality with twice-per-year feature update releases. 
Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers. Each Windows 10 feature update will be serviced with quality updates for 18 months from the date of the feature update release. -Windows 10 Enterprise LTSB is a separate **Long Term Servicing Channel** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years. +Windows 10 Enterprise LTSB is a separate **Long Term Servicing Channel** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years. See [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) for more information. ## Staying up to date -The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Analytics Upgrade Readiness](https://www.microsoft.com/en-us/WindowsForBusiness/windows-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help. +The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. 
A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Analytics Upgrade Readiness](https://www.microsoft.com/en-us/WindowsForBusiness/windows-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help. -Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin. +Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin. -This process repeats with each new feature update, twice per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles. +This process repeats with each new feature update, twice per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles. Additional technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files. diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index b4ad48ad0e..d663aecf1c 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md 
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: DaniHalfin
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.author: daniha
 ms.date: 07/27/2017
 ---
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index b311f101b7..a4042a9e10 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: DaniHalfin
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.author: daniha
 ms.date: 10/13/2017
 ---
diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
index 7a37b53aa7..668d342d72 100644
--- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: DaniHalfin
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.author: daniha
 ms.date: 07/27/2017
 ---
diff --git a/windows/deployment/update/waas-windows-insider-for-business-aad.md b/windows/deployment/update/waas-windows-insider-for-business-aad.md
deleted file mode 100644
index d03c9855b6..0000000000
--- a/windows/deployment/update/waas-windows-insider-for-business-aad.md
+++ /dev/null
@@ -1,123 +0,0 @@ ---- -title: Windows Insider Program for Business using Azure Active Directory -description: Benefits and configuration of corporate accounts in the Windows Insider Program -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -ms.localizationpriority: high -ms.author: daniha -ms.date: 10/16/2017 ---- - -# Windows Insider Program for Business using Azure Active Directory - - -**Applies to** - -- Windows 10 - -> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -We recently added features and benefits to better support the IT Professionals and business users in our Windows Insider community. This includes the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. - ->[!NOTE] ->At this point, the Windows Insider Program for Business only supports Azure Active Directory (and not Active Directory on premises) as a corporate authentication method. - ->[!TIP] ->New to Azure Active Directory? Go here for [an introduction to AAD](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect), including guidance for [adding users](https://docs.microsoft.com/azure/active-directory/active-directory-users-create-azure-portal), [device registration](https://docs.microsoft.com/azure/active-directory/active-directory-device-registration-overview) and [integrating your on-premises directories with Azure AD](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect). 
-> ->If your company is currently not using AAD – but has a paid subscription to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services – you have a free subscription to Microsoft Azure Active Directory. This subscription can be used to create users for enrollment in the Windows Insider Program for Business. - -In order to get the most benefit out of the Windows Insider Program for Business, organizations should not use a test tenant of AAD. There will be no modifications to the AAD tenant to support the Windows Insider Program as it will only be used as an authentication method. - -## Register your organization's Azure AD domain to the Windows Insider Program for Business -Rather than have each user in your organization register for Windows 10 Insider Preview builds, you can now simply register your domain – and cover all users with just one registration. - -1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/en-us/insidersigninaad/). -2. **Register your domain**. Rather than have each user register individually for Windows Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/en-us/for-business-organization-admin/) and control settings centrally. - ->[!IMPORTANT] ->The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain. - -## Check if a device is connected to your company’s Azure Active Directory subscription -Simply go to **Settings > Accounts > Access work or school**. If a corporate account is on Azure Active Directory and it is connected to the device, you will see the account listed as highlighted in the image below. - -![Device connected to Work Account](images/waas-wipfb-work-account.jpg) - -## Enroll a device with an Azure Active Directory account -1. 
Navigate to the [**Getting Started**](https://insider.windows.com/en-us/getting-started/) page on [Windows Insider](https://insider.windows.com). -2. Go to **Register your organization account** and follow the instructions. -3. On your Windows 10 device, go to **Settings > Updates & Security > Windows Insider Program**. -4. Enter the AAD account that you used to register and follow the on-screen directions. - ->[!NOTE] ->Make sure that you have administrator rights to the machine and that it has latest Windows updates. - -## Switch device enrollment from your Microsoft account to your AAD account -1. Visit [insider.windows.com](https://insider.windows.com) to register your AAD account. If you are signed in with your Microsoft account, sign out, then sign back in with your corporate AAD account. -2. Click **Get started**, read and accept the privacy statement and program terms and click **Submit**. -3. On your Windows 10 PC, go to **Settings > Updates & Security > Windows Insider Program**. -4. Under Windows Insider account, click your Microsoft account, then **Change** to open a Sign In box. -5. Select your corporate account and click Continue to change your account. - -![Change Windows Insider account](images/waas-wipfb-change-user.png) - ->[!NOTE] ->Your device must be connected to your corporate account in AAD for the account to appear in the account list. - -## User consent requirement - -With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will see a popup asking for their permission, like this: - -![Feedback Hub consent to AAD pop-up](images/waas-wipfb-aad-consent.png) - -Once agreed, everything will work fine, and that user won't be prompted for permission again. 
- -### Something went wrong - -The option for users to give consent for apps to access their profile data is controlled through Azure Active Directory. This means the AAD administrators have the ability to allow or block users from giving consent. - -In case the administrators blocked this option, when the user signs in with the AAD account, they will see the following error message: - -![Feedback Hub consent error message](images/waas-wipfb-aad-error.png) - -This blocks the user from signing in, which means they won't be able to use the Feedback Hub app with their AAD credentials. - -**To fix this issue**, an administrator of the AAD directory will need to enable user consent for apps to access their data. - -To do this through the **classic Azure portal**: -1. Go to https://manage.windowsazure.com/ . -2. Switch to the **Active Directory** dashboard. - ![Azure classic portal dashboard button](images/waas-wipfb-aad-classicaad.png) -3. Select the appropriate directory and go to the **Configure** tab. -4. Under the **integrated applications** section, enable **Users may give applications permissions to access their data**. - ![Azure classic portal enable consent](images/waas-wipfb-aad-classicenable.png) - -To do this through the **new Azure portal**: -1. Go to https://portal.azure.com/ . -2. Switch to the **Active Directory** dashboard. - ![Azure new portal dashboard button](images/waas-wipfb-aad-newaad.png) -3. Switch to the appropriate directory. - ![Azure new portal switch directory button](images/waas-wipfb-aad-newdirectorybutton.png) -4. Under the **Manage** section, select **User settings**. - ![Azure new portal user settings](images/waas-wipfb-aad-newusersettings.png) -5. In the **Enterprise applications** section, enable **Users can allow apps to access their data**. - ![Azure new portal enable consent](images/waas-wipfb-aad-newenable.png) - - -## Frequently Asked Questions - -### Will my test machines be affected by automatic registration? 
-All devices enrolled in the Windows Insider Program (physical or virtual) will receive Windows 10 Insider Preview builds (regardless of registration with MSA or AAD). - -### Once I register with my corporate account in AAD, do I need to keep my Microsoft account for the Windows Insider Program? -No, once you set up your device using AAD credentials – all feedback and flighting on that machine will be under your AAD account. You may need MSA for other machines that aren’t being used on your corporate network or to get Microsoft Store App updates. - -### How do I stop receiving updates? -You can simply “unlink” your account by going to **Settings > Updates & Security > Windows Insider Program**, select Windows Insider Account and click **Unlink**. - - -## Related Topics -- [Windows Insider Program for Business](waas-windows-insider-for-business.md) -- [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md) diff --git a/windows/deployment/update/waas-windows-insider-for-business-faq.md b/windows/deployment/update/waas-windows-insider-for-business-faq.md deleted file mode 100644 index c2cd8cc848..0000000000 --- a/windows/deployment/update/waas-windows-insider-for-business-faq.md +++ /dev/null 
@@ -1,106 +0,0 @@ ---- -title: Windows Insider Program for Business Frequently Asked Questions -description: Frequently Asked Questions and answers about the Windows Insider Program -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -ms.localizationpriority: high -ms.author: daniha -ms.date: 10/24/2017 ---- - -# Windows Insider Program for Business Frequently Asked Questions - - -**Applies to** - -- Windows 10 - -> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -### Are the Windows Insider Program and Windows Insider Program for Business separate programs? -No, in fact just the opposite. The Windows Insider Program was created in 2014 to help Microsoft engage with Windows Fans worldwide. Windows Insiders are the first to be able to try new Windows features that we introduce through Windows 10 Insider Preview Builds. At the same time, they can provide feedback through the Feedback Hub App which helps create even better versions of Windows for all users. The Windows Insider Program for Business enables you to incorporate Insider Preview builds into your deployment plans using your corporate credentials, deepen connections with the IT Pro community, collect feedback within your organization, and increase the visibility of your organization’s feedback – especially on features that support productivity and business needs. Together we can resolve blocking or critical issues to better support your organization’s needs sooner. Incorporating the Windows Insider Program for Business into your deployment plans enables you to prepare your organization for the next update of Windows 10, to deploy new services and tools more quickly, to help secure your applications, and to increase productivity and confidence in the stability of your environment. 
Windows Insider Program for Business participants collaborate with the Windows team to build and document features, infuse innovation, and plan for what’s around the bend. We’ve architected some great features together, received amazing feedback, and we’re not done. - -### What Languages are available? -Insider Preview builds are available in the following languages: English (United States), English (United Kingdom), Chinese (Simplified), Chinese (Traditional), Portuguese (Brazilian), Japanese, Russian, German, French, French (Canada), Korean, Italian, Spanish, Spanish (Latin America), Swedish, Finnish, Turkish, Arabic, Dutch, Czech, Polish, Thai, Catalan, Hindi, and Vietnamese. - -If your Windows build is not in one of the available base languages, you will not receive Insider Preview builds. - -Hindi, Catalan, and Vietnamese can only be installed as a language pack over [supported base languages](https://support.microsoft.com/help/14236/language-packs). - ->[!NOTE] -> To learn how to install a language pack, see [How to add an input language to your PC Additional](https://support.microsoft.com/instantanswers/60f32ff8-8697-4452-af7d-647439c38433/how-to-add-and-switch-input-languages-on-your-pc). - -### How do I register for the Windows Insider Program for Business? -To register for the Windows Insider Program for Business, follow the steps below using your corporate account in Azure Active Directory (AAD). This account is the same account that you use for Office 365 and other Microsoft services. - -1. Visit https://insider.windows.com and click **Get Started**. -2. Sign-in with your corporate account in AAD (username/password) and follow the on-screen registration directions. -3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds. Go to **Settings > Updates & Security > Windows Insider Program**. Click **Get Started**, enter your corporate credentials that you used to register, then follow the on-screen directions. 
- ->[!NOTE] ->Make sure that you have administrator rights to your machine and that it has latest Windows updates. - -### Are there any management capabilities that allow an IT admin to manage settings for a corporate environment? -Yes. Starting with Windows 10, version 1709, the Windows Insider Program for Business now enables administrators to apply the following group policies to help them manage their organization’s preview builds: - -**Manage preview builds:** Administrators can enable or prevent builds from installing on a device. You also have an option to disable preview builds once the release is public. -**Branch Readiness Level:** Administrators can set the Windows readiness level, including Fast, Slow, Release Preview Rings of Windows Insider Preview) and allows administrators to defer or pause delivery of updates. - -See more information on the [Getting started with Windows Insider Program for Business](waas-windows-insider-for-business.md#getting-started-with-windows-insider-program-for-business) section. - -### How can I find out if my corporate account is on Azure Active Directory? -On your PC, go to **Settings > Accounts > Access work or school**. If your organization has set up your corporate account in Azure Active Directory and it is connected to your PC, you will see the account listed as highlighted in the image below. - -![Device connected to Work Account](images/waas-wipfb-work-account.jpg) - -### I have more than one Azure Active Directory account. Which should I use? -Register for Windows Insider Program for Business with the same active account that you use to access your corporate email in Office 365 and other Microsoft services. To ensure you get the most benefit out of the Windows Insider Program for Business and that your company is fully represented, do not set up a separate tenant for testing activities. 
There will be no modifications to the AAD tenant to support Windows Insider Program for Business, and it will only be used as an authentication method. - -### Can I register multiple users from my organization at the same time for the Windows Insider Program for Business? -Yes. The Windows Insider Program for Business now allows organizations to register their domain and control settings centrally rather than require each user to register individually for Insider Preview builds. In order to register, follow instructions on the [Getting started with Windows Insider Program for Business](waas-windows-insider-for-business.md#getting-started-with-windows-insider-program-for-business) section. - -### My account is listed in Active Directory but not Azure Active Directory. Can I still register using my Active Directory credentials? -No. At this point, we are only supporting Azure Active Directory as a corporate authentication method. If you’d like to suggest or upvote another authentication method, please visit this [forum](https://answers.microsoft.com/en-us/insider/forum/insider_wintp). - -### I just want to participate as a Windows Insider. Do I still need to register with my corporate account in Azure Active Directory? -No. You can join using your Microsoft account (MSA) by following the steps below. However, please note that if you want to access the benefits of the Windows Insider Program for Business, you will need to sign-up using your corporate account in Azure Active Directory. - -1. Visit https://insider.windows.com and click Get Started. -2. Register with your Microsoft account and follow the on-screen registration directions. -3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds by going to **Settings > Updates & Security > Windows Insider Program** and entering your Microsoft account that you used to register. Now follow the on-screen directions. 
- ->[!NOTE] ->Make sure that you have administrator rights to your machine and that it has latest Windows updates. - -### I am already a Windows Insider. I want to switch my account from my Microsoft account to my corporate account in Azure Active Directory. How do I do this? -In just a few steps, you can switch your existing program registration from your Microsoft account to your corporate account in Azure Active Directory. - -1. Visit https://insider.windows.com. If you are signed in with your Microsoft account, sign out then sign back in to register with your corporate account in AAD. -2. On your Windows 10 PC, go to **Settings > Updates & Security > Windows Insider Program**. -3. In your account Under Windows Insider account, click **Change** to open a pop-up box. -4. Select your corporate account and click Continue to change your account. - ->[!NOTE] ->Your corporate account must be connected to the device for it to appear in the account list. - -### How do I sign into the Feedback Hub with my corporate credentials? -Sign in to the Feedback Hub using the same AAD account you are using to flight builds. - -### Am I going to lose all the feedback I submitted and badges I earned with my MSA? -No. However, your feedback will not be transferred from your MSA to your AAD account. You can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badges you’ve earned. - -### How is licensing handled for Windows 10 Insider builds? -All PCs need to have a valid Windows 10 license. This requirement applies whether the device is joined to the Windows Insider Program using a Microsoft account or an Azure Active Directory account. - -### Can I use the Software in a live operating environment? -The software is a pre-release version, and we do not recommend that organizations run Windows Insider Preview builds outside of their test environments. This software may not work the way a final version of the software will. 
We may change it for the final, commercial version. We also may not release a commercial version. - -### Can a single MSA or AAD account be used to register more than one PC in the program? -Yes. If each PC has a valid Windows 10 or Windows 10 Mobile license you can use your MSA on as many devices as you’d like. However, the main concern would be that within the feedback it all looks like it comes from a single user. If multiple devices are experiencing problems with a build, you’d want the ability to submit the same feedback from multiple people (or upvote the same piece of feedback). - - -## Related Topics -- [Windows Insider Program for Business](waas-windows-insider-for-business.md) -- [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md) \ No newline at end of file diff --git a/windows/deployment/update/waas-windows-insider-for-business.md b/windows/deployment/update/waas-windows-insider-for-business.md deleted file mode 100644 index dc35477a1b..0000000000 --- a/windows/deployment/update/waas-windows-insider-for-business.md +++ /dev/null 
@@ -1,313 +0,0 @@ ---- -title: Windows Insider Program for Business -description: Overview of the Windows Insider Program for Business -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jaimeo -ms.localizationpriority: high -ms.author: jaimeo -ms.date: 02/27/2018 ---- - -# Windows Insider Program for Business - - -**Applies to** - -- Windows 10 - -> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - - - -## Getting started with Windows Insider Program for Business - -To get started with the Windows Insider Program for Business, follow these steps: - -1. [Register your organization's Azure AD account](#individual-registration) to the Windows Insider Program for Business. -2. [Register your organization's Azure AD domain](#organizational-registration) to the Windows Insider Program for Business.
                  **Note:** Registering user has to be a Global Administrator in the Azure AD domain. -3. [Set policies](#manage-windows-insider-preview-builds) to enable Windows Insider Preview builds and select flight rings. - ->[!IMPORTANT] ->To receive Windows Insider Preview builds, set the **Allow Telemetry** setting in Group Policy to 2 or higher. -> ->In **Group Policy**, this setting is in **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds - Allow Telemetry**. In **MDM**, the setting is in [**System/AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry). - - -## Register in the Windows Insider Program for Business - -The first step to installing a Windows 10 Insider Preview build is to register as a Windows Insider. You and your users have two registration options. - -### Register using your work account (recommended) -Registering with your work account in Azure Active Directory (AAD) is required to submit feedback on behalf of your organization and manage Insider Preview builds on other devices in your domain. - ->[!NOTE] ->Requires Windows 10 Version 1703 or later. Confirm by going to Settings>System>About. If you do not have an AAD account, [find out how to get an Azure Active Directory tenant](https://docs.microsoft.com/azure/active-directory/develop/active-directory-howto-tenant). - -### Register your personal account -Use the same account that you use for other Microsoft services. If you don’t have a Microsoft account, it is easy to get one. [Get a Microsoft account](https://account.microsoft.com/account). - -## Install Windows Insider Preview Builds -You can install Windows 10 Insider Preview builds directly on individual devices, manage installation across multiple devices in an organization, or install on a virtual machine. - -### Install on an individual device - -1. 
Open [Windows Insider Program settings](ms-settings:windowsinsider) (On your Windows 10 device, go to Start > Settings > Update & security > Windows Insider Program). To see this setting, you must have administrator rights to your device. -2. Click **Get started** and follow the prompts to link your Microsoft or work account that you used to register as a Windows Insider. - - -[![Settings UI showing Windows Insider Program item selected in lower left](images/WIP4Biz_Prompts.png)](images/WIP4Biz_Prompts.png) - -### Install across multiple devices - -Administrators can install and manage Insider Preview builds centrally across multiple devices within their domain. To register a domain, you must be registered in the Windows Insider Program with your work account in Azure Active Directory and you must be assigned a **Global Administrator** role on that Azure AD domain. Also requires Windows 10 Version 1703 or later. - -To register a domain, follow these steps: - -1. **Register your domain with the Windows Insider Program** -Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/for-business-organization-admin/) and control settings centrally. - - -2. **Apply Policies** -Once you have registered your enterprise domain, you can control how and when devices receive Windows Insider Preview builds on their devices. See: [How to manage Windows 10 Insider Preview builds across your organization](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business). - ->[!Note] ->- The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain. ->- Currently, the Windows Insider Program for Business supports [Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/active-directory-whatis)--but not on-premises Active Directory--as a corporate authentication method. 
->- If your company has a paid subscription to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services--you have a free subscription to Microsoft Azure Active Directory. This subscription can be used to create users for enrollment in the Windows Insider Program for Business. ->- If you do not have an AAD account, install Insider Preview builds on individual devices with a registered Microsoft account. - -### Install on a virtual machine -This option enables you to run Insider Preview builds without changing the Windows 10 production build already running on a device. - -For guidance on setting up virtual machines on your device, see [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/). - -To download the latest Insider Preview build to run on your virtual machine, see -[Windows Insider Preview downloads](https://www.microsoft.com/software-download/windowsinsiderpreviewadvanced) - -## Manage Windows Insider Preview builds - -Starting with Windows 10, version 1709, administrators can control how and when devices receive Windows Insider Preview builds. - -The **Manage preview builds** setting gives enables or prevents preview build installation on a device. You can also decide to stop preview builds once the release is public. -* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds* -* MDM: **Update/ManagePreviewBuilds** - ->[!NOTE] ->**MDM Values for ManagePreviewBuilds**: ->* 0 - Disable preview builds ->* 1 - Disable preview builds once next release is public ->* 2 - Enable preview builds ->* 3 - Preview builds are left to user selection *(default)* - -The **Branch Readiness Level** settings allows you to choose between preview [flight rings](#flight-rings), and defer or pause the delivery of updates. 
-* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received* -* MDM: [**Update/BranchReadinessLevel**](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) - -![Group Policy dialog showing the "Select when Preview Builds and Feature updates are received" configuration panel](images/waas-wipfb-policy1.png) - -### Individual enrollment - -If you want to manage Windows Insider preview builds prior to Windows 10, version 1709, or wish to enroll a single device, follow these steps: - -1. Enroll your device by going to **Start > Settings > Update & security > Windows Insider Program** and selecting **Get Started**. Sign-in using the account you used to register for the Windows Insider Program. -2. Read the privacy statement and then click **Next**, **Confirm**, -3. Schedule a restart. You are now ready to install your first preview build. -4. To install the first preview, open **Start** > **Settings** > **Update & security** > **Windows Insider Program** and select your Windows Insider level. The device receives the most recent Windows Insider build for the Windows Insider level you select. - ->[!NOTE] ->To enroll your device, you’ll require administration rights on the device, which must be running Windows 10, Version 1703 or later. If you are already registered in the Windows Insider Program using your Microsoft account, you’ll need to [switch enrollment to the organizational account](#how-to-switch-between-your-msa-and-your-corporate-aad-account). - ->[!TIP] ->Administrators have the option to use [Device Health](/windows/deployment/update/device-health-monitor) in Windows Analytics to monitor devices running Windows 10 Insider Preview builds. - -## Flight rings - -Flight rings are used to evaluate the quality of our software as it is released to progressively larger audiences. 
We will flight a Feature Update, application, etc. to the first ring if it passes all required automated testing in the lab. The flight will continue to be evaluated against a set of criteria to ensure it is ready to progress to the next ring. - -These are the available flight rings: - -### Release Preview - -Best for Insiders who prefer to get early access to updates for the Semi-Annual Channel, Microsoft applications, and drivers, with minimal risk to their devices, and still want to provide feedback to make Windows devices great. - -Insiders on this level receive builds of Windows just before Microsoft releases them to the Semi-Annual Channel. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider devices. - -The Release Preview Ring will only be visible when your Windows build version is the same as the Semi-Annual Channel. - -To move from a Preview build to the Semi-Annual Channel, use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for device) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows. - -### Slow - -The Slow Windows Insider level is for users who prefer to see new builds of Windows with minimal risk to their devices but still want to provide feedback to Microsoft about their experience with the new build. - -* Builds are sent to the Slow Ring after feedback has been received from Windows Insiders within the Fast Ring and analyzed by our Engineering teams. -* These builds will include updates to fix key issues that would prevent many Windows Insiders from being able to use the build on a daily basis. -* These builds still might have issues that would be addressed in a future flight. -* These builds are typically released once a month. 
- -### Fast - -Best for Windows Insiders who prefer being the first to get access to builds and feature updates--with some risk to their devices--in order to identify issues, and provide suggestions and ideas to make Windows software and devices great. - -* Windows Insiders with devices in the Fast Ring should be prepared for more issues that might block key activities that are important to you or might require significant workarounds. -* Because we are also validating a build on a smaller set of devices before going to Fast, there is also a chance that some features might work on some devices but might fail in other device configurations. -* Windows Insiders should be ready to reinstall Windows using the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) when you are significantly blocked. -* Remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community forum. -* These builds are typically released once a week. - ->[!NOTE] ->Once your device is updated to Windows 10 and you select your desired flight ring, the process known as "Compatibility check" will need to run in the background. There is no manual way to force this process to run. This process allows for the discovery of your OS type (32-bit, 64-bit), build edition (Home, Pro, Enterprise), country and language settings, and other required information. Once this process is complete, your device will be auto-targeted for the next available flight for your selected ring. For the first build on any given device, this might take up to 24 hours to complete. - -### How to switch between flight rings - -During your time in the Windows Insider Program, you might want to change between flight rings for any number of reasons. Starting with Windows 10, version 1709, use the **Branch Readiness Level** to switch between flight rings. 
- -* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received* -* MDM: [**Update/BranchReadinessLevel**](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) - -To switch flights prior to Windows 10, version 1709, follow these steps: - -1. Go to **Settings > Updates & Security > Windows Insider Program** -2. Under **Choose your level**, select between the following rings - - * [Windows Insider Fast](#fast) - * [Windows Insider Slow](#slow) - * [Release Preview](#release-preview) - - -## How to switch between your MSA and your Corporate AAD account - -If you were using your Microsoft Account (MSA) to enroll to the Windows Insider Program, switch to your organizational account by going to **Settings > Updates & Security > Windows Insider Program**, and under **Windows Insider account** select **Change**. - -![Change Windows Insider account](images/waas-wipfb-change-user.png) - ->[!NOTE] ->If you would like to use your corporate account, your device must be connected to your corporate account in AAD for the account to appear in the account list. - -## Sharing Feedback Via the Feedback Hub -As you know a key benefit to being a Windows Insider is Feedback. It’s definitely a benefit to us, and we hope it’s a benefit to you. Feedback is vital for making changes and improvements in Windows 10. Receiving quality and actionable feedback is key in achieving these goals. - -Use the [**Feedback Hub App**](feedback-hub://?referrer=wipForBizDocs&tabid=2) to submit your feedback to Microsoft. - -When providing feedback, consider the following: -* Check for existing feedback on the topic you are preparing to log. Another user might have already shared the same feedback. If they have, “upvote” the existing feedback to help prevent duplicate submissions. 
Adding additional comments to existing feedback can help others by providing clarity to existing information or additional scenarios to review. -* Provide as much information to us as possible: include reproduction steps, screenshots, any detail you think would help us experience the issue as you have, so that we can work on a fix and get it into a new build as soon as possible. - ->[!TIP] ->You can then track feedback provided by all users in your organization through the Feedback Hub. Simply filter by **My Organization**. -> ->If you're signed in to the Feedback Hub App using your personal Microsoft Account (MSA), you can switch to your work account, by clicking on your account, signing out, and signing back in. - ->[!NOTE] ->If you signed into the Feedback Hub previously with your MSA, your feedback and badges will not be transferred to your Azure AD sign-in. However, you can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badges you’ve earned. - -### User consent requirement - -Feedback Hub needs the user’s consent to access their AAD account profile data (we read their name, organizational tenant ID, and user ID). When they sign in for the first time with the AAD account, they will see a popup asking for their permission, like this: - -![Feedback Hub consent to AAD pop-up](images/waas-wipfb-aad-consent.png) - -Once agreed, everything will work fine, and that user won't be prompted for permission again. - -#### Something went wrong - -The option for users to give consent for apps to access their profile data is controlled through Azure Active Directory. This means the AAD administrators have the ability to allow or block users from giving consent. 
- -In case the administrators blocked this option, when the user signs in with the AAD account, they will see the following error message: - -![Feedback Hub consent error message](images/waas-wipfb-aad-error.png) - -This blocks the user from signing in, which means they won't be able to use the Feedback Hub app with their AAD credentials. - -**To fix this issue**, an administrator of the AAD directory will need to enable user consent for apps to access their data. - -To do this through the **classic Azure portal**: -1. Go to https://manage.windowsazure.com/ . -2. Switch to the **Active Directory** dashboard. - ![Azure classic portal dashboard button](images/waas-wipfb-aad-classicaad.png) -3. Select the appropriate directory and go to the **Configure** tab. -4. Under the **integrated applications** section, enable **Users might give applications permissions to access their data**. - ![Azure classic portal enable consent](images/waas-wipfb-aad-classicenable.png) - -To do this through the **new Azure portal**: -1. Go to https://portal.azure.com/ . -2. Switch to the **Active Directory** dashboard. - ![Azure new portal dashboard button](images/waas-wipfb-aad-newaad.png) -3. Switch to the appropriate directory. - ![Azure new portal switch directory button](images/waas-wipfb-aad-newdirectorybutton.png) -4. Under the **Manage** section, select **User settings**. - ![Azure new portal user settings](images/waas-wipfb-aad-newusersettings.png) -5. In the **Enterprise applications** section, enable **Users can allow apps to access their data**. - ![Azure new portal enable consent](images/waas-wipfb-aad-newenable.png) - -## Not receiving Windows 10 Insider Preview build updates? - -In some cases, your device might not update to the latest Windows Insider Preview build as expected. Here are items that you can review to troubleshoot this issue: - -### Perform a manual check for updates -Go to **Settings > Updates & Security**. 
Review available updates or select **Check for updates**. - ->[!NOTE] ->If you have set Active Hours, ensure your device is left turned on and signed in during the off-hours so the install process can complete. - -### Make sure Windows is activated -Go to **Settings > Updates & Security > Activation** to verify Windows is activated. - -### Make sure your corporate account in AAD is connected to your device -Open **Settings \ Accounts \ Access work or school**. If your device is not listed as connected to your account in AAD, click Connect and enter your AAD account. - -### Make sure you have selected a flight ring -Open **Settings > Update & Security > Windows Insider Program** and select your flight ring. - -### Have you recently done a roll-back? -If so, double-check your flight settings under **Settings > Update & Security > Windows Insider Program**. - -### Did you do a clean installion? -After a clean installation and initial setup of a Microsoft or corporate account (even one that has been used previously for flighting) the appropriate targeting needs to take place for your device. This background process is known as Compatibility Checker and will run during idle time on your device. This process might take up to 24 hours. To ensure that this occurs in a timely manner, leave your device turned on. - -### Are there known issues for your current build? -On rare occasion, there might be an issue with a build that could lead to issues with updates being received. Check the most recent blog post or contact the Windows Insider team on Twitter for verification (*@WindowsInsider*). You can also check the **Feedback Hub** for announcements and known issues. - -## Exiting flighting - -After you’ve tried the latest Windows Insider Preview builds, you might want to opt out. In order to do that, go to **Settings > Update & Security > Windows Insider Program** and select **Stop Insider Preview Builds**. Follow the on-screen instructions to stop flighting to your device. 
- -To go from a Preview build to the Semi-Annual Channel, use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for device) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows. - -## Unregister - -If you no longer plan to manage Windows Insider Preview policies for your organization, you will need to [unregister your domain with the Windows Insider Program](https://insider.windows.com/insiderorgleaveprogram/). - -Unregistering will not allow any other administrators at your organization to continue to set policies to manage Windows Insider Preview builds across your organization. - -Your individual registration with the Insider program will not be impacted. If you wish to leave the Insider program, see the [leave the program](https://insider.windows.com/how-to-overview/#leave-the-program) instructions. - ->[!IMPORTANT] ->Once your domain is unregistered, setting the **Branch Readiness Level** to preview builds will have no effect. Return this setting to its unconfigured state in order to enable users to control it from their devices. - -## Community - -Windows Insiders are a part of a global community focused on innovation, creativity, and growth in their world. - -The Windows Insider program enables you to deepen connections to learn from peers and to connect to subject matter experts (inside Microsoft, Insiders in your local community and in another country) who understand your unique challenges, and who can provide strategic advice on how to maximize your impact. 
- -Collaborate and learn from experts in the [Windows Insider Tech Community](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) - - -## Additional help resources - -* [**Windows Blog**](https://blogs.windows.com/blog/tag/windows-insider-program/) - With each new build release we publish a Windows Blog post that outlines key feature changes as well as known issues that Insiders might encounter while using the build. -* [**Microsoft Technical Community for Windows Insiders**](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) - Engage with Windows Insiders around the world in a community dedicated to the Windows Insider Program. -* [**Windows Insider Preview community forum**](https://answers.microsoft.com/en-us/insider/forum/insider_wintp) - Answers is Microsoft’s forum platform and there is an entire area dedicated to the Windows Insider Program. Insiders can filter between device, Office, Edge, and many others. - -## Learn More -- [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md) -- [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md) - -## Related Topics -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index a4286f5300..bed1c38f39 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md 
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: DaniHalfin
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.author: daniha
 ms.date: 07/27/2017
 ---
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index c4763cac37..2142d3ee8f 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: DaniHalfin
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.author: daniha
 ms.date: 07/27/2017
 ---
@@ -339,6 +339,10 @@ The **Ring 4 Broad business users** deployment ring has now been configured. Fin
 2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 5 Broad business users #2** group.
+## Known issues
+The following article describes the known challenges that can occur when you manage a Windows 10 Group policy client base:
+- [Known issues managing a Windows 10 Group Policy client in Windows Server 2012 R2](https://support.microsoft.com/en-us/help/4015786/known-issues-managing-a-windows-10-group-policy-client-in-windows-serv)
+
 ## Related topics
 - [Update Windows 10 in the enterprise](index.md)
@@ -356,4 +360,4 @@ The **Ring 4 Broad business users** deployment ring has now been configured. Fin
 - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
 - [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
 - [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
-- [Manage device restarts after updates](waas-restart.md)
\ No newline at end of file
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md
index 6d421a99de..df5ea1250d 100644
--- a/windows/deployment/update/waas-wufb-intune.md
+++ b/windows/deployment/update/waas-wufb-intune.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: DaniHalfin
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.author: daniha
 ms.date: 07/27/2017
 ---
diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
index 0b01d6d615..3b90be8d08 100644
--- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
+++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
@@ -8,7 +8,8 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: jaimeo
 ms.author: jaimeo
-ms.date: 04/05/2018
+ms.date: 07/20/2018
+ms.localizationpriority: medium
 ---
 # Frequently asked questions and troubleshooting Windows Analytics
@@ -19,11 +20,13 @@ This topic compiles the most common issues encountered with configuring and usin If you've followed the steps in the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic and are still encountering problems, you might find the solution here. -[Devices not showing up](#devices-not-showing-up) +[Devices not appearing in Upgrade Readiness](#devices-not-appearing-in-upgrade-readiness) -[Device Health crash data not appearing](#device-health-crash-data-not-appearing) +[Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) -[Upgrade Readiness reports outdated updates](#upgrade-readiness-reports-outdated-updates) +[Device crashes not appearing in Device Health Device Reliability](#device-crashes-not-appearing-in-device-health-device-reliability) + +[Apps not appearing in Device Health App Reliability](#apps-not-appearing-in-device-health-app-reliability) [Upgrade Readiness shows many "Computers with outdated KB"](#upgrade-readiness-shows-many-computers-with-outdated-kb) 
@@ -36,13 +39,14 @@ If you've followed the steps in the [Enrolling devices in Windows Analytics](win [Exporting large data sets](#exporting-large-data-sets) -### Devices not showing up +### Devices not appearing in Upgrade Readiness In Log Analytics, go to **Settings > Connected sources > Windows telemetry** and verify that you are subscribed to the Windows Analytics solutions you intend to use. Even though devices can take 2-3 days after enrollment to show up due to latency in the system, you can now verify the status of your devices with a few hours of running the deployment script as described in [You can now check on the status of your computers within hours of running the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/05/12/wheres-my-data/) on the Windows Analytics blog. + >[!NOTE] -> If you generate the status report and get an error message saying "Sorry! We’re not recognizing your Commercial Id," please go to **Settings > Connected sources > Windows telemetry** and unsubscribe, wait a minute and then re-subscribe to Upgrade Readiness. This is a known issue and we are working on a fix. +> If you generate the status report and get an error message saying "Sorry! We’re not recognizing your Commercial Id," go to **Settings > Connected sources > Windows telemetry** and unsubscribe, wait a minute and then re-subscribe to Upgrade Readiness. If devices are not showing up as expected, find a representative device and follow these steps to run the latest pilot version of the Upgrade Readiness deployment script on it to troubleshoot issues: 
@@ -57,77 +61,96 @@ If you want to check a large number of devices, you should run the latest script If you think the issue might be related to a network proxy, check "Enable data sharing" section of the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic. Also see [Understanding connectivity scenarios and the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog. -If you have deployed images that have not been generalized, then many of them might have the same ID and so analytics will see them as one device. If you suspect this is the issue, then you can reset the IDs on the non-generalized devices by performing these steps: +If you have deployed images that have not been generalized, then many of them might have the same ID and so Windows Analytics will see them as one device. If you suspect this is the issue, then you can reset the IDs on the non-generalized devices by performing these steps: 1. Net stop diagtrack 2. Reg delete hklm\software\microsoft\sqmclient /v MachineId /f 3. Net start diagtrack +#### Devices not appearing in Device Health Device Reliability -### Device Health crash data not appearing +[![Device Reliability tile showing device count highlighted](images/device-reliability-device-count.png)](images/device-reliability-device-count.png) -#### Is WER disabled? -If Windows Error Reporting (WER) is disabled or redirected on your Windows devices, then reliability information cannot be shown in Device Health. +If you have devices that appear in other solutions, but not Device Health, follow these steps to investigate the issue: +1. Confirm that the devices are running Windows10. +2. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551). +3. 
Confirm that devices have opted in to provide diagnostic data by checking in the registry that **AllowTelemetry** is set to 2 (Enhanced) or 3 (Full) in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which takes precedence if set). +4. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information. +5. Wait 48 hours for activity to appear in the reports. +6. If you need additional troubleshooting, contact Microsoft Support. -Check these registry settings in **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting**: -- Verify that the value "Disabled" (REG_DWORD), if set, is 0. -- Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0. -- Verify that the value "CorporateWERServer" (REG_SZ) is not configured. +### Device crashes not appearing in Device Health Device Reliability -If you need further information on Windows Error Reporting (WER) settings, see WER Settings. +[![Device Reliability tile showing crash count highlighted](images/device-reliability-crash-count.png)](images/device-reliability-crash-count.png) + +If you know that devices are experiencing stop error crashes that do not seem to be reflected in the count of devices with crashes, follow these steps to investigate the issue: + +1. Verify that devices are reporting data properly by following the steps in the [Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) section of this topic. +2. 
Trigger a known crash on a test device by using a tool such as [NotMyFault](https://docs.microsoft.com/sysinternals/downloads/notmyfault) from Windows Sysinternals. +3. Verify that Windows Error Reporting (WER) is not disabled or redirected by confirming the registry settings in **HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which will take precedence if set): + + - Verify that the value "Disabled" (REG_DWORD), if set, is 0. + - Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0. + - Verify that the value "CorporateWERServer" (REG_SZ) is not configured. + +4. Verify that WER can reach all diagnostic endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md)--if WER can only reach some of the endpoints, it could be included in the device count while not reporting crashes. +5. Check that crash reports successfully complete the round trip with Event 1001 and that BucketID is not blank. A typical such event looks like this: + + [![Event viewer detail showing Event 1001 details](images/event_1001.png)](images/event_1001.png) + + You can use the following Windows PowerShell snippet to summarize recent occurences of Event 1001. Most events should have a value for BucketID (a few intermittent blank values are OK, however). 
+ + ```powershell + $limitToMostRecentNEvents = 20 + Get-WinEvent -FilterHashTable @{ProviderName="Windows Error Reporting"; ID=1001} | + ?{ $_.Properties[2].Value -match "crash|blue" } | + % { [pscustomobject]@{ + TimeCreated=$_.TimeCreated + WEREvent=$_.Properties[2].Value + BucketId=$_.Properties[0].Value + ContextHint = $( + if($_.Properties[2].Value -eq "bluescreen"){"kernel"} + else{ $_.Properties[5].Value } + ) + }} | Select-Object -First $limitToMostRecentNEvents + ``` + The output should look something like this: + [![Typical output for this snippet](images/device-reliability-event1001-PSoutput.png)](images/device-reliability-event1001-PSoutput.png) + +6. Check that some other installed device, app, or crash monitoring solution is not intercepting crash events. +7. Wait 48 hours for activity to appear in the reports. +8. If you need additional troubleshooting, contact Microsoft Support. #### Endpoint connectivity Devices must be able to reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). -If you are using proxy server authentication, it is worth taking extra care to check the configuration. Prior to Windows 10, version 1703, WER uploads error reports in the machine context. Both user (typically authenticated) and machine (typically anonymous) contexts require access through proxy servers to the diagnostic endpoints. In Windows 10, version 1703, and later WER will attempt to use the context of the user that is logged on for proxy authentication such that only the user account requires proxy access. - -Therefore, it's important to ensure that both machine and user accounts have access to the endpoints using authentication (or to whitelist the endpoints so that outbound proxy authentication is not required). For suggested methods, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md#configuring-endpoint-access-with-proxy-servers). 
- -To test access as a given user, you can run this Windows PowerShell cmdlet *while logged on as that user*: +If you are using proxy server authentication, it's worth taking extra care to check the configuration. Prior to Windows 10, version 1703, WER only uploads error reports in the machine context, so whitelisting endpoints to allow non-authenticated access was typically used. In Windows 10, version 1703 and later versions, WER will attempt to use the context of the user that is logged on for proxy authentication such that only the user account requires proxy access. -```powershell -$endPoints = @( - 'watson.telemetry.microsoft.com' - 'oca.telemetry.microsoft.com' - 'v10.events.data.microsoft.com' - ) +For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md#configuring-endpoint-access-with-proxy-server-authentication). -$endPoints | %{ Test-NetConnection -ComputerName $_ -Port 443 -ErrorAction Continue } | Select-Object -Property ComputerName,TcpTestSucceeded +### Apps not appearing in Device Health App Reliability -``` +[![App Reliability tile showing relability events trend](images/app-reliability.png)](images/app-reliability.png) -If this is successful, `TcpTestSucceeded` should return `True` for each of the endpoints. +If apps that you know are crashing do not appear in App Reliability, follow these steps to investigate the issue: -To test access in the machine context (requires administrative rights), run the above as SYSTEM using PSexec or Task Scheduler, as in this example: +1. Double-check the steps in the [Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) and [Device crashes not appearing in Device Health Device Reliability](#device-crashes-not-appearing-in-device-health-device-reliability) sections of this topic. +2. Confirm that an in-scope application has crashed on an enrolled device. 
Keep the following points in mind: + - Not all user-mode crashes are included in App Reliability, which tracks only apps that have a GUI, have been used interactively by a user, and are not part of the operating system. + - Enrolling more devices helps to ensure that there are enough naturally occurring app crashes. + - You can also use test apps which are designed to crash on demand. -```powershell +3. Verify that *per-user* Windows Error Reporting (WER) is not disabled or redirected by confirming the registry settings in **HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting** (or **HKCU\Software\Policies\Microsoft\Windows\DataCollection**, which will take precedence if set): -[scriptblock]$accessTest = { - $endPoints = @( - 'watson.telemetry.microsoft.com' - 'oca.telemetry.microsoft.com' - 'v10.events.data.microsoft.com' - ) + - Verify that the value "Disabled" (REG_DWORD), if set, is 0. + - Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0. + - Verify that the value "CorporateWERServer" (REG_SZ) is not configured. +4. Check that some other installed device, app, or crash monitoring solution is not intercepting crash events. +5. Wait 48 hours for activity to appear in the reports. +6. If you need additional troubleshooting, contact Microsoft Support. 
- $endPoints | %{ Test-NetConnection -ComputerName $_ -Port 443 -ErrorAction Continue } | Select-Object -Property ComputerName,TcpTestSucceeded -} - -$scriptFullPath = Join-Path $env:ProgramData "TestAccessToMicrosoftEndpoints.ps1" -$outputFileFullPath = Join-Path $env:ProgramData "TestAccessToMicrosoftEndpoints_Output.txt" -$accessTest.ToString() > $scriptFullPath -$null > $outputFileFullPath -$taskAction = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-ExecutionPolicy Bypass -Command `"&{$scriptFullPath > $outputFileFullPath}`"" -$taskTrigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Addseconds(10) -$task = Register-ScheduledTask -User 'NT AUTHORITY\SYSTEM' -TaskName 'MicrosoftTelemetryAccessTest' -Trigger $taskTrigger -Action $taskAction -Force -Start-Sleep -Seconds 120 -Unregister-ScheduledTask -TaskName $task.TaskName -Confirm:$false -Get-Content $outputFileFullPath - -``` - -As in the other example, if this is successful, `TcpTestSucceeded` should return `True` for each of the endpoints. ### Upgrade Readiness shows many "Computers with outdated KB" If you see a large number of devices reported as shown in this screenshot of the Upgrade Readiness tile: 
@@ -162,12 +185,15 @@ Double-check that IE site discovery opt-in has been configured in the deployment Also, on Windows 10 devices remember that IE site discovery requires data diagnostics set to the Enhanced level. Finally, Upgrade Readiness only collects IE site discovery data on devices that are not yet upgraded to the target operating system version specified in the Upgrade Readiness Overview blade. This is because Upgrade Readiness targets upgrade planning (for devices not yet upgraded). +>[!NOTE] +> IE site discovery is disabled on devices running Windows 7 and Windows 8.1 that are in Switzerland and EU countries. + ### Device Names don't show up on Windows 10 devices -Starting with the build currently available in the Windows Insider Program, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). +Starting with Windows 10, version 1803, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). ### Disable Upgrade Readiness -If you want to stop using Upgrade Readiness and stop sending diagnostic data data to Microsoft, follow these steps: +If you want to stop using Upgrade Readiness and stop sending diagnostic data to Microsoft, follow these steps: 1. Unsubscribe from the Upgrade Readiness solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option. 
@@ -225,3 +251,6 @@ System Center Configuration Manager (SCCM) considers a device ready to upgrade i Currently, you can choose the criteria you wish to use: - To use the SCCM criteria, create the collection of devices ready to upgrade within the SCCM console (using the analytics connector). - To use the Upgrade Readiness criteria, export the list of ready-to-upgrade devices from the corresponding Upgrade Readiness report, and then build the SCCM collection from that spreadsheet. + +### How does Upgrade Readiness collect the inventory of devices and applications? +For details about this process and some tips, see [How does Upgrade Readiness in WA collects application inventory for your OMS workspace?](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/How-does-Upgrade-Readiness-in-WA-collects-application-inventory/ba-p/213586) on the Windows Analytics blog. \ No newline at end of file diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md index cec30d4e05..0cf9e39727 100644 --- a/windows/deployment/update/windows-analytics-get-started.md +++ b/windows/deployment/update/windows-analytics-get-started.md @@ -8,7 +8,8 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 03/08/2018 +ms.date: 08/01/2018 +ms.localizationpriority: medium --- # Enrolling devices in Windows Analytics 
@@ -44,33 +45,38 @@ To enable data sharing, configure your proxy sever to whitelist the following en | **Endpoint** | **Function** | |---------------------------------------------------------|-----------| -| `https://v10.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with the build of Windows 10 available in the Windows Insider Program| +| `https://v10.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with Windows 10, version 1803| | `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier | | `https://vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for operating systems older than Windows 10 | | `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft. | `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. | | `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. | | `https://oca.telemetry.microsoft.com` | Online Crash Analysis; required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. | +| `https://login.live.com` | Windows Error Reporting (WER); required by Device Health. **Note:** WER does *not* use login.live.com to access Microsoft Account consumer services such as Xbox Live. WER uses an anti-spoofing API at that address to enhance the integrity of error reports. | +| `https://www.msftncsi.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. | +| `https://www.msftconnecttest.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. 
| >[!NOTE] ->If you have SSL Inspection enabled on your proxy server, you might need to add the above URLs to your SSL inspection exclusion list to allow data to reach Microsoft endpoints. +>Proxy authentation and SSL inspections are frequent challenges for enterprises. See the following sections for configuration options. -### Configuring endpoint access with proxy servers +### Configuring endpoint access with SSL inspection +To ensure privacy and data integrity Windows checks for a Microsoft SSL certificate when communicating with the diagnostic data endpoints. Accordingly SSL interception and inspection is not possible. To use Windows Analytics services you should exclude the above endpoints from SSL inspection. + +### Configuring endpoint access with proxy server authentication If your organization uses proxy server authentication for outbound traffic, use one or more of the following approaches to ensure that the diagnostic data is not blocked by proxy authentication: -- **Best option:** Configure your proxy servers to **not** require proxy authentication for any traffic to the diagnostic data endpoints. In particular, disable SSL inspection. Windows checks for a Microsoft SSL certificate on the site, and this will be stripped and replaced if the proxy performs inspection. This is the most comprehensive solution and it works for all versions of Windows 10. -- **User proxy authentication:** Alternatively, you can configure devices on the user side. First, update the devices to Windows 10, version 1703 or later. Then, ensure that users of the devices have proxy permission to reach the diagnostic data endpoints. This requires that the devices have console users with proxy permissions, so you couldn't use this method with headless devices. +- **Best option: Bypass** Configure your proxy servers to **not** require proxy authentication for traffic to the diagnostic data endpoints. This is the most comprehensive solution and it works for all versions of Windows 10. 
+- **User proxy authentication:** Alternatively, you can configure devices to use the logged on user's context for proxy authentication. First, update the devices to Windows 10, version 1703 or later. Then, ensure that users of the devices have proxy permission to reach the diagnostic data endpoints. This requires that the devices have console users with proxy permissions, so you couldn't use this method with headless devices. - **Device proxy authentication:** Another option--the most complex--is as follows: First, configure a system level proxy server on the devices. Then, configure these devices to use machine-account-based outbound proxy authentication. Finally, configure proxy servers to allow the machine accounts access to the diagnostic data endpoints. - ## Deploy the compatibility update and related updates The compatibility update scans your devices and enables application usage tracking. If you don’t already have these updates installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager. | **Operating System** | **Updates** | |----------------------|-----------------------------------------------------------------------------| -| Windows 10 | Windows 10 includes the compatibility update, so you will automatically have the latest compatibility update so long as you continue to keep your Windows 10 devices up-to-date with cummulative updates.

                  Note: Windows 10 LTSB is not supported by Upgrade Readiness. See [Upgrade readiness requirements](../upgrade/upgrade-readiness-requirements.md) for more information. | +| Windows 10 | Windows 10 includes the compatibility update, so you will automatically have the latest compatibility update so long as you continue to keep your Windows 10 devices up-to-date with cummulative updates. | | Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)
                  Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed.
                  For more information about this update, see | | Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
                  Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed.
                  For more information about this update, see | @@ -88,6 +94,12 @@ If you are planning to enable IE Site Discovery in Upgrade Readiness, you will n |----------------------|-----------------------------------------------------------------------------| | [Review site discovery](../upgrade/upgrade-readiness-additional-insights.md#site-discovery) | [KB3080149](http://www.catalog.update.microsoft.com/Search.aspx?q=3080149)
                  Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices.
                  For more information about this update, see

                  Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. | +## Set diagnostic data levels + +You can set the diagnostic data level used by monitored devices either with the Update Readiness deployment script or by policy (by using Group Policy or Mobile Device Management). + +The basic functionality of Update Readiness will work at the Basic diagnostic data level, you won't get usage or health data for your updated devices without enabling the Enhanced level. This means you won't get information about health regressions on updated devices. So it is best to enable the Enhanced diagnostic data level, at least on devices running Windows 10, version 1709 (or later) where the Enhanced diagnostic data setting can be paired with "limited enhanced" data level (see [Windows 10 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields)). For more information, see [Windows Analytics and privacy](https://docs.microsoft.com/windows/deployment/update/windows-analytics-privacy). + ## Enroll a few pilot devices You can use the Upgrade Readiness deployment script to automate and verify your deployment. We always recommend manually running this script on a few representative devices to verify things are properly configured and the device can connect to the diagnostic data endpoints. Make sure to run the pilot version of the script, which will provide extra diagnostics. 
@@ -98,7 +110,7 @@ After data is sent from devices to Microsoft, it generally takes 48-56 hours for
 ## Deploy additional optional settings
-Certain of the Windows Analytics features have additional settings you can use.
+Certain Windows Analytics features have additional settings you can use.
 - **Update Compliance** is only compatible with Windows 10 desktop devices (workstations and laptops). To use the Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a partner antivirus application), and must have enabled cloud-delivered protection, as described in [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting) topic for help with ensuring that the configuration is correct.
@@ -137,7 +149,7 @@ These policies are under Microsoft\Windows\DataCollection:
 | CommercialId | In order for your devices to show up in Windows Analytics, they must be configured with your organization’s Commercial ID. |
 | AllowTelemetry (in Windows 10) | 1 (Basic), 2 (Enhanced) or 3 (Full) diagnostic data. Windows Analytics will work with basic diagnostic data, but more features are available when you use the Enhanced level (for example, Device Health requires Enhanced diagnostic data and Upgrade Readiness only collects app usage and site discovery data on Windows 10 devices with Enhanced diagnostic data). For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). |
 | LimitEnhancedDiagnosticDataWindowsAnalytics (in Windows 10) | Only applies when AllowTelemetry=2. Limits the Enhanced diagnostic data events sent to Microsoft to just those needed by Windows Analytics. For more information, see [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields).|
-| AllowDeviceNameInTelemetry (in Windows 10) | In the build currently available in the Windows Insider Program for Windows 10, a separate opt-in is required to enable devices to continue to send the device name. |
+| AllowDeviceNameInTelemetry (in Windows 10) | In Windows 10, version 1803, a separate opt-in is required to enable devices to continue to send the device name. |
 | CommercialDataOptIn (in Windows 7 and Windows 8) | 1 is required for Upgrade Readiness, which is the only solution that runs on Windows 7 or Windows 8. |
diff --git a/windows/deployment/update/windows-analytics-overview.md b/windows/deployment/update/windows-analytics-overview.md
index d500f271dd..3b7e53eaeb 100644
--- a/windows/deployment/update/windows-analytics-overview.md
+++ b/windows/deployment/update/windows-analytics-overview.md
@@ -8,6 +8,8 @@ ms.sitesec: library
 ms.date: 03/09/2018
 ms.pagetype: deploy
 author: jaimeo
+ms.author: jaimeo
+ms.localizationpriority: medium
 ---
 # Windows Analytics overview
diff --git a/windows/deployment/update/windows-analytics-privacy.md b/windows/deployment/update/windows-analytics-privacy.md
index 89e9d3bc49..49c1fc93cc 100644
--- a/windows/deployment/update/windows-analytics-privacy.md
+++ b/windows/deployment/update/windows-analytics-privacy.md
@@ -8,7 +8,8 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: jaimeo
 ms.author: jaimeo
-ms.date: 04/05/2018
+ms.date: 07/02/2018
+ms.localizationpriority: high
 ---
 # Windows Analytics and privacy
@@ -36,6 +37,7 @@ The data flow sequence is as follows:
 See these topics for additional background information about related privacy issues:
+- [Windows 10 and the GDPR for IT Decision Makers](https://docs.microsoft.com/windows/privacy/gdpr-it-guidance)
 - [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
 - [Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events, and Fields](https://go.microsoft.com/fwlink/?LinkID=822965) (link downloads a PDF file)
 - [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703)
@@ -43,7 +45,8 @@ See these topics for additional background information about related privacy iss
 - [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview)
 - [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31)
 - [Learn about security and privacy at Microsoft datacenters](http://www.microsoft.com/datacenters)
-- [Confidence in the trusted cloud](https://azure.microsoft.com/en-us/support/trust-center/)
+- [Confidence in the trusted cloud](https://azure.microsoft.com/support/trust-center/)
+- [Trust Center](https://www.microsoft.com/trustcenter)
 ### Can Windows Analytics be used without a direct client connection to the Microsoft Data Management Service?
 No, the entire service is powered by Windows diagnostic data, which requires that devices have this direct connectivity.
diff --git a/windows/deployment/update/windows-update-sources.md b/windows/deployment/update/windows-update-sources.md
index 2fd8f9c79a..b87b77d354 100644
--- a/windows/deployment/update/windows-update-sources.md
+++ b/windows/deployment/update/windows-update-sources.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl:
 ms.sitesec: library
 author: kaushika-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.author: jaimeo
 ms.date: 04/05/2018
 ---
diff --git a/windows/deployment/update/wufb-autoupdate.md b/windows/deployment/update/wufb-autoupdate.md
new file mode 100644
index 0000000000..d8cfc4631a
--- /dev/null
+++ b/windows/deployment/update/wufb-autoupdate.md
@@ -0,0 +1,34 @@
+---
+title: Setting up Automatic Update in Windows Update for Business (Windows 10)
+description: Learn how to get started using Windows Update for Business.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: lizap
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 06/20/2018
+---
+
+# Set up Automatic Update in Windows Update for Business with group policies
+
+>Applies to: Windows 10
+
+Use the Automatic Update group policies to manage the interaction between Windows Update and clients.
+
+Automatic Update governs the "behind the scenes" download and installation processes. It's important to keep in mind the device limitation in your environment as the download and install process can consume processing power. The below section outlines the ideal configuration for devices with the least amount of user experience degradation.
+
+|Policy|Description |
+|-|-|
+|Configure Automatic Updates|Governs the installation activity that happens in the background. This allows you to configure the installation to happen during the [maintenance window](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). Also, you can specify an installation time where the device will also try to install the latest packages. You can also pick a certain day and or week.|
+|Automatic Update Detection Frequency|Lets you set the scan frequency the device will use to connect to Windows Update to see if there is any available content. Default is 22 hours, but you can increase or decrease the frequency. Keep in mind a desktop computer may need to scan less frequently than laptops, which can have intermittent internet connection.|
+|Specify Intranet Microsoft Update Service Location|Used for Windows Server Update Services or System Center Configuration Manager users who want to install custom packages that are not offered through Windows Update.|
+|Do not connect to any Windows Update Internet locations
                  Required for Dual Scan|Prevents access to Windows Update.| + +## Suggested configuration + +|Policy|Location|Suggested configuration| +|-|-|-| +|Configure Automatic Updates| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates| **Attention**: If you are using this policy, don't set it/configure it to get the default behavior. If you have set this policy, delete the reg key. This ensures the device uses the default behavior. Note that this is not the same as the default setting within the policy.

                  **Default behavior**: Download and installation happen automatically. The device will then be in a pending reboot state.

                  **Pro tip**: You can configure the scan frequency to be more frequent with the policy below.| +|Automatic Update Detection Frequency|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Automatic Updates detection frequency|State: Enabled
                  **Check for updates on the following interval (hours)**: 22| +|Do not connect to any Windows Update Internet locations (Required for Dual Scan) | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not connect to any Windows Update Internet locations |State: Disabled | diff --git a/windows/deployment/update/wufb-basics.md b/windows/deployment/update/wufb-basics.md new file mode 100644 index 0000000000..899a052c51 --- /dev/null +++ b/windows/deployment/update/wufb-basics.md 
@@ -0,0 +1,26 @@
+---
+title: Configure the Basic group policy for Windows Update for Business
+description: Learn how to get started using the Basic GPO in Windows Update for Business.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: lizap
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 06/20/2018
+---
+# Configure the Basic group policy for Windows Update for Business
+
+For Windows Update for Business configurations to work, devices need to be configured with minimum [diagnostic data](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization) level of "Basic." Additionally, compliance reporting for configured devices is obtained using [Update Compliance in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). To view your data in Update Compliance [diagnostics data must be enabled](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#set-diagnostic-data-levels) and the devices must be configured with a commercial ID, a unique GUID created for an enterprise at the time of onboarding to the Windows Analytics solution.
+
+|Policy name|Description |
+|-|-|
+|Allow Telemetry|Enables Microsoft to run diagnostics on your device and troubleshoot.|
+|Configure Commercial ID|This policy allows you to join the device to an entity.|
+
+## Suggested configuration
+
+|Policy|Location|Suggested configuration|
+|-|-|-|
+|Allow Telemetry |GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry |State: Enabled
                  **Option**: 1-Basic| +|Configure Commercial ID|GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Commercial ID |State: Enabled
                  **Commercial ID**: The GUID created for you at the time of onboarding to Windows Analytics| \ No newline at end of file diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md new file mode 100644 index 0000000000..833ec9e014 --- /dev/null +++ b/windows/deployment/update/wufb-compliancedeadlines.md 
@@ -0,0 +1,97 @@ +--- +title: Enforce compliance deadlines with policies in Windows Update for Business (Windows 10) +description: Learn how to enforce compliance deadlines using Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: lizap +ms.localizationpriority: medium +ms.author: elizapo +ms.date: 06/20/2018 +--- +# Enforcing compliance deadlines for updates + +>Applies to: Windows 10 + +Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce patch compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer revisions. We offer two compliance flows that you can choose from: + +- [Deadline only](#deadline-only) +- [Deadline with user engagement](#deadline-with-user-engagement) + +## Deadline Only + +This flow only enforces the deadline where the device will attempt to silently restart outside of active hours before the deadline is reached. Once the deadline is reached the user is prompted with either a confirmation button or a restart now option. + +### End User Experience + +Once the device is in the pending restart state, it will attempt to restart the device during non-active hours. This is known as the auto-restart period, and by default it does not require user interaction to reboot the device. + +>[!NOTE] +>Deadlines are enforced from pending restart state (for example, when the device has completed the installation and download from Windows Update). + +### Policy overview + +|Policy|Description | +|-|-| +|Specify deadline before auto-restart for update installation|Governs the update experience once the device has entered pending reboot state. 
It specifies a deadline, in days, to enforce compliance (such as imminent install).| +|Configure Auto-restart warning notification schedule for updates|Configures the reminder notification and the warning notification for a scheduled install. The user can dismiss a reminder, but not the warning.| + +### Suggested Configuration + +|Policy|Location|3 Day Compliance|5 Day Compliance|7 Day Compliance | +|-|-|-|-|-| +|Specify deadline before auto-restart for update installation| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadline before auto-restart for update installation |State: Enabled
                  **Specify the number of days before pending restart will automatically be executed outside of active hours**: 2|State: Enabled
                  **Specify the number of days before pending restart will automatically be executed outside of active hours**: 3|State: Enabled
                  **Specify the number of days before pending restart will automatically be executed outside of active hours**: 4 + +### Controlling notification experience for deadline + +|Policy| Location|Suggested Configuration | +|-|-|-| +|Configure Auto-restart warning notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure auto-restart warning notifications schedule for updates |State: Enabled
                  **Reminder** (hours): 2
                  **Warning** (minutes): 60 | + +### Notification experience for deadline + +Notification users get for a quality update deadline: +![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png) + +Notification users get for a feature update deadline: +![The notification users get for an impending feature update deadline](images/wufb-feature-notification.png) + +## Deadline with user engagement + +This flow provides the end user with prompts to select a time to restart the device before the deadline is reached. If the device is unable to restart at the time specified by the user or the time selected is outside the deadline, the device will restart the next time it is active. + +### End user experience + +Before the deadline the device will be in two states: auto-restart period and engaged-restart period. During the auto-restart period the device will silently try to restart outside of active hours. If the device can't find an idle moment to restart, then the device will go into engaged-restart. The end user, at this point, can select a time that they would like the device to try to restart. Both phases happen before the deadline; once that deadline has passed then the device will restart at the next available time. + +### Policy overview + +|Policy| Description | +|-|-| +|Specify engaged restart transition and notification schedule for updates|Governs how the user will be impacted by the pending reboot. Transition days, first starts out in Auto-Restart where the device will find an idle moment to reboot the device. After 2 days engaged restart will commence and the user will be able to choose a time| +|Configure Auto-restart required notification for updates|Governs the notifications during the Auto-Restart period. During Active hours, the user will be notified that the device is trying to reboot. 
They will have the option to confirm or dismiss the notification| + +### Suggested configuration + +|Policy| Location| 3 Day Compliance| 5 Day Compliance| 7 Day Compliance | +|-|-|-|-|-| +|Specify engaged restart transition and notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Engaged restart transition and notification schedule for updates|State: Enabled
                  **Transition** (Days): 2
                  **Snooze** (Days): 2
                  **Deadline** (Days): 3|State: Enabled
                  **Transition** (Days): 2
                  **Snooze** (Days): 2
                  **Deadline** (Days): 4|State: Enabled
                  **Transition** (Days): 2
                  **Snooze** (Days): 2
                  **Deadline** (Days): 5| + +### Controlling notification experience for engaged deadline + +|Policy| Location |Suggested Configuration +|-|-|-| +|Configure Auto-restart required notification for updates |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Auto-restart required notification for updates|State: Enabled
                  **Method**: 2- User| + +### Notification experience for engaged deadlines +Notification users get for quality update engaged deadline: +![The notification users get for an impending engaged quality update deadline](images/wufb-quality-engaged-notification.png) + +Notification users get for a quality update deadline: +![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png) + +Notification users get for a feature update engaged deadline: +![The notification users get for an impending feature update engaged deadline](images/wufb-feature-update-engaged-notification.png) + +Notification users get for a feature update deadline: +![The notification users get for an impending feature update deadline](images/wufb-feature-update-deadline-notification.png) diff --git a/windows/deployment/update/wufb-managedrivers.md b/windows/deployment/update/wufb-managedrivers.md new file mode 100644 index 0000000000..5580d134d5 --- /dev/null +++ b/windows/deployment/update/wufb-managedrivers.md 
@@ -0,0 +1,65 @@ +--- +title: Managing drivers, dual-managed environments, and Delivery Optimization with group policies in Windows Update for Business +description: Learn how to manage drivers, dual managed environments, and bandwidth (Delivery Optimization) with GPOs in Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: lizap +ms.localizationpriority: medium +ms.author: elizapo +ms.date: 06/21/2018 +--- +# Managing drivers, dual-managed environments, and Delivery Optimization with group policies + +>Applies to: Windows 10 + +Use the following group policy information to manage drivers, to manage environments using both Windows Update for Business and Windows Server Update Services, and to manage the bandwidth required for updates with Delivery Optimization. + +## Managing drivers +Windows Update for Business provides the ability to manage drivers from the Windows Update service. By default, drivers will be offered to your Windows Update-connected devices. Our guidance here is to continue to receive drivers from Windows Update. Alternatively, you can enable the following policy to stop receiving drivers from Windows Update. + +### Policy overview + +|Policy| Description | +|-|-| +|Do not include drivers with Windows Update |When enabled prevents Windows Update from offering drivers.| + +### Suggested configuration + +|Policy| Location|Suggested configuration | +|-|-|-| +|Do not include drivers with Windows Update |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates|State: Disabled | + +## Dual-managed environment + +You can use an on-premises catalog, like WSUS, to deploy 3rd Party patches and use Windows Update to deploy feature and quality updates. We provide capabilities to deploy content from both Windows Update Service and from WSUS. 
In addition to the policies for managing drivers, apply the following configurations to your environment. + +|Policy| Description | +|-|-| +|Specify Intranet Microsoft Update Service Location| Used for WSUS/System Center Configuration Manager customers who want to install custom packages that are not offered through Windows Update.| + +### Suggested configuration + +|Policy| Location|Suggested configuration | +|-|-|-| +|Specify Intranet Microsoft Update Service Location|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Intranet Microsoft update service location|State: Enabled
                  **Set the Intranet Update service for detecting updates**:
                  **Set the Intranet statistics server**:
                  **Set the alternate download server**: | + +## Download Optimization - Managing your bandwidth + +[Delivery Optimization](waas-delivery-optimization.md) is Windows 10's built-in downloader and peer-caching technology that can benefit CSE for network bandwidth reduction of Windows 10 servicing updates. Windows 10 clients can source content from other devices on their local network that have already downloaded the same updates in addition to downloading these updates from Microsoft. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests. To configure devices for delivery optimization, ensure the following configurations are set. + +|Policy| Description | +|-|-| +|Download Mode| 2=HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2| +|Minimum Peer Caching Content File Size (in MB)|Specifies the minimum content file size in MB enabled to use peer caching.
                  Choose a size that meets your environment's constraints.| +|Allow uploads while the device is on battery while under set battery level (percentage)|Specify a battery level from 1-100, where the device will pause uploads once the battery level drops below that percentage. | +|Max Cache Age (in seconds)|Maximum number of seconds to keep data in cache.| + +### Suggested configuration + +|Policy| Location| Suggested configuration | +|-|-|-| +|Download Mode|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Download Mode|State: Enabled
                  **Download Mode**: Group (2)| +|Minimum Peer Caching Content File Size (in MB)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Minimum Peer Caching Content File Size (in MB)|State: Enabled
                  **Minimum Peer caching content file size (in MB)**: 10 MB| +|Allow uploads while the device is on battery while under set battery level (percentage)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Allow uploads while the device is on battery while under set battery level (percentage)|State: Enabled
                  **Minimum battery level (Percentage)**: 60| +|Max Cache Age (in seconds)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Max Cache Age (in seconds)|State: Enabled
                  **Max Cache Age (in seconds)**: 604800 ~ 7 days| \ No newline at end of file diff --git a/windows/deployment/update/wufb-manageupdate.md b/windows/deployment/update/wufb-manageupdate.md new file mode 100644 index 0000000000..648f63e398 --- /dev/null +++ b/windows/deployment/update/wufb-manageupdate.md 
@@ -0,0 +1,54 @@ +--- +title: Managing feature and quality updates with policies in Windows Update for Business (Windows 10) +description: Learn how to get started using Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: lizap +ms.localizationpriority: medium +ms.author: elizapo +ms.date: 06/20/2018 +--- + +# Manage feature and quality updates with group policies + +>Applies to: Windows 10 + +Windows Update for Business allows users to control when devices should receive a feature or quality update from Windows Update. Depending on the size of your organization you may want to do a wave deployment of updates. The first step in this process is to determine which Branch Readiness Level you want your organization on. For more information on which level is right for your organization review [Overview of Windows as a service](waas-overview.md). + +The following policies let you configure when you want a device to see a feature and or quality update from Windows Update. + +## Policy overview +|Policy name| Description | +|-|-| +|Select when Quality Updates are received|Configures when the device should receive quality update. In this policy you can also select a date to pause receiving Quality Updates until. | +|Select when Preview Builds & feature Updates are received|Configures when the device should receive a feature update. You can also configure your branch readiness level. This policy also provides the ability to "pause" updates until a certain point. 
| +|Do not allow update deferral policies to cause scans against Windows Update|When enabled will not allow the deferral policies to cause scans against Windows Update.| + +## Suggested configuration for a non-wave deployment + +If you don't need a wave deployment and have a small set of devices to manage, we recommend the following configuration: +|Policy| Location|Suggested configuration | +|-|-|-| +|Select when Quality Updates are received | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled
                  **Defer receiving it for this many days**: 0
                  **Pause Quality Updates**: Blank
                  *Note: use this functionality to prevent the device from receiving a quality update until the time passes| +|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
                  **Select Windows Readiness Level**: SAC
                  **Defer receiving for this many days**: 0-365
                  **Pause Feature Updates**: Blank
                  *Note: use this functionality to prevent the device from receiving a feature update until the time passes| +|Do not allow update deferral policies to cause scans against Windows Update|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not allow update deferral policies to cause scans against Windows Update|State: Disabled| + +## Suggested configuration for a wave deployment +![Graphic showing a deployment divided into rings for a wave deployment](images/wufb-wave-deployment.png) + +## Early validation and testing +Depending on your organizational size and requirements you might be able to test feature updates earlier to identify if there are impacts to Line of Business applications. Our recommendation is to enroll a set of devices that are a good representation of your device ecosystem (for example, devices with accounting software or engineering software). Learn more about [different deployment rings](https://insider.windows.com/how-to-pc/#working-with-rings). + +|Policy|Location|Suggested configuration | +|-|-|-| +|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
                  **Select Windows Readiness Level**: WIP Fast or WIP slow
                  **Defer receiving for this many days**: 0
                  **Pause Feature Updates**: Blank *Note: use this functionality to prevent the device from receiving a feature update until the time passes.| +|Select when Quality Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled
                  **Defer receiving it for this many days**: 0
                  **Pause Quality Updates**: Blank
                  *Note: use this functionality to prevent the device from receiving a quality update until the time passes| + +## Wave deployment for feature updates + +If you want to deploy feature updates in waves we suggest using the following configuration. For the deferral days we recommend staging them out in 1-month increments. Manage your risk by placing critical devices later in the wave (deferrals > 30 or 60 days) while placing your low risk devices earlier in the wave (deferrals < 30 days). Using deferrals days is a great method to manage your wave deployment. Using this in combination with our suggested early validation will help you prepare your environment for the latest updates from Windows. + +|Policy|Location|Suggested configuration | +|-|-|-| +|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
                  **Select Windows Readiness Level**: SAC
                  **Defer receiving for this many days**: 0, 30, 60, 90, 120
                  **Pause Feature Updates**: Blank
                  *Note: use this functionality to prevent the device from receiving a feature update until the time passes diff --git a/windows/deployment/update/wufb-onboard.md b/windows/deployment/update/wufb-onboard.md new file mode 100644 index 0000000000..dac150819b --- /dev/null +++ b/windows/deployment/update/wufb-onboard.md 
@@ -0,0 +1,45 @@
+---
+title: Onboarding to Windows Update for Business (Windows 10)
+description: Learn how to get started using Windows Update for Business.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: lizap
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 06/20/2018
+---
+
+# Onboarding to Windows Update for Business in Windows 10
+
+>Applies to: Windows 10
+
+Windows Update for Business is a tool that enables IT pros and power users to manage content they want to receive from Windows Update Service (WU). Windows Update for Business can control the following:
+
+- Interaction between the client and Windows Update service (AU Options)
+- End user notification for pending updates
+- Compliance deadlines for feature or quality updates
+- Configure wave deployment for feature or quality updates bandwidth optimization (DO)
+
+We also provide additional functionality to manage your environment when risk or issues arise such as a LOB application being blocked:
+
+- Uninstall latest feature or quality update
+- Pause for a duration of time
+
+Use the following information to set up your environment using Windows Update for Business policies:
+
+- [Supported SKUs](#supported_skus)
+- [Windows Update for Business basics](wufb-basics.md)
+- [Setting up automatic update](wufb-autoupdate.md)
+- [Managing feature and quality updates](wufb-manageupdate.md)
+- [Enforcing compliance deadlines](wufb-compliancedeadlines.md)
+- [Managing drivers, environments with both Windows Update for Business and WSUS, and Download Optmization](wufb-managedrivers.md)
+
+## Supported SKUs
+
+Windows Update for Business is supported on the following versions of Windows 10:
+
+- Windows 10 Education
+- Windows 10 Enterprise
+- Windows 10 Pro
+- Windows 10 S (for Windows 10, version 1709 and earlier)
diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md
index 72d23e920b..6f11599931 100644
--- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.date: 03/30/2018 -ms.localizationpriority: high +ms.localizationpriority: medium --- # Log files diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md index 97d6d61817..d95d114e32 100644 --- a/windows/deployment/upgrade/quick-fixes.md +++ b/windows/deployment/upgrade/quick-fixes.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 04/18/2018 -ms.localizationpriority: high +ms.date: 05/03/2018 +ms.localizationpriority: medium --- # Quick fixes 
@@ -22,9 +22,9 @@ ms.localizationpriority: high The following list of fixes can resolve many Windows upgrade problems. You should try these steps before contacting Microsoft support, or attempting a more advanced analysis of a Windows upgrade failure. Also review information at [Windows 10 help](https://support.microsoft.com/en-us/products/windows?os=windows-10). -The Microsoft Virtual Agent provided by [Microsoft Support](https://support.microsoft.com/contactus/) can help you to analyze and correct some Windows upgrade errors. To talk to a person about your issue, start the Virtual Agent (click **Get started**) and enter "Talk to a person" two times. +The Microsoft Virtual Agent provided by [Microsoft Support](https://support.microsoft.com/contactus/) can help you to analyze and correct some Windows upgrade errors. **To talk to a person about your issue**, start the Virtual Agent (click **Get started**) and enter "Talk to a person" two times. -You might also wish to try a new tool available from Microsoft that helps to diagnose many Windows upgrade errors. For more information and to download this tool, see [SetupDiag](setupdiag.md). The topic is more advanced (300 level) because several advanced options are available for using the tool. However, you can also just download the tool and run it with no advanced options. You must understand how to download and then run the program from an [elevated command prompt](#open-an-elevated-command-prompt). +>You might also wish to try a new tool available from Microsoft that helps to diagnose many Windows upgrade errors. For more information and to download this tool, see [SetupDiag](setupdiag.md). The topic is more advanced (300 level) because several advanced options are available for using the tool. However, you can now just download and then double-click the tool to run it. By default when you click Save, the tool is saved in your **Downloads** folder. 
Double-click the tool in the folder and wait until it finishes running (it might take a few minutes), then double-click the **SetupDiagResults.log** file and open it using Notepad to see the results of the analysis. ## List of fixes @@ -217,6 +217,8 @@ When you run Disk Cleanup and enable the option to Clean up system files, you ca ### Open an elevated command prompt +>It is no longer necessary to open an elevated command prompt to run the [SetupDiag](setupdiag.md) tool. However, this is still the optimal way to run the tool. + To launch an elevated command prompt, press the Windows key on your keyboard, type **cmd**, press Ctrl+Shift+Enter, and then Alt+C to confirm the elevation prompt. Screenshots and other steps to open an administrator (aka elevated) command prompt are [here](https://answers.microsoft.com/en-us/windows/forum/windows_7-security/command-prompt-admin-windows-7/6a188166-5e23-461f-b468-f325688ec8c7). Note: When you open an elevated command prompt, you will usually start in the **C:\WINDOWS\system32** directory. To run a program that you recently downloaded, you must change to the directory where the program is located. Alternatively, you can move or copy the program to a location on the computer that is automatically searched. These directories are listed in the [PATH variable](https://answers.microsoft.com/en-us/windows/forum/windows_10-other_settings-winpc/adding-path-variable/97300613-20cb-4d85-8d0e-cc9d3549ba23). diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index ae8d50adda..18ed0fbef3 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.date: 03/30/2018 -ms.localizationpriority: high +ms.localizationpriority: medium --- # Resolution procedures 
@@ -675,6 +675,84 @@ Alternatively, re-create installation media the [Media Creation Tool](https://ww

                  Select Servicing Options: CB or CBB

                  Not available. To defer updates, all systems must be on the Current Branch for Business (CBB)

                  Ability to set systems on the Current Branch (CB) or Current Branch for Business (CBB).

                  Select servicing options: CB or CBB

                  Not available. To defer updates, all systems must be on the Current Branch for Business (CBB)

                  Ability to set systems on the Current Branch (CB) or Current Branch for Business (CBB).

                  Quality Updates

                  Able to defer receiving Quality Updates:

                  • Up to 4 weeks
                  • In weekly increments

                  Able to defer receiving Quality Updates:

                  • Up to 30 days
                  • In daily increments

                  Feature Updates

                  Able to defer receiving Feature Updates:

                  • Up to 8 months
                  • In monthly increments

                  Able to defer receiving Feature Updates:

                  • Up to 180 days
                  • In daily increments

                  Pause updates

                  • Feature Updates and Quality Updates paused together
                  • Maximum of 35 days

                  Features and Quality Updates can be paused separately.

                  • Feature Updates: maximum 60 days
                  • Quality Updates: maximum 35 days
                  +## Modern setup errors + +Also see the following sequential list of modern setup (mosetup) error codes with a brief description of the cause. + +| Result code | Message | Description | +| --- | --- | --- | +| 0XC1900100 | MOSETUP_E_VERSION_MISMATCH | An unexpected version of Setup Platform binaries was encountered. Please verify the package contents. | +| 0XC1900101 | MOSETUP_E_SETUP_PLATFORM | The Setup Platform has encountered an unspecified error. | +| 0XC1900102 | MOSETUP_E_SHUTDOWN_BLOCK | Unable to create or destroy the shutdown block message. | +| 0XC1900103 | MOSETUP_E_COMPAT_TIMEOUT | The compatibility issues were not resolved within the required time limit. | +| 0XC1900104 | MOSETUP_E_PROCESS_TIMEOUT | The installation process did not complete within the required time limit. | +| 0XC1900105 | MOSETUP_E_TEST_MODE | The installation process is being used in a test environment. | +| 0XC1900106 | MOSETUP_E_TERMINATE_PROCESS | The installation process was terminated. | +| 0XC1900107 | MOSETUP_E_CLEANUP_PENDING | A cleanup operation from a previous installation attempt is still pending. A system reboot is required. | +| 0XC1900108 | MOSETUP_E_REPORTING | An error has occured and the result value must be consolidated for telemetry purposes. | +| 0XC1900109 | MOSETUP_E_COMPAT_TERMINATE | The installation process was terminated during the actionable compatibility phase. | +| 0XC190010a | MOSETUP_E_UNKNOWN_CMD_LINE | The installation process was launched with an unknown command line argument. | +| 0XC190010b | MOSETUP_E_INSTALL_IMAGE_NOT_FOUND | The installation image was not found. | +| 0XC190010c | MOSETUP_E_AUTOMATION_INVALID | The provided automation information was invalid. | +| 0XC190010d | MOSETUP_E_INVALID_CMD_LINE | The installation process was launched with an invalid command line argument. | +| 0XC190010e | MOSETUP_E_EULA_ACCEPT_REQUIRED | The installation process requires that the user accept the license agreement. 
| +| 0XC1900110 | MOSETUP_E_EULA_CANCEL | The user has chosen to cancel for license agreement. | +| 0XC1900111 | MOSETUP_E_ADVERTISE_CANCEL | The user has chosen to cancel for advertisement. | +| 0XC1900112 | MOSETUP_E_TARGET_DRIVE_NOT_FOUND | Could not find a target drive letter. | +| 0XC1900113 | MOSETUP_E_EULA_DECLINED | The user has declined the license terms. | +| 0XC190011e | MOSETUP_E_FLIGHTING_BVT | The installation process has been halted for testing purposes. | +| 0XC190011f | MOSETUP_E_PROCESS_CRASHED | The installation process crashed. | +| 0XC1900120 | MOSETUP_E_EULA_TIMEOUT | The user has not accepted Eula within the required time limit. | +| 0XC1900121 | MOSETUP_E_ADVERTISE_TIMEOUT | The user has not accepted Advertisement within the required time limit. | +| 0XC1900122 | MOSETUP_E_DOWNLOADDISKSPACE_TIMEOUT | The download diskspace issues were not resolved within the required time limit. | +| 0XC1900123 | MOSETUP_E_INSTALLDISKSPACE_TIMEOUT | The install diskspace issues were not resolved within the required time limit. | +| 0XC1900124 | MOSETUP_E_COMPAT_SYSREQ_TIMEOUT | The minimum requirements compatibility issues were not resolved within the required time limit. | +| 0XC1900125 | MOSETUP_E_COMPAT_DOWNLOADREQ_TIMEOUT | The compatibility issues for download were not resolved within the required time limit. | +| 0XC1900126 | MOSETUP_E_GATHER_OS_STATE_SIGNATURE | The GatherOsState executable has invalid signature. | +| 0XC1900127 | MOSETUP_E_UNINSTALL_ALLOWED_ABORT | The user has chosen to abort Setup to keep Uninstall option active. | +| 0XC1900128 | MOSETUP_E_MISSING_TASK | The install cannot continue because a required task is missing. | +| 0XC1900129 | MOSETUP_E_UPDATEMEDIA_REQUESTED | A more up-to-date version of setup will be launched to continue installation +| 0XC190012f | MOSETUP_E_FINALIZE_ALREADY_REQUESTED | The install cannot continue because a finalize operation was already requested. 
| +| 0XC1900130 | MOSETUP_E_INSTALL_HASH_MISSING | The install cannot continue because the instance hash was not found. | +| 0XC1900131 | MOSETUP_E_INSTALL_HASH_MISMATCH | The install cannot continue because the instance hash does not match. | +| 0XC19001df | MOSETUP_E_DISK_FULL | The install cannot continue because the system is out of disk space. | +| 0XC19001e0 | MOSETUP_E_GATHER_OS_STATE_FAILED | The GatherOsState executable has failed to execute. | +| 0XC19001e1 | MOSETUP_E_PROCESS_SUSPENDED | The installation process was suspended. | +| 0XC19001e2 | MOSETUP_E_PREINSTALL_SCRIPT_FAILED | A preinstall script failed to execute or returned an error. | +| 0XC19001e3 | MOSETUP_E_PRECOMMIT_SCRIPT_FAILED | A precommit script failed to execute or returned an error. | +| 0XC19001e4 | MOSETUP_E_FAILURE_SCRIPT_FAILED | A failure script failed to execute or returned an error. | +| 0XC19001e5 | MOSETUP_E_SCRIPT_TIMEOUT | A script exceeded the timeout limit. | +| 0XC1900200 | MOSETUP_E_COMPAT_SYSREQ_BLOCK | The system does not pass the minimum requirements to install the update. | +| 0XC1900201 | MOSETUP_E_COMPAT_SYSREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to install the update. | +| 0XC1900202 | MOSETUP_E_COMPAT_DOWNLOADREQ_BLOCK | The system does not pass the minimum requirements to download the update. | +| 0XC1900203 | MOSETUP_E_COMPAT_DOWNLOADREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to download the update. | +| 0XC1900204 | MOSETUP_E_COMPAT_MIGCHOICE_BLOCK | The system does not pass the requirements for desired migration choice. | +| 0XC1900205 | MOSETUP_E_COMPAT_MIGCHOICE_CANCEL | The user has chosen to cancel because the system does not pass the requirements for desired migration choice. | +| 0XC1900206 | MOSETUP_E_COMPAT_DEVICEREQ_BLOCK | The system does not pass the device scan to install the update. 
| +| 0XC1900207 | MOSETUP_E_COMPAT_DEVICEREQ_CANCEL | The user has chosen to cancel because the system does not pass the device scan to install the update. | +| 0XC1900208 | MOSETUP_E_COMPAT_INSTALLREQ_BLOCK | The system does not pass the compat scan to install the update. | +| 0XC1900209 | MOSETUP_E_COMPAT_INSTALLREQ_CANCEL | The user has chosen to cancel because the system does not pass the compat scan to install the update. | +| 0XC190020a | MOSETUP_E_COMPAT_RECOVERYREQ_BLOCK | The system does not pass the minimum requirements to recover Windows. | +| 0XC190020b | MOSETUP_E_COMPAT_RECOVERYREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to recover Windows. | +| 0XC190020c | MOSETUP_E_DOWNLOADDISKSPACE_BLOCK | The system does not pass the diskspace requirements to download the payload. | +| 0XC190020d | MOSETUP_E_DOWNLOADDISKSPACE_CANCEL | The user has chosen to cancel as the device does not have enough disk space to download. | +| 0XC190020e | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The system does not pass the diskspace requirements to install the payload. | +| 0XC190020f | MOSETUP_E_INSTALLDISKSPACE_CANCEL | The user has chosen to cancel as the device does not have enough disk space to install. | +| 0XC1900210 | MOSETUP_E_COMPAT_SCANONLY | The user has used the setup.exe command line to do scanonly, not to install the OS. | +| 0XC1900211 | MOSETUP_E_DOWNLOAD_UNPACK_DISKSPACE_BLOCK | The system does not pass the disk space requirements to download and unpack media. | +| 0XC1900212 | MOSETUP_E_DOWNLOAD_UNPACK_DISKSPACE_MULTIARCH_BLOCK | The system does not pass the disk space requirements to download and unpack multi-architecture media. | +| 0XC1900213 | MOSETUP_E_NO_OFFER_FOUND | There was no offer found that matches the required criteria. | +| 0XC1900214 | MOSETUP_E_UNSUPPORTED_VERSION | This version of the tool is not supported. 
| +| 0XC1900215 | MOSETUP_E_NO_MATCHING_INSTALL_IMAGE | Could not find an install image for this system. | +| 0XC1900216 | MOSETUP_E_ROLLBACK_PENDING | Found pending OS rollback operation. | +| 0XC1900220 | MOSETUP_E_COMPAT_REPORT_NOT_DISPLAYED | The compatibility report cannot be displayed due to a missing system component. | +| 0XC1900400 | MOSETUP_E_UA_VERSION_MISMATCH | An unexpected version of Update Agent client was encountered. | +| 0XC1900401 | MOSETUP_E_UA_NO_PACKAGES_TO_DOWNLOAD | No packages to be downloaded. | +| 0XC1900402 | MOSETUP_E_UA_UPDATE_CANNOT_BE_MERGED | No packages to be downloaded. | +| 0XC1900403 | MOSETUP_E_UA_CORRUPT_PAYLOAD_FILES | Payload files were corrupt. | +| 0XC1900404 | MOSETUP_E_UA_BOX_NOT_FOUND | The installation executable was not found. | +| 0XC1900405 | MOSETUP_E_UA_BOX_CRASHED | The installation process terminated unexpectedly. | + ## Related topics [Windows 10 FAQ for IT professionals](https://technet.microsoft.com/en-us/windows/dn798755.aspx) diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md index 8c1c9c5f20..845d32e0ab 100644 --- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md +++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.date: 04/18/2018 -ms.localizationpriority: high +ms.localizationpriority: medium --- # Resolve Windows 10 upgrade errors : Technical information for IT Pros diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index 32859c06fe..7292a10a18 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 04/11/2018 -ms.localizationpriority: high +ms.date: 07/18/2018 +ms.localizationpriority: medium --- # SetupDiag 
@@ -18,13 +18,33 @@ ms.localizationpriority: high >[!NOTE] >This is a 300 level topic (moderate advanced).
                  ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. +>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
                  -[SetupDiag.exe](https://go.microsoft.com/fwlink/?linkid=870142) is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. + [![Download SetupDiag](../images/download.png)](https://go.microsoft.com/fwlink/?linkid=870142) + +## About SetupDiag + +Current version of SetupDiag: 1.3.1.0 + +SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. SetupDiag works by examining Windows Setup log files. It attempts to parse these log files to determine the root cause of a failure to update or upgrade the computer to Windows 10. SetupDiag can be run on the computer that failed to update, or you can export logs from the computer to another location and run SetupDiag in offline mode. -See the [Release notes](#release-notes) section at the bottom of this topic for information about updates to this tool. +To quickly use SetupDiag on your current computer: +1. Verify that your system meets the [requirements](#requirements) described below. If needed, install the [.NET framework 4.6](https://www.microsoft.com/download/details.aspx?id=48137). +2. [Download SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142). +3. If your web browser asks what to do with the file, choose **Save**. By default, the file will be saved to your **Downloads** folder. You can also save it to a different location if desired by using **Save As**. +4. When SetupDiag has finished downloading, open the folder where you downloaded the file. As mentioned above, by default this is your **Downloads** folder which is displayed in File Explorer under **Quick access** in the left navigation pane. +5. Double-click the **SetupDiag** file to run it. Click **Yes** if you are asked to approve running the program. + - Double-clicking the file to run it will automatically close the command window when SetupDiag has completed its analysis. 
If you wish to keep this window open instead, and review the messages that you see, run the program by typing **SetupDiag** at the command prompt instead of double-clicking it. You will need to change directories to the location of SetupDiag to run it this way. +6. A command window will open while SetupDiag diagnoses your computer. Wait for this to finish. +7. When SetupDiag finishes, two files will be created in the same folder where you double-clicked SetupDiag. One is a configuration file, the other is a log file. +8. Use Notepad to open the log file: **SetupDiagResults.log**. +9. Review the information that is displayed. If a rule was matched this can tell you why the computer failed to upgrade, and potentially how to fix the problem. See the [Text log sample](#text-log-sample) below. + +For instructions on how to run the tool in offline more and with more advanced options, see the [Parameters](#parameters) and [Examples](#examples) sections below. + +The [Release notes](#release-notes) section at the bottom of this topic has information about recent updates to this tool. ## Requirements @@ -43,8 +63,9 @@ See the [Release notes](#release-notes) section at the bottom of this topic for | /Output:\ |
                  • This optional parameter enables you to specify the output file for results. This is where you will find what SetupDiag was able to determine. Only text format output is supported. UNC paths will work, provided the context under which SetupDiag runs has access to the UNC path. If the path has a space in it, you must enclose the entire path in double quotes (see the example section below).
                  • Default: If not specified, SetupDiag will create the file **SetupDiagResults.log** in the same directory where SetupDiag.exe is run.
                  | | /Mode:\ |
                  • This optional parameter allows you to specify the mode in which SetupDiag will operate: Offline or Online.
                  • Offline: tells SetupDiag to run against a set of log files already captured from a failed system. In this mode you can run anywhere you have access to the log files. This mode does not require SetupDiag to be run on the computer that failed to update. When you specify offline mode, you must also specify the /LogsPath: parameter.
                  • Online: tells SetupDiag that it is being run on the computer that failed to update. SetupDiag will attempt find log files and resources in standard Windows locations, such as the **%SystemDrive%\$Windows.~bt** directory for setup log files.
                  • Log file search paths are configurable in the SetupDiag.exe.config file, under the SearchPath key. Search paths are comma separated. Note: A large number of search paths will extend the time required for SetupDiag to return results.
                  • Default: If not specified, SetupDiag will run in Online mode.
                  | | /LogsPath:\ |
                  • This optional parameter is required only when **/Mode:Offline** is specified. This tells SetupDiag.exe where to find the log files. These log files can be in a flat folder format, or containing multiple subdirectories. SetupDiag will recursively search all child directories. This parameter should be omitted when the **/Mode:Online** is specified.
                  | -| /ZipLogs:\ |
                  • This optional parameter tells SetupDiag.exe to create a zip file continuing its results and all the log files it parsed. The zip file is created in the same directory where SetupDiag.exe is run.
                  • Default: If not specified, a value of 'true' is used.
                  | +| /ZipLogs:\ |
                  • This optional parameter tells SetupDiag.exe to create a zip file containing the results and all the log files it parsed. The zip file is created in the same directory where SetupDiag.exe is run.
                  • Default: If not specified, a value of 'true' is used.
                  | | /Verbose |
                  • This optional parameter will output much more data to the log file produced by SetupDiag.exe. By default SetupDiag will only produce a log file entry for serious errors. Using **/Verbose** will cause SetupDiag to always produce a log file with debugging details, which can be useful when reporting a problem with SetupDiag.
                  | +| /Format:\ |
                  • This optional parameter can be used to output log files in xml or JSON format. If this parameter is not specified, text format is used by default.
                  | ### Examples: 
@@ -104,81 +125,157 @@ SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /Mode:Offline /LogsPath:D:\Dump ## Known issues 1. Some rules can take a long time to process if the log files involved are large. -2. SetupDiag only outputs data in a text format. If another format is desired, please provide this [feedback](#feedback). +2. SetupDiag only outputs data in a text format. 3. If the failing computer is opted into the Insider program and getting regular pre-release updates, or an update is already pending on the computer when SetupDiag is run, it can encounter problems trying to open these log files. This will likely cause a failure to determine a root cause. In this case, try gathering the log files and running SetupDiag in offline mode. ## Sample output -The following is an example where SetupDiag is run in offline mode. In this example, it is found that disk space is not sufficient to complete Windows Setup: +The following is an example where SetupDiag is run in offline mode. In this example, there is an application warning, but since setup is executed in /quiet mode so it becomes a block. Instructions to resolve the problem are provided by SetupDiag in the output. + +The output also provides an error code 0xC1900208 - 0x4000C which corresponds to a compatibility issue as documented in the [Upgrade error codes](upgrade-error-codes.md#result-codes) and [Resolution procedures](resolution-procedures.md#modern-setup-errors) topics in this article. ``` -C:\setupdiag>SetupDiag /Output:C:\setupdiag\results.log /Mode:Offline /LogsPath:C:\setupdiag\logfiles - - -SetupDiag v1.00 -Copyright (c) Microsoft Corporation. All rights reserved. +C:\SetupDiag>SetupDiag.exe /Output:C:\SetupDiag\Results.log /Mode:Offline /LogsPath:C:\Temp\BobMacNeill +SetupDiag v1.01 +Copyright (c) Microsoft Corporation. All rights reserved Searching for setup logs, this can take a minute or more depending on the number and size of the logs...please wait. - Found 1 setupact.logs. 
- Processing setupact.log 1 of 1 + Found 4 setupact.logs. + Processing setupact.log at: c:\temp\bobmacneill\$WINDOWS.~BT\Sources\Panther\setupact.log + Processing setupact.log at: c:\temp\bobmacneill\Panther\setupact.log + Processing setupact.log at: c:\temp\bobmacneill\Panther\NewOs\Panther\setupact.log + Processing setupact.log at: c:\temp\bobmacneill\Panther\UnattendGC\setupact.log +Found c:\temp\bobmacneill\$WINDOWS.~BT\Sources\Panther\setupact.log with update date 03/29/2018 23:13:58 and CV: H2X+YsWL/UOkj/8X to be the correct setup log. Gathering information from setup logs. SetupDiag: processing rule: CompatScanOnly. -...No match. - +..No match. SetupDiag: processing rule: BitLockerHardblock. -...No match. - +..No match. SetupDiag: processing rule: VHDHardblock. -...No match. - +..No match. SetupDiag: processing rule: PortableWorkspaceHardblock. -...No match. - +..No match. SetupDiag: processing rule: AuditModeHardblock. -...No match. - +..No match. SetupDiag: processing rule: SafeModeHardblock. -...No match. - +..No match. SetupDiag: processing rule: InsufficientSystemPartitionDiskSpaceHardblock. -...No match. +..No match. +SetupDiag: processing rule: CompatBlockedApplicationAutoUninstall. +....No match. -SetupDiag: processing rule: HardblockApplication. -...No match. +SetupDiag: processing rule: CompatBlockedApplicationDismissable. +.... +Matching Profile found: CompatBlockedApplicationDismissable - EA52620B-E6A0-4BBC-882E-0686605736D9 +Warning: Found Application Block for: "Microsoft Endpoint Protection". +This is a dismissible message when not running setup.exe in "/quiet" mode. +Consider specifying "/compat /ignore warning" to ignore these dismissible warnings. +You must manually uninstall "Microsoft Endpoint Protection" before continuing with the installation/update, or change the command line parameters to ignore warnings. 
+For more information about Setup command line switches, see here: +https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-command-line-options + +SetupDiag: processing rule: CompatBlockedApplicationManualUninstall. +....No match. SetupDiag: processing rule: HardblockDeviceOrDriver. -...No match. - +....No match. SetupDiag: processing rule: HardblockMismatchedLanguage. ..No match. - SetupDiag: processing rule: HardblockFlightSigning. ..No match. - SetupDiag: processing rule: DiskSpaceBlockInDownLevel. -... +..No match. -Matching Profile found: DiskSpaceBlockInDownLevel - 6080AFAC-892E-4903-94EA-7A17E69E549E -Warning: Found Disk Space Hard Block. -Warning: You must free up at least 6603 MB of space on the System Drive, and try again. +SetupDiag: processing rule: DiskSpaceFailure. +..No match. + +SetupDiag: processing rule: DebugSetupMemoryDump. +.No match. + +SetupDiag: processing rule: DebugSetupCrash. +.No match. + +SetupDiag: processing rule: DebugMemoryDump. +.No match. + +SetupDiag: processing rule: DeviceInstallHang. +..No match. + +SetupDiag: processing rule: BootFailureDetected. +.No match. + +SetupDiag: processing rule: FindDebugInfoFromRollbackLog. +.No match. + +SetupDiag: processing rule: AdvancedInstallerFailed. +..No match. + +SetupDiag: processing rule: FindMigApplyUnitFailure. +..No match. + +SetupDiag: processing rule: FindMigGatherUnitFailure. +..No match. + +SetupDiag: processing rule: OptionalComponentInstallFailure. +..No match. + +SetupDiag: processing rule: CriticalSafeOSDUFailure. +..No match. + +SetupDiag: processing rule: UserProfileCreationFailureDuringOnlineApply. +..No match. + +SetupDiag: processing rule: WimMountFailure. +..No match. + +SetupDiag: processing rule: FindSuccessfulUpgrade. +..No match. + +SetupDiag: processing rule: FindSetupHostReportedFailure. +..No match. + +SetupDiag: processing rule: FindDownlevelFailure. +..No match. + +SetupDiag: processing rule: FindAbruptDownlevelFailure. 
+....Error: SetupDiag reports abrupt down-level failure. Last Operation: Finalize, Error: 0xC1900208 - 0x4000C +Failure Data: Last Operation: Finalize, Error: 0xC1900208 - 0x4000C +Refer to https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-error-codes for error information. + +SetupDiag: processing rule: FindSetupPlatformFailedOperationInfo. +..No match. + +SetupDiag: processing rule: FindRollbackFailure. +..No match. + +SetupDiag found 2 matching issues. + +Warning: Found Application Block for: "Microsoft Endpoint Protection". +This is a dismissible message when not running setup.exe in "/quiet" mode. +Consider specifying "/compat /ignore warning" to ignore these dismissible warnings. +You must manually uninstall "Microsoft Endpoint Protection" before continuing with the installation/update, or change the command line parameters to ignore warnings. +For more information about Setup command line switches, see here: +https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-command-line-options +Error: SetupDiag reports abrupt down-level failure. Last Operation: Finalize, Error: 0xC1900208 - 0x4000C +Failure Data: Last Operation: Finalize, Error: 0xC1900208 - 0x4000C +Refer to https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-error-codes for error information. -SetupDiag found 1 matching issue. SetupDiag results were logged to: c:\setupdiag\results.log -Logs ZipFile created at: c:\setupdiag\Logs.zip +Logs ZipFile created at: c:\setupdiag\Logs_14.zip ``` 
@@ -188,63 +285,199 @@ When searching log files, SetupDiag uses a set of rules to match known issues. T Each rule name and its associated unique rule identifier are listed with a description of the known upgrade-blocking issue. In the rule descriptions, the term "down-level" refers to the first phase of the upgrade process, which runs under the starting OS. -1. CompatScanOnly - FFDAFD37-DB75-498A-A893-472D49A1311D +1. CompatScanOnly - FFDAFD37-DB75-498A-A893-472D49A1311D - This rule indicates that setup.exe was called with a specific command line parameter that indicated setup was to do a compat scan only, not an upgrade. -2. BitLockerHardblock - C30152E2-938E-44B8-915B-D1181BA635AE +2. BitLockerHardblock - C30152E2-938E-44B8-915B-D1181BA635AE - This is a block when the target OS does not support BitLocker, yet the host OS has BitLocker enabled. -3. VHDHardblock - D9ED1B82-4ED8-4DFD-8EC0-BE69048978CC +3. VHDHardblock - D9ED1B82-4ED8-4DFD-8EC0-BE69048978CC - This block happens when the host OS is booted to a VHD image. Upgrade is not supported when the host OS is booted from a VHD image. -4. PortableWorkspaceHardblock - 5B0D3AB4-212A-4CE4-BDB9-37CA404BB280 +4. PortableWorkspaceHardblock - 5B0D3AB4-212A-4CE4-BDB9-37CA404BB280 - This indicates that the host OS is booted from a Windows To-Go device (USB key). Upgrade is not supported in the Windows To-Go environment. -5. AuditModeHardblock - A03BD71B-487B-4ACA-83A0-735B0F3F1A90 +5. AuditModeHardblock - A03BD71B-487B-4ACA-83A0-735B0F3F1A90 - This block indicates that the host OS is currently booted into Audit Mode, a special mode for modifying the Windows state. Upgrade is not supported from this state. -6. SafeModeHardblock - 404D9523-B7A8-4203-90AF-5FBB05B6579B +6. SafeModeHardblock - 404D9523-B7A8-4203-90AF-5FBB05B6579B - This block indicates that the host OS is booted to Safe Mode, where upgrade is not supported. -7. InsufficientSystemPartitionDiskSpaceHardblock - 3789FBF8-E177-437D-B1E3-D38B4C4269D1 +7. 
InsufficientSystemPartitionDiskSpaceHardblock - 3789FBF8-E177-437D-B1E3-D38B4C4269D1 - This block is encountered when setup determines the system partition (where the boot loader files are stored) does not have enough space to be serviced with the newer boot files required during the upgrade process. -8. HardblockApplication - D6FBF046-5927-4FCD-B998-FE21CA7F6AC9 - - This rule indicates the host OS had one or more hard blocked applications that need to be uninstalled prior to continuing. This typically is only a problem when /Quiet is specified on the command line. -9. HardblockDeviceOrDriver - ED3AEFA1-F3E2-4F33-8A21-184ADF215B1B +8. CompatBlockedApplicationAutoUninstall – BEBA5BC6-6150-413E-8ACE-5E1EC8D34DD5 + - This rule indicates there is an application that needs to be uninstalled before setup can continue. +9. CompatBlockedApplicationDismissable - EA52620B-E6A0-4BBC-882E-0686605736D9 + - When running setup in /quiet mode, there are dismissible application messages that turn into blocks unless the command line also specifies “/compat /ignore warning”. This rule indicates setup was executed in /quiet mode but there is an application dismissible block message that have prevented setup from continuing. +10. CompatBlockedApplicationManualUninstall - 9E912E5F-25A5-4FC0-BEC1-CA0EA5432FF4 + - This rule indicates that an application without an Add/Remove Programs entry, is present on the system and blocking setup from continuing. This typically requires manual removal of the files associated with this application to continue. +11. HardblockDeviceOrDriver - ED3AEFA1-F3E2-4F33-8A21-184ADF215B1B - This indicates a device driver that is loaded on the host OS is not compatible with the newer OS version and needs to be removed prior to the upgrade. -10. HardblockMismatchedLanguage - 60BA8449-CF23-4D92-A108-D6FCEFB95B45 +12. HardblockMismatchedLanguage - 60BA8449-CF23-4D92-A108-D6FCEFB95B45 - This rule indicates the host OS and the target OS language editions do not match. 
-11. HardblockFlightSigning - 598F2802-3E7F-4697-BD18-7A6371C8B2F8 +13. HardblockFlightSigning - 598F2802-3E7F-4697-BD18-7A6371C8B2F8 - This rule indicates the target OS is a pre-release, Windows Insider build, and the target machine has Secure Boot enabled. This will block the pre-release signed build from booting if installed on the machine. -12. DiskSpaceBlockInDownLevel - 6080AFAC-892E-4903-94EA-7A17E69E549E +14. DiskSpaceBlockInDownLevel - 6080AFAC-892E-4903-94EA-7A17E69E549E - This failure indicates the system ran out of disk space during the down-level operations of upgrade. -13. DiskSpaceFailure - 981DCBA5-B8D0-4BA7-A8AB-4030F7A10191 +15. DiskSpaceFailure - 981DCBA5-B8D0-4BA7-A8AB-4030F7A10191 - This failure indicates the system drive ran out of available disk space at some point after the first reboot into the upgrade. -14. DeviceInstallHang - 37BB1C3A-4D79-40E8-A556-FDA126D40BC6 +16. DeviceInstallHang - 37BB1C3A-4D79-40E8-A556-FDA126D40BC6 - This failure rule indicates the system hung or bug checked during the device installation phase of upgrade. -15. DebugSetupMemoryDump - C7C63D8A-C5F6-4255-8031-74597773C3C6 +17. DebugSetupMemoryDump - C7C63D8A-C5F6-4255-8031-74597773C3C6 - This offline only rule indicates a bug check occurred during setup. If the debugger tools are available on the system, SetupDiag will debug the memory dump and provide details. -16. DebugSetupCrash - CEEBA202-6F04-4BC3-84B8-7B99AED924B1 +18. DebugSetupCrash - CEEBA202-6F04-4BC3-84B8-7B99AED924B1 - This offline only rule indicates that setup itself encountered a failure that resulted in a process memory dump. If the debugger tools are installed on the system, SetupDiag will debug the memory dump and give further details. -17. DebugMemoryDump - 505ED489-329A-43F5-B467-FCAAF6A1264C +19. DebugMemoryDump - 505ED489-329A-43F5-B467-FCAAF6A1264C - This offline only rule is for any memory.dmp file that resulted during the setup/upgrade operation. 
If the debugger tools are installed on the system, SetupDiag will debug the memory dump and give further details. -18. FindDebugInfoFromRollbackLog - 9600EB68-1120-4A87-9FE9-3A4A70ACFC37 +20. BootFailureDetected - 4FB446C2-D4EC-40B4-97E2-67EB19D1CFB7 + - This rule indicates a boot failure occurred during a specific phase of the update. The rule will indicate the failure code and phase for diagnostic purposes. +21. FindDebugInfoFromRollbackLog - 9600EB68-1120-4A87-9FE9-3A4A70ACFC37 - This rule will determine and give details when a bug check occurs during the setup/upgrade process that resulted in a memory dump, but without the requirement of the debugger package being on the executing machine. -19. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC +22. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC - Finds fatal advanced installer operations that cause setup failures. -20. FindSuccessfulUpgrade - 8A0824C8-A56D-4C55-95A0-22751AB62F3E +23. FindMigApplyUnitFailure - A4232E11-4043-4A37-9BF4-5901C46FD781 + - Detects a migration unit failure that caused the update to fail. This rule will output the name of the migration plug-in as well as the error code it produced for diagnostic purposes. +24. FindMigGatherUnitFailure - D04C064B-CD77-4E64-96D6-D26F30B4EE29 + - Detects a migration gather unit failure that caused the update to fail. This rule will output the name of the gather unit/plug-in as well as the error code it produced for diagnostic purposes. +25. CriticalSafeOSDUFailure - 73566DF2-CA26-4073-B34C-C9BC70DBF043 + - This rule indicates a failure occurred while updating the SafeOS image with a critical dynamic update. It will indicate the phase and error code that occurred while attempting to update the SafeOS image for diagnostic purposes. +26. 
UserProfileCreationFailureDuringOnlineApply - 678117CE-F6A9-40C5-BC9F-A22575C78B14 + - Indicates there was a critical failure while creating or modifying a User Profile during the online apply phase of the update. It will indicate the operation and error code associated with the failure for diagnostic purposes. +27. WimMountFailure - BE6DF2F1-19A6-48C6-AEF8-D3B0CE3D4549 + - This rule indicates the update failed to mount a wim file. It will show the name of the wim file as well as the error message and error code associated with the failure for diagnostic purposes. +28. FindSuccessfulUpgrade - 8A0824C8-A56D-4C55-95A0-22751AB62F3E - Determines if the given setup was a success or not based off the logs. -21. FindSetupHostReportedFailure - 6253C04F-2E4E-4F7A-B88E-95A69702F7EC +29. FindSetupHostReportedFailure - 6253C04F-2E4E-4F7A-B88E-95A69702F7EC - Gives information about failures surfaced early in the upgrade process by setuphost.exe -22. FindDownlevelFailure - 716334B7-F46A-4BAA-94F2-3E31BC9EFA55 +30. FindDownlevelFailure - 716334B7-F46A-4BAA-94F2-3E31BC9EFA55 - Gives failure information surfaced by SetupPlatform, later in the down-level phase. -23. FindAbruptDownlevelFailure - 55882B1A-DA3E-408A-9076-23B22A0472BD +31. FindAbruptDownlevelFailure - 55882B1A-DA3E-408A-9076-23B22A0472BD - Gives last operation failure information when the system fails in the down-level, but the log just ends abruptly. -24. FindSetupPlatformDownlevelFailure - 307A0133-F06B-4B75-AEA8-116C3B53C2D1 - - Gives last operation and phase failure information when Setup indicates a down-level failure. -25. FindSetupPlatformDownlevelFailedOperation - 087610ED-329A-4DE9-A54C-38A3A07B5B8B - - Gives last phase and error information when Setup indicates a down-level failure. -26. FindRollbackFailure - 3A43C9B5-05B3-4F7C-A955-88F991BB5A48 +32. 
FindSetupPlatformFailedOperationInfo - 307A0133-F06B-4B75-AEA8-116C3B53C2D1 + - Gives last phase and error information when SetupPlatform indicates a critical failure. This rule will indicate the operation and error associated with the failure for diagnostic purposes. +33. FindRollbackFailure - 3A43C9B5-05B3-4F7C-A955-88F991BB5A48 - Gives last operation, failure phase and error information when a rollback occurs. - +34. AdvancedInstallerGenericFailure – 4019550D-4CAA-45B0-A222-349C48E86F71 + - A rule to match AdvancedInstaller read/write failures in a generic sense. Will output the executable being called as well as the error code and exit code reported. +35. OptionalComponentFailedToGetOCsFromPackage – D012E2A2-99D8-4A8C-BBB2-088B92083D78 (NOTE: This rule replaces the OptionalComponentInstallFailure rule present in v1.10. + - This matches a specific Optional Component failure when attempting to enumerate components in a package. Will output the package name and error code. +36. OptionalComponentOpenPackageFailed – 22952520-EC89-4FBD-94E0-B67DF88347F6 + - Matches a specific Optional Component failure when attempting to open an OC package. Will output the package name and error code. +37. OptionalComponentInitCBSSessionFailed – 63340812-9252-45F3-A0F2-B2A4CA5E9317 + - Matches a specific failure where the advanced installer service or components aren’t operating or started on the system. Will output the error code. +38. UserProfileCreationFailureDuringFinalize – C6677BA6-2E53-4A88-B528-336D15ED1A64 + - Matches a specific User Profile creation error during the finalize phase of setup. Will output the failure code. +39. WimApplyExtractFailure – 746879E9-C9C5-488C-8D4B-0C811FF3A9A8 + - Matches a wim apply failure during wim extraction phases of setup. Will output the extension, path and error code. +40. UpdateAgentExpanderFailure – 66E496B3-7D19-47FA-B19B-4040B9FD17E2 + - Matches DPX expander failures in the down-level phase of update from WU. 
Will output the package name, function, expression and error code. +41. FindFatalPluginFailure – E48E3F1C-26F6-4AFB-859B-BF637DA49636 + - Matches any plug in failure that setupplatform decides is fatal to setup. Will output the plugin name, operation and error code. +42. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC + - Indicates critical failure in the AdvancedInstaller while running an installer package, includes the .exe being called, the phase, mode, component and error codes. +43. MigrationAbortedDueToPluginFailure - D07A24F6-5B25-474E-B516-A730085940C9 + - Indicates a critical failure in a migration plugin that causes setup to abort the migration. Will provide the setup operation, plug in name, plug in action and error code. +44. DISMAddPackageFailed - 6196FF5B-E69E-4117-9EC6-9C1EAB20A3B9 + - Indicates a critical failure during a DISM add package operation. Will specify the Package Name, DISM error and add package error code. ## Release notes -03/30/2018 - SetupDiag v1.00 released with 26 rules, as a standalone tool available from the Download Center. +07/16/2018 - SetupDiag v1.3.1 is released with 44 rules, as a standalone tool available from the Download Center. + - This release fixes a problem that can occur when running SetupDiag in online mode on a computer that produces a setupmem.dmp file, but does not have debugger binaries installed. + +07/10/2018 - SetupDiag v1.30 is released with 44 rules, as a standalone tool available from the Download Center. + - Bug fix for an over-matched plug-in rule. The rule will now correctly match only critical (setup failure) plug-in issues. + - New feature: Ability to output logs in JSON and XML format. + - Use "/Format:xml" or "/Format:json" command line parameters to specify the new output format. See [sample logs](#sample-logs) at the bottom of this topic. + - If the “/Format:xml” or “/Format:json” parameter is omitted, the log output format will default to text. 
+ - New Feature: Where possible, specific instructions are now provided in rule output to repair the identified error. For example, instructions are provided to remediate known blocking issues such as uninstalling an incompatible app or freeing up space on the system drive. + - 3 new rules added: AdvancedInstallerFailed, MigrationAbortedDueToPluginFailure, DISMAddPackageFailed. + +05/30/2018 - SetupDiag v1.20 is released with 41 rules, as a standalone tool available from the Download Center. + - Fixed a bug in device install failure detection in online mode. + - Changed SetupDiag to work without an instance of setupact.log. Previously, SetupDiag required at least one setupact.log to operate. This change enables the tool to analyze update failures that occur prior to calling SetupHost. + - Telemetry is refactored to only send the rule name and GUID (or “NoRuleMatched” if no rule is matched) and the Setup360 ReportId. This change assures data privacy during rule processing. + +05/02/2018 - SetupDiag v1.10 is released with 34 rules, as a standalone tool available from the Download Center. + - A performance enhancment has been added to result in faster rule processing. + - Rules output now includes links to support articles, if applicable. + - SetupDiag now provides the path and name of files that it is processing. + - You can now run SetupDiag by simply clicking on it and then examining the output log file. + - An output log file is now always created, whether or not a rule was matched. + +03/30/2018 - SetupDiag v1.00 is released with 26 rules, as a standalone tool available from the Download Center. 
+ +## Sample logs + +### Text log sample + +``` +Matching Profile found: OptionalComponentOpenPackageFailed - 22952520-EC89-4FBD-94E0-B67DF88347F6 +System Information: + Machine Name = Offline + Manufacturer = MSI + Model = MS-7998 + HostOSArchitecture = x64 + FirmwareType = PCAT + BiosReleaseDate = 20160727000000.000000+000 + BiosVendor = BIOS Date: 07/27/16 10:01:46 Ver: V1.70 + BiosVersion = 1.70 + HostOSVersion = 10.0.15063 + HostOSBuildString = 15063.0.amd64fre.rs2_release.170317-1834 + TargetOSBuildString = 10.0.16299.15 (rs3_release.170928-1534) + HostOSLanguageId = 2057 + HostOSEdition = Core + RegisteredAV = Windows Defender, + FilterDrivers = WdFilter,wcifs,WIMMount,luafv,Wof,FileInfo, + UpgradeStartTime = 3/21/2018 9:47:16 PM + UpgradeEndTime = 3/21/2018 10:02:40 PM + UpgradeElapsedTime = 00:15:24 + ReportId = dd4db176-4e3f-4451-aef6-22cf46de8bde + +Error: SetupDiag reports Optional Component installation failed to open OC Package. Package Name: Foundation, Error: 0x8007001F +Recommend you check the "Windows Modules Installer" service (Trusted Installer) is started on the system and set to automatic start, reboot and try the update again. Optionally, you can check the status of optional components on the system (search for Windows Features), uninstall any unneeded optional components, reboot and try the update again. +Error: SetupDiag reports down-level failure, Operation: Finalize, Error: 0x8007001F - 0x50015 +Refer to https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-error-codes for error information. 
+``` + +### XML log sample + +``` + + + 1.3.0.0 + DiskSpaceBlockInDownLevel + 6080AFAC-892E-4903-94EA-7A17E69E549E + + Offline + Microsoft Corporation + Virtual Machine + x64 + UEFI + 20171012000000.000000+000 + Hyper-V UEFI Release v2.5 + Hyper-V UEFI Release v2.5 + 10.0.14393 + 14393.1794.amd64fre.rs1_release.171008-1615 + 10.0.16299.15 (rs3_release.170928-1534) + 1033 + Core + + + 2017-12-21T12:56:22 + + 2017-12-21T13:22:46 + 0001-01-01T00:00:00 + 0001-01-01T00:00:00 + + Offline + 06600fcd-acc0-40e4-b7f8-bb984dc8d05a + 06600fcd-acc0-40e4-b7f8-bb984dc8d05a + + Warning: Found Disk Space Hard Block. + You must free up at least "6603" MB of space on the System Drive, and try again. + +``` + +### JSON log sample + +``` +{"Version":"1.3.0.0","ProfileName":"DiskSpaceBlockInDownLevel","ProfileGuid":"6080AFAC-892E-4903-94EA-7A17E69E549E","SystemInfo":{"BiosReleaseDate":"20171012000000.000000+000","BiosVendor":"Hyper-V UEFI Release v2.5","BiosVersion":"Hyper-V UEFI Release v2.5","CV":null,"CommercialId":"Offline","FilterDrivers":"","FirmwareType":"UEFI","HostOSArchitecture":"x64","HostOSBuildString":"14393.1794.amd64fre.rs1_release.171008-1615","HostOSEdition":"Core","HostOSLanguageId":"1033","HostOSVersion":"10.0.14393","MachineName":"Offline","Manufacturer":"Microsoft Corporation","Model":"Virtual Machine","RegisteredAV":"","ReportId":"06600fcd-acc0-40e4-b7f8-bb984dc8d05a","RollbackElapsedTime":"PT0S","RollbackEndTime":"\/Date(-62135568000000-0800)\/","RollbackStartTime":"\/Date(-62135568000000-0800)\/","SDMode":1,"SetupReportId":"06600fcd-acc0-40e4-b7f8-bb984dc8d05a","TargetOSArchitecture":null,"TargetOSBuildString":"10.0.16299.15 (rs3_release.170928-1534)","UpgradeElapsedTime":"PT26M24S","UpgradeEndTime":"\/Date(1513891366000-0800)\/","UpgradeStartTime":"\/Date(1513889782000-0800)\/"},"FailureData":["Warning: Found Disk Space Hard Block."],"DeviceDriverInfo":null,"Remediation":["You must free up at least \"6603\" MB of space on the System Drive, and try again."]} +``` 
## Related topics diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md index 32eddd5c45..e856e35e36 100644 --- a/windows/deployment/upgrade/submit-errors.md +++ b/windows/deployment/upgrade/submit-errors.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.date: 03/16/2018 -ms.localizationpriority: high +ms.localizationpriority: medium --- # Submit Windows 10 upgrade errors using Feedback Hub diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md index 9ebd8766d6..c738d3a1cf 100644 --- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md +++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.date: 03/30/2018 -ms.localizationpriority: high +ms.localizationpriority: medium --- # Troubleshooting upgrade errors diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md index cdd4fe37c9..84185caa92 100644 --- a/windows/deployment/upgrade/upgrade-error-codes.md +++ b/windows/deployment/upgrade/upgrade-error-codes.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.date: 03/30/2018 -ms.localizationpriority: high +ms.localizationpriority: medium --- # Upgrade error codes @@ -37,7 +37,19 @@ Note: If only a result code is returned, this can be because a tool is being use >A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue.
                  To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](resolution-procedures.md) section later in this article. -Result codes can be matched to the type of error encountered. To match a result code to an error: +The following set of result codes are associated with [Windows Setup](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options) compatibility warnings: + +| Result code | Message | Description | +| --- | --- | --- | +| 0xC1900210 | MOSETUP_E_COMPAT_SCANONLY | Setup did not find any compat issue | +| 0xC1900208 | MOSETUP_E_COMPAT_INSTALLREQ_BLOCK | Setup found an actionable compat issue, such as an incompatible app | +| 0xC1900204 | MOSETUP_E_COMPAT_MIGCHOICE_BLOCK | The migration choice selected is not available (ex: Enterprise to Home) | +| 0xC1900200 | MOSETUP_E_COMPAT_SYSREQ_BLOCK | The computer is not eligible for Windows 10 | +| 0xC190020E | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The computer does not have enough free space to install | + +A list of modern setup (mosetup) errors with descriptions in the range is available in the [Resolution procudures](resolution-procedures.md#modern-setup-errors) topic in this article. + +Other result codes can be matched to the specific type of error encountered. To match a result code to an error: 1. Identify the error code type as either Win32 or NTSTATUS using the first hexadecimal digit:
                  **8** = Win32 error code (ex: 0x**8**0070070)
diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
index 5594afcec8..80369e62f5 100644
--- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
+++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
@@ -2,25 +2,62 @@ title: Upgrade Readiness - Additional insights description: Explains additional features of Upgrade Readiness. ms.prod: w10 -author: greg-lindsay -ms.date: 10/26/2017 +author: jaimeo +ms.date: 07/02/2018 --- # Upgrade Readiness - Additional insights This topic provides information on additional features that are available in Upgrade Readiness to provide insights into your environment. These include: +- [Spectre and Meltdown protections](#spectre-meltdown-protection-status): Status of devices with respect to their anti-virus, security update, and firmware updates related to protection from the "Spectre" and "Meltdown" vulnerabilities. - [Site discovery](#site-discovery): An inventory of web sites that are accessed by client computers running Windows 7, Windows 8.1, or Windows 10 using Internet Explorer. - [Office add-ins](#office-add-ins): A list of the Microsoft Office add-ins that are installed on client computers. +## Spectre and Meltdown protection status +Microsoft has published guidance for IT Pros that outlines the steps you can take to improve protection against the hardware vulnerabilities known as "Spectre" and "Meltdown." See [Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities](https://go.microsoft.com/fwlink/?linkid=867468) for details about the vulnerabilities and steps you can take. + +Microsoft recommends three steps to help protect against the Spectre and Meltdown vulnerabilities: +- Verify that you are running a supported antivirus application. +- Apply all available Windows operating system updates, including the January 2018 and later Windows security updates. +- Apply any applicable processor firmware (microcode) updates provided by your device manufacturer(s). + +Upgrade Readiness reports on status of your devices in these three areas. 
+ +![Spectre-Meltdown protection blades](../images/spectre-meltdown-prod-closeup.png) + +>[!IMPORTANT] +>To provide these blades with data, ensure that your devices can reach the endpoint **http://adl.windows.com**. (See [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started) for more about necessary endpoints and how to whitelist them.) + +### Anti-virus status blade +This blade helps you determine if your devices' anti-virus solution is compatible with the latest Windows operating system updates. It shows the number of devices that have an anti-virus solution with no known issues, issues reported, or an unknown status for a particular Windows security update. In the following example, an anti-virus solution that has no known issues with the January 3, 2018 Windows update is installed on about 2,800 devices. + +![Spectre-Meltdown antivirus blade](../images/AV-status-by-computer.png) + +### Security update status blade +This blade indicates whether a Windows security update that includes Spectre- or Meltdown-related fixes (January 3, 2018 or later) has been installed, as well as whether specific fixes have been disabled. Though protections are enabled by default on devices running Windows (but not Windows Server) operating systems, some IT administrators might choose to disable specific protections. In the following example, about 4,300 devices have a Windows security update that includes Spectre or Meltdown protections installed, and those protections are enabled. + +![Spectre-Meltdown antivirus blade](../images/win-security-update-status-by-computer.png) + +>[!IMPORTANT] +>If you are seeing computers with statuses of either “Unknown – action may be required” or “Installed, but mitigation status unknown,” it is likely that you need to whitelist the **http://adl.windows.com** endpoint. 
+ +### Firmware update status blade +This blade reports the number of devices that have installed a firmware update that includes Spectre or Meltdown protections. The blade might report a large number of blank, “unknown”, or “to be determined” statuses at first. As CPU information is provided by partners, the blade will automatically update with no further action required on your part. + + + + ## Site discovery -The site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. +The IE site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. > [!NOTE] > Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. The data collection process is silent, without notification to the employee. 
You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees. -[In order to use site discovery, a separate opt-in is required; see Enrolling] +>IE site discovery is disabled on devices running Windows 7 and Windows 8.1 that are in Switzerland and EU countries. + +In order to use site discovery, a separate opt-in is required; see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started). ### Review most active sites @@ -52,4 +89,4 @@ Office add-ins provides a list of the Microsoft Office add-ins in your environme ## Related topics -[Upgrade Readiness release notes](upgrade-readiness-release-notes.md) +[Upgrade Readiness release notes](upgrade-readiness-release-notes.md) \ No newline at end of file diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md index 7b45c2ed1b..774f54ce73 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md +++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md @@ -5,8 +5,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -author: greg-lindsay -ms.date: 10/11/2017 +author: jaimeo +ms.date: 05/31/2018 --- # Upgrade Readiness deployment script @@ -146,20 +146,19 @@ The deployment script displays the following exit codes to let you know if it wa **Http Get** on the end points did not return a success exit code.
                  For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive.
                  For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive. -
                  If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). - +
                  If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md) 13 - Can’t connect to Microsoft - setting. - An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Verify that the required endpoints are whitelisted correctly. See Whitelist select endpoints for more details. + An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Verify that the required endpoints are whitelisted correctly. See Whitelist select endpoints for more details. 14 14 - Can’t connect to Microsoft - compatexchange. - An error occurred connecting to [CompatibilityExchangeService.svc](https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc). This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). 
+ An error occurred connecting to [CompatibilityExchangeService.svc](https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc). This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). 15 - Function CheckVortexConnectivity failed with an unexpected exception. - This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Check the logs for the exception message and the HResult. + This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). Check the logs for the exception message and the HResult. 16 - The computer requires a reboot before running the script. @@ -203,11 +202,7 @@ The deployment script displays the following exit codes to let you know if it wa 25 - The function **SetIEDataOptIn** failed with unexpected exception. Check the logs for the exception message and HResult. - - 26 - The operating system is Server or LTSB SKU. - The script does not support Server or LTSB SKUs. - - + 27 - The script is not running under **System** account. The Upgrade Readiness configuration script must be run as **System**. 
@@ -234,7 +229,7 @@ The deployment script displays the following exit codes to let you know if it wa 32 - Appraiser version on the machine is outdated. - The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs) for Windows 7 SP1/Windows 8.1. + The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://docs.microsoft.com/en-us/windows/deployment/update/windows-analytics-get-started#deploy-the-compatibility-update-and-related-updates) for Windows 7 SP1/Windows 8.1. 33 - **CompatTelRunner.exe** exited with an exit code diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index 8468224bf5..c7e84fc03b 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md @@ -1,12 +1,15 @@ --- title: Get started with Upgrade Readiness (Windows 10) description: Explains how to get started with Upgrade Readiness. +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: jaimeo -ms.date: 03/20/2018 +ms.author: jaimeo +ms.date: 06/12/2018 +ms.localizationpriority: medium --- # Get started with Upgrade Readiness 
@@ -32,7 +35,7 @@ When you are ready to begin using Upgrade Readiness, perform the following steps To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see the following topics, refer to [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-FAQ-troubleshooting), which discusses the issues and provides links to still more detailed information. -## Add Upgrade Readiness to Operations Management Suite +## Add Upgrade Readiness to Operations Management Suite or Azure Log Analytics Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/). 
@@ -41,11 +44,14 @@ Upgrade Readiness is offered as a solution in the Microsoft Operations Managemen If you are already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace. While you have this dialog open, you should also consider adding the [Device Health](../update/device-health-monitor.md) and [Update Compliance](../update/update-compliance-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions. -If you are not using OMS: +>[!NOTE] +>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=CompatibilityAssessment) to go directly to the Upgrade Readiness solution and add it to your workspace. -1. Go to the [Upgrade Readiness page on Microsoft.com](https://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and select **New Customers >** to start the process. -2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. -3. Create a new OMS workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**. +If you are not using OMS or Azure Log Analytics: + +1. Go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. +2. 
Sign in to Operations Management Suite (OMS) or Azure Log Analytics. You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. +3. Create a new workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**. 4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. > If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens. diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md index 2c73760c08..6e85f14d18 100644 --- a/windows/deployment/upgrade/upgrade-readiness-requirements.md +++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md @@ -1,9 +1,12 @@ --- title: Upgrade Readiness requirements (Windows 10) description: Provides requirements for Upgrade Readiness. +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, ms.prod: w10 author: jaimeo -ms.date: 03/15/2018 +ms.author: +ms.date: 06/12/2018 +ms.localizationpriority: medium --- # Upgrade Readiness requirements 
@@ -18,7 +21,7 @@ To perform an in-place upgrade, user computers must be running the latest versio The compatibility update that sends diagnostic data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Readiness cannot evaluate Windows XP or Windows Vista for upgrade eligibility. - + If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center. 
@@ -29,19 +32,20 @@ See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-1 ### Windows 10 Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates. -The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com). +The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com). -While Upgrade Readiness can be used to assist with updating devices from Windows 10 Long-Term Servicing Channel (LTSC) to Windows 10 Semi-Annual Channel, Upgrade Readiness does not support updates to Windows 10 LTSC. The Long-Term Servicing Channel of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not a supported target with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-channel) to understand more about LTSC. +While Upgrade Readiness can be used to assist with updating devices from Windows 10 Long-Term Servicing Channel (LTSC) to Windows 10 Semi-Annual Channel, Upgrade Readiness does not support updates to Windows 10 LTSC. The Long-Term Servicing Channel of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not a supported target with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-channel) to understand more about LTSC. 
-## Operations Management Suite +## Operations Management Suite or Azure Log Analytics -Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). +Upgrade Readiness is offered as a solution in Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud based services for managing on premises and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). -If you’re already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Click the Upgrade Readiness tile in the gallery and then click Add on the solution’s details page. Upgrade Readiness is now visible in your workspace. +If you’re already using OMS or Azure Log Analytics, you’ll find Upgrade Readiness in the Solutions Gallery. Click the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution’s details page. Upgrade Readiness is now visible in your workspace. -If you are not using OMS, go to the [Upgrade Readiness page](https://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics) on Microsoft.com and select **Sign up** to kick off the OMS onboarding process. During the onboarding process, you’ll create an OMS workspace and add the Upgrade Readiness solution to it. +If you are not using OMS or Azure Log Analytics, go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. 
During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. -Important: You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions. +>[!IMPORTANT] +>You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions. ## System Center Configuration Manager integration diff --git a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md index 58ffa25e69..3f049881af 100644 --- a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md +++ b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md 
@@ -1,9 +1,12 @@ --- title: Upgrade Readiness - Resolve application and driver issues (Windows 10) description: Describes how to resolve application and driver issues that can occur during an upgrade with Upgrade Readiness. +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, ms.prod: w10 author: jaimeo +ms.author: jaimeo ms.date: 08/31/2017 +ms.localizationpriority: medium --- # Upgrade Readiness - Step 2: Resolve app and driver issues @@ -46,7 +49,7 @@ To change an application's upgrade decision: 1. Select **Decide upgrade readiness** to view applications with issues. 2. In the table view, select an **UpgradeDecision** value. 3. Select **Decide upgrade readiness** to change the upgrade decision for each application. -4. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list. +4. Select the applications you want to change to a specific upgrade decision and then select the appropriate option from the **Select upgrade decision** list. 5. Click **Save** when finished. IMPORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information. diff --git a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md new file mode 100644 index 0000000000..a44c405280 --- /dev/null +++ b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md 
@@ -0,0 +1,57 @@ +--- +title: Upgrade Readiness - Targeting a new operating system version +description: Explains how to run Upgrade Readiness again to target a different operating system version or bulk-approve all apps from a given vendor +ms.prod: w10 +author: jaimeo +ms.date: 05/31/2018 +--- + +# Targeting a new operating system version + +After you've used Upgrade Readiness to help deploy a given version of Windows 10, you might want to use it again to help deploy a newer version of Windows 10. When you change the target operating system version (as described in [Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md#target-version)), the app states (Importance, AppOwner, UpgradeDecision, TestPlan, and TestResult) are not reset. Follow this guidance to preserve or reset these states as needed: + +## TestResults + +If you want to preserve the TestResults from the previous operating system version testing, there is nothing you need to do. + +If you want to reset them, click any of the rows in the **Prioritize Application** blade (described in [Upgrade Readiness - Step 1: Identify important apps](upgrade-readiness-identify-apps.md)). This will take you to the **Log Search** user experience. Replace the query in that window with the following query: + +`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and TestResult <> "Not started"` + +After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit** button, and then set the **TestResult** to *Not started*. Leave all other fields as they are. + +## UpgradeDecision + +If you want to preserve the UpgradeDecision from the previous operating system version testing, there is nothing you need to do. 
+ +If you want to reset them, keep these important points in mind: + +- Make sure to *not* reset the **Ready to upgrade** decision for the "long tail" of apps that have importance of **Ignore** or **Low install count**. Doing this will make it extremely difficult to complete the Upgrade Readiness workflow. +- Decide which decisions to reset. For example, one option is just to reset the decisions marked **Ready to upgrade** (in order to retest those), while preserving states of apps marked **Won't upgrade**. Doing this means you won't lose track of this previous marking. Or you can reset everything. + +To do this, type the following query in **Log Search**: + +`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and Importance <> "Ignore" and Importance <> "Low install count" and UpgradeDecision == "Ready to upgrade"` + +>[!NOTE] +>If you just want to reset all **UpgradeDecision** values, you can simply remove `'and UpgradeDecision == "Ready to upgrade"` from the query. + +After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit** button, and then set the **UpgradeDecision** to *Not reviewed*. Leave all other fields as they are. + + +## Bulk-approving apps from a given vendor + +You can bulk-approve all apps from a given vendor (for example, Microsoft) if there are no known compatibility issues. To do this, type the following query in **Log Search**: + +`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and AppVendor has "Microsoft" and UpgradeAssessment=="No known issues" and UpgradeDecision<>"Ready to upgrade"` + +After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit" button**, and then set the **UpgradeDecision** to *Ready to upgrade*. Leave all other fields as they are. 
+ +## Related topics + +[Windows Analytics overview](../update/windows-analytics-overview.md) + +[Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) + +[Get started with Upgrade Readiness](upgrade-readiness-get-started.md) + diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md index 68f4b268ec..8bc47524c0 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md @@ -4,7 +4,7 @@ description: The simplest path to upgrade PCs currently running Windows 7, Wind ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878 keywords: upgrade, update, task sequence, deploy ms.prod: w10 -ms.localizationpriority: high +ms.localizationpriority: medium ms.mktglfcycl: deploy author: mtniehaus ms.date: 07/27/2017 
@@ -107,13 +107,13 @@ Figure 2. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequ After the task sequence finishes, the computer will be fully upgraded to Windows 10. -## Upgrade to Windows 10 with the next version of System Center Configuration Manager +## Upgrade to Windows 10 with System Center Configuration Manager Current Branch -With the next release of System Center Configuration Manager (currently planned for Q4 of 2015), new built-in functionality will be provided to make it even easier to upgrade existing Windows 7, Windows 8, and Windows 8.1 PCs to Windows 10. +With System Center Configuration Manager Current Branch, new built-in functionality makes it easier to upgrade to Windows 10. **Note**   -For more details about the next version of Configuration Manager, see the [Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620205). An [evaluation version is currently available](https://go.microsoft.com/fwlink/p/?LinkId=620206) for you to try. The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released. +For more details about Configuration Manager Current Branch, see the [Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620205). An [evaluation version is currently available](https://go.microsoft.com/fwlink/p/?LinkId=620206) for you to try. The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released.   @@ -139,7 +139,7 @@ To create an upgrade task sequence, perform the following steps: ![figure 3](../images/upgradecfg-fig3-upgrade.png) -Figure 3. The Configuration Manager vNext upgrade task sequence. +Figure 3. The Configuration Manager upgrade task sequence. ### Create a device collection 
@@ -190,7 +190,7 @@ In this section, you create a deployment for the Windows 10 Enterprise x64 Upda In this section, you start the Windows 10 Upgrade task sequence on PC0003 (currently running Windows 7 SP1). 1. On PC0003, start the **Software Center**. -2. Select the **Windows vNext Upgrade** task sequence, and then click **Install.** +2. Select the **Windows 10 Enterprise x64 Upgrade** task sequence, and then click **Install.** When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index 33606a3b67..596c5c9540 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md @@ -5,7 +5,7 @@ ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460 keywords: upgrade, update, task sequence, deploy ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt author: mtniehaus diff --git a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md index 2b4648d629..9677c6128d 100644 --- a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md +++ b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md 
@@ -4,7 +4,7 @@ description: This article describes how to upgrade eligible Windows Phone 8.1 de keywords: upgrade, update, windows, phone, windows 10, mdm, mobile ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt author: Jamiejdt diff --git a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md index f0f332312c..97bc60f3d0 100644 --- a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md +++ b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md @@ -1,9 +1,12 @@ --- title: Use Upgrade Readiness to manage Windows upgrades (Windows 10) description: Describes how to use Upgrade Readiness to manage Windows upgrades. +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, +ms.localizationpriority: medium ms.prod: w10 author: jaimeo -ms.date: 08/30/2017 +ms.author: jaimeo +ms.date: 07/31/2018 --- # Use Upgrade Readiness to manage Windows upgrades 
@@ -19,7 +22,7 @@ When you are ready to begin the upgrade process, a workflow is provided to guide Each step in the workflow is enumerated using blue tiles. Helpful data is provided on white tiles to help you get started, to monitor your progress, and to complete each step. ->**Important**: You can use the [Target version](#target-version) setting to evaluate computers that are runnign a specified version of Windows before starting the Upgrade Readiness workflow. By default, the Target version is configured to the released version of Windows 10 for the Current Branch for Business (CBB). +>**Important**: You can use the [Target version](#target-version) setting to evaluate computers that are running a specified version of Windows before starting the Upgrade Readiness workflow. By default, the Target version is configured to the released version of Windows 10 for the Current Branch for Business (CBB). The following information and workflow is provided: 
@@ -38,11 +41,11 @@ The target version setting is used to evaluate the number of computers that are ![Upgrade overview showing target version](../images/ur-target-version.png) -As mentioned previously, the default target version in Upgrade Readiness is set to the released version of the Current Branch for Business (CBB). CBB can be determined by reviewing [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The target version setting is used to evaluate the number of computers that are already running this version of Windows, or a later version. +The default target version in Upgrade Readiness is set to the released version of the Current Branch for Business (CBB). CBB can be determined by reviewing [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The target version setting is used to evaluate the number of computers that are already running this version of Windows, or a later version. The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target version. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Readiness is based on the target operating system version. -You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, Windows 10 version 1607, and Windows 10 version 1703. +You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, Windows 10 version 1607, Windows 10 version 1703, Windows 10 version 1709 and Windows 10 version 1803. To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution: 
diff --git a/windows/deployment/upgrade/windows-10-downgrade-paths.md b/windows/deployment/upgrade/windows-10-downgrade-paths.md
deleted file mode 100644
index d095a3d449..0000000000
--- a/windows/deployment/upgrade/windows-10-downgrade-paths.md
+++ /dev/null
@@ -1,160 +0,0 @@ ---- -title: Windows 10 downgrade paths (Windows 10) -description: You can downgrade Windows 10 if the downgrade path is supported. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: high -ms.pagetype: mobile -author: greg-lindsay -ms.date: 02/15/2018 ---- - -# Windows 10 downgrade paths -**Applies to** - -- Windows 10 - -## Downgrading Windows 10 - -This topic provides a summary of supported Windows 10 downgrade paths. You might need to downgrade the edition of Windows 10, for example, if an Enterprise license is expired. - -If a downgrade is supported, then your apps and settings can be migrated from the current edition to the downgraded edition. If a path is not supported, then a clean install is required. - -To perform a downgrade, you can use the same methods as when performing an [edition upgrade](windows-10-edition-upgrades.md). - -Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 is not supported, unless you are performing a rollback of a previous upgrade. You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. - ->**Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. - ->**Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown below. - -### Supported Windows 10 downgrade paths - ->[!NOTE] ->Edition changes that are considered upgrades (Ex: Pro to Enterprise) are not shown here. Switching between different editions of Pro is supported. This is not strictly considered an edition downgrade, but is included here for clarity. - -✔ = Supported downgrade path
                  - -
                  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Destination edition
                        HomeProPro for WorkstationsPro EducationSEducationEnterprise LTSCEnterprise
                  Starting edition
                  Home
                  Pro
                  Pro for Workstations
                  Pro Education
                  S
                  Education
                  Enterprise LTSC
                  Enterprise
                  - - -## Related Topics - -[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
                  -[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
                  -[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
                  -[Windows 10 upgrade paths](windows-10-upgrade-paths.md) - - - - - diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index f46f0eb146..f0f9e52ba2 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -4,11 +4,11 @@ description: With Windows 10, you can quickly upgrade from one edition of Windo ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mobile author: greg-lindsay -ms.date: 02/9/2018 +ms.date: 07/06/2018 --- # Windows 10 edition upgrade 
@@ -18,13 +18,15 @@ ms.date: 02/9/2018 - Windows 10 - Windows 10 Mobile -With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). +With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). Downgrading the edition of Windows is discussed in the [License expiration](#license-expiration) section on this page. + +For a list of operating systems that qualify for the Windows 10 Pro Upgrade or Windows 10 Enterprise Upgrade through Microsoft Volume Licensing, see [Windows 10 Qualifying Operating Systems](http://download.microsoft.com/download/2/d/1/2d14fe17-66c2-4d4c-af73-e122930b60f6/Windows10-QOS.pdf). The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. ![not supported](../images/x_blk.png) (X) = not supported
                  ![supported, reboot required](../images/check_grn.png) (green checkmark) = supported, reboot required
                  -![supported, no reboot](../images/check_blu.png) (blue checkmark) = supported, no reboot required +![supported, no reboot](../images/check_blu.png) (blue checkmark) = supported, no reboot required
                  - + diff --git a/windows/security/threat-protection/windows-10-mobile-security-guide.md b/windows/security/threat-protection/windows-10-mobile-security-guide.md index e5f757a0fc..1abe679c9e 100644 --- a/windows/security/threat-protection/windows-10-mobile-security-guide.md +++ b/windows/security/threat-protection/windows-10-mobile-security-guide.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security, mobile -ms.localizationpriority: high +ms.localizationpriority: medium author: AMeeus ms.date: 10/13/2017 --- diff --git a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md index bf20b8965c..d0e001795a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md +++ b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt +author: andreabichsel +ms.author: v-anbic ms.date: 09/12/2017 --- diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md index 8669970d58..16ef07c3fd 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md 
@@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt +author: andreabichsel +ms.author: v-anbic ms.date: 08/26/2017 --- diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md index 771d56a805..77cc805406 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 08/26/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 07/10/2018 --- @@ -38,9 +38,7 @@ To configure the Group Policy settings described in the following table: 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. 
@@ -70,11 +68,9 @@ See [How to create and deploy antimalware policies: Scan settings]( https://docs **Use Microsoft Intune to configure scanning options** +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. -See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Scan options](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#specify-scan-options-settings) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details. - - ### Email scanning limitations diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index 7efd232814..d5bdf282dc 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -11,18 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 02/08/2018 +ms.date: 05/02/2018 --- - - - - # Enable the Block at First Sight feature **Applies to** -- Windows 10, version 1703 +- Windows 10, version 1703 and later **Audience** @@ -30,6 +26,7 @@ ms.date: 02/08/2018 **Manageability available with** +- Intune - Group Policy - Windows Defender Security Center app 
@@ -54,9 +51,9 @@ You can also [customize the message displayed on users' desktops](https://docs.m When a Windows Defender Antivirus client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. -The Block at First Sight feature only uses the cloud protection backend for executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file. +In Windows 10, version 1803, the Block at First Sight feature can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. - +The Block at First Sight feature only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file. If the cloud backend is unable to make a determination, the file will be locked by Windows Defender AV while a copy is uploaded to the cloud. The cloud will perform additional analysis to reach a determination before it allows the file to run or blocks it in all future encounters, depending on whether the file is determined to be malicious or safe. 
@@ -67,15 +64,30 @@ In many cases this process can reduce the response time for new malware from hou Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work. Usually, these settings are already enabled in most default Windows Defender AV deployments in enterprise networks. +### Confirm Block at First Sight is enabled with Intune + +1. In Intune, navigate to **Device configuration - Profiles > *Profile name* > Device restrictions > Windows Defender Antivirus**. + + > [!NOTE] + > The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type. + +2. Verify these settings are configured as follows: + + - **Cloud-delivered protection**: **Enable** + - **File Blocking Level**: **High** + - **Time extension for file scanning by the cloud**: **50** + - **Prompt users before sample submission**: **Send all data without prompting** + +For more information about configuring Windows Defender AV device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). + +For a list of Windows Defender AV device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus). ### Confirm Block at First Sight is enabled with Group Policy 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. 
Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** and configure the following Group Policies: @@ -113,7 +125,7 @@ The feature is automatically enabled as long as **Cloud-based protection** and * 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: -![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png) + ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png) 3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. @@ -137,9 +149,7 @@ You may choose to disable the Block at First Sight feature if you want to retain 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree through **Windows components > Windows Defender Antivirus > MAPS**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md index b3a7c51466..247e68bc23 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 08/26/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/30/2018 --- # Configure the cloud block timeout period @@ -20,7 +20,7 @@ ms.date: 08/26/2017 **Applies to:** -- Windows 10, version 1703 +- Windows 10, version 1703 and later **Audience** @@ -53,9 +53,7 @@ You can use Group Policy to specify an extended timeout for cloud checks. 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration**. - -3. Click **Policies** then **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 4. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine** diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md index 4b2e00bfec..8ff899a974 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt +author: andreabichsel +ms.author: v-anbic ms.date: 08/26/2017 --- 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md index 761ad06d6b..ce689900bf 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt +author: andreabichsel +ms.author: v-anbic ms.date: 07/27/2017 --- diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 65858fabe3..9381eb05f6 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 11/07/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 07/10/2018 --- # Configure and validate exclusions based on file extension and folder location 
@@ -97,9 +97,7 @@ You can [configure how locally and globally defined exclusions lists are merged] 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. @@ -188,8 +186,7 @@ See [How to create and deploy antimalware policies: Exclusion settings](https:// **Use Microsoft Intune to configure file name, folder, or file extension exclusions:** - -See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details. +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. **Use the Windows Defender Security Center app to configure file name, folder, or file extension exclusions:** diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md index e84172c1e3..55f4c3f930 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/17/2018 +ms.date: 04/30/2018 --- # Prevent or allow users to locally modify Windows Defender AV policy settings @@ -45,9 +45,7 @@ To configure these settings: 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. @@ -89,9 +87,7 @@ You can disable this setting to ensure that only globally defined lists (such as 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Antivirus**. 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index 2de4642ade..b4751e5cad 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/04/2018 +ms.date: 04/30/2018 --- # Configure and validate network connections for Windows Defender Antivirus @@ -19,7 +19,7 @@ ms.date: 04/04/2018 **Applies to:** -- Windows 10 (some instructions are only applicable for Windows 10, version 1703) +- Windows 10 (some instructions are only applicable for Windows 10, version 1703 or later) **Audience** diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md index 39660adda8..060372f38b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md @@ -9,16 +9,16 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 10/31/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/30/2018 --- # Configure the notifications that appear on endpoints **Applies to:** -- Windows 10, version 1703 +- Windows 10, version 1703 and later **Audience** 
@@ -63,7 +63,7 @@ You can configure the display of additional notifications, such as recent threat 3. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Policies** then **Administrative templates**. +4. Click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Antivirus > Reporting**. @@ -88,9 +88,7 @@ See the [Customize the Windows Defender Security Center app for your organizatio 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. @@ -102,7 +100,7 @@ See the [Customize the Windows Defender Security Center app for your organizatio 3. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Policies** then **Administrative templates**. +4. Click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md index 7ec2957bda..43501a9510 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 07/27/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 07/10/2018 --- # Configure exclusions for files opened by processes @@ -71,9 +71,7 @@ You can [configure how locally and globally defined exclusions lists are merged] 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. 
@@ -144,8 +142,7 @@ See [How to create and deploy antimalware policies: Exclusion settings](https:// **Use Microsoft Intune to exclude files that have been opened by specified processes from scans:** - -See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details. +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. **Use the Windows Defender Security Center app to exclude files that have been opened by specified processes from scans:** 
@@ -175,7 +172,7 @@ Environment variables | The defined variable will be populated as a path when th ## Review the list of exclusions -You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). +You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). If you use PowerShell, you can retrieve the list in two ways: diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md index 12b87815c2..8eaf0cfc8f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt +author: andreabichsel +ms.author: v-anbic ms.date: 08/26/2017 --- 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md index ab4cd78ac7..d97f720028 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 08/26/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/30/2018 --- @@ -50,9 +50,7 @@ To configure these settings: 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. 
@@ -87,9 +85,7 @@ The main real-time protection capability is enabled by default, but you can disa 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Antivirus > Real-time protection**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md index 8fbf0984c3..c409e9402c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 08/26/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 07/10/2018 --- 
@@ -35,7 +35,7 @@ ms.date: 08/26/2017 When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender AV should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats. -This topic describes how to configure these settings with Group Policy, but you can also use [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-default-actions-settings). +This topic describes how to configure these settings with Group Policy, but you can also use [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) to configure these settings. 
@@ -47,9 +47,7 @@ To configure these settings: 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md index ed4fbd000f..1b9179c6b3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 07/27/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 05/17/2018 --- # Configure exclusions in Windows Defender AV on Windows Server 
@@ -55,15 +55,16 @@ In Windows Server 2016 the predefined exclusions delivered by definition updates > [!WARNING] > Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 roles. +> [!NOTE] +> This setting is only supported on Windows Server 2016. While this setting exists in Windows 10, it doesn't have an effect on exclusions. + You can disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, and WMI. **Use Group Policy to disable the auto-exclusions list on Windows Server 2016:** 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. @@ -91,9 +92,6 @@ See the following for more information and allowed parameters: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) - - - ## List of automatic exclusions The following sections contain the exclusions that are delivered with automatic exclusions file paths and file types. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md index 878ec50fed..ecc4190de1 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt +author: andreabichsel +ms.author: v-anbic ms.date: 08/26/2017 --- diff --git a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md index ca162858e4..5c57af4d4c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md @@ -9,8 +9,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt +author: andreabichsel +ms.author: v-anbic ms.date: 08/26/2017 --- diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md index b93c8c5f55..12275ec64d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 08/26/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 07/19/2018 --- # Deploy, manage, and report on Windows Defender Antivirus 
@@ -41,13 +41,13 @@ You'll also see additional links for: Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options ---|---|---|--- System Center Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] -Microsoft Intune|[Deploy the Microsoft Intune client to endpoints][]|Use and deploy a [custom Intune policy][] and use the Intune console to [manage tasks][]|[Monitor endpoint protection in the Microsoft Intune administration console][] +Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/en-us/intune/device-management) Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][] PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference][] and [Update-MpSignature] [] cmdlets available in the Defender module|Use the appropriate [Get- cmdlets available in the Defender module][] Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update 
options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][] Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD. -1. The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager, current branch (for example, System Center Configuration Manager 2016) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager, current branch (2016). 
See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for a table that describes the major differences. [(Return to table)](#ref2) +1. The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager (Current Branch) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2) 2. In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2) diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md index 9984525b5e..dbd8572db4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md 
@@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 12/12/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/30/2018 --- # Deploy and enable Windows Defender Antivirus diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md index a45301b39d..41343abb5c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 08/26/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/30/2018 --- # Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 9f225964af..fa6dae36c3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -9,9 +9,9 @@ ms.mktglfcycl: detect ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 11/20/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 07/10/2018 --- # Detect and block Potentially Unwanted Applications 
@@ -107,8 +107,7 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use **Use Intune to configure the PUA protection feature** -See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details. - +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index 24b6f61d0a..da5b515967 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 11/20/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 07/10/2018 --- # Enable cloud-delivered protection in Windows Defender AV 
@@ -57,7 +57,7 @@ There are specific network-connectivity requirements to ensure your endpoints ca 3. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Policies** then **Administrative templates**. +4. Click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** 
@@ -108,25 +108,22 @@ See the following for more information and allowed parameters: **Use Intune to enable cloud-delivered protection** -1. Open the [Microsoft Intune administration console](https://manage.microsoft.com/), and navigate to the associated policy you want to configure. -2. Under the **Endpoint Protection** setting, scroll down to the **Endpoint Protection Service** section set the **Submit files automatically when further analysis is required** setting to either of the following: - 1. **Send samples automatically** - 1. **Send all samples automatically** +1. Sign in to the [Azure portal](https://portal.azure.com). +2. Select **All services > Intune**. +3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). +4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**. +5. On the **Cloud-delivered protection** switch, select **Enable**. +6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**. +7. In the **Submit samples consent** dropdown, select one of the following: + 1. **Send safe samples automatically** + 2. **Send all samples automatically** > [!WARNING] > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. -5. 
Scroll down to the **Microsoft Active Protection Service** section and set the following settings: - - Setting | Set to - --|-- - Join Microsoft Active Protection Service | Yes - Membership level | Advanced - Receive dynamic definitions based on Microsoft Active Protection Service reports | Yes +8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. + +For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/en-us/intune/device-profiles) -3. Save and [deploy the policy as usual](https://docs.microsoft.com/en-us/intune/deploy-use/common-windows-pc-management-tasks-with-the-microsoft-intune-computer-client). - -See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) for more details. - **Enable cloud-delivered protection on individual clients with the Windows Defender Security Center app** > [!NOTE] > If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. diff --git a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md index 2636c7abd9..225ea553da 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 11/20/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/30/2018 --- # Evaluate Windows Defender Antivirus protection @@ -19,7 +19,7 @@ ms.date: 11/20/2017 **Applies to:** -- Windows 10, version 1703 +- Windows 10, version 1703 and later **Audience** diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png index 854e2b209d..f55eea0b2c 100644 Binary files a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png and b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc-defs.png b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc-defs.png index 42864aafbb..85c2948477 100644 Binary files a/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc-defs.png and b/windows/security/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc-defs.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md index 78f6f1e33e..d0d4cfd9db 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 10/16/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/30/2018 --- @@ -22,7 +22,7 @@ ms.date: 10/16/2017 **Applies to:** -- Windows 10, version 1703 +- Windows 10, version 1703 and later **Audience** @@ -39,6 +39,7 @@ Limited periodic scanning is a special type of threat detection and remediation It can only be enabled in certain situations. See the [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md) topic for more information on when limited periodic scanning can be enabled, and how Windows Defender Antivirus works with other AV products. +**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a very limited subset of the capabilities of Windows Defender Antivirus to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively. ## How to enable limited periodic scanning @@ -69,4 +70,4 @@ Sliding the swtich to **On** will show the standard Windows Defender AV options ## Related topics - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
index e5cf0f54e3..a15ae25596 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
@@ -9,9 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 08/26/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 04/30/2018
 ---
 # Manage event-based forced updates
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
index 8095eff3ae..00b1ed1c2f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
@@ -9,9 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 08/26/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 04/30/2018
 ---
 # Manage updates and scans for endpoints that are out of date
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
index 968e10782b..650a73dafb 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
@@ -9,9 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 08/26/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 04/30/2018
 ---
 # Manage the schedule for when protection updates should be downloaded and applied
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
index 2d2614358f..5eab19050c 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
@@ -9,9 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 08/26/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 04/30/2018
 ---
 # Manage the sources for Windows Defender Antivirus protection updates
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
index d282a66fb9..99051e2f5f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
@@ -9,9 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 12/12/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 04/30/2018
 ---
 # Manage Windows Defender Antivirus updates and apply baselines
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
index ae9fbfef91..de30dd760f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
@@ -9,9 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 08/26/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 04/30/2018
 ---
 # Manage updates for mobile devices and virtual machines (VMs)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
index 6142a3aa14..d0306388a6 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
@@ -9,9 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 08/26/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 04/30/2018
 ---
 # Prevent users from seeing or interacting with the Windows Defender AV user interface
@@ -56,7 +56,7 @@ In earlier versions of Windows 10, the setting will hide the Windows Defender cl
 3. In the **Group Policy Management Editor** go to **Computer configuration**.
-4. Click **Policies** then **Administrative templates**.
+4. Click **Administrative templates**.
 5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
@@ -76,7 +76,7 @@ You can prevent users from pausing scans. This can be helpful to ensure schedule
 3. In the **Group Policy Management Editor** go to **Computer configuration**.
-4. Click **Policies** then **Administrative templates**.
+4. Click **Administrative templates**.
 5. Expand the tree to **Windows components > Windows Defender Antivirus > Scan**.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
index 2d59eb2f93..79696c63e9 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
@@ -9,9 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 08/26/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 07/10/2018
 ---
 # Report on Windows Defender Antivirus protection
@@ -28,7 +28,7 @@ There are a number of ways you can review protection status and alerts, dependin
-You can use System Center Configuration Manager to [monitor Windows Defender AV protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using the [Microsoft Intune console](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection).
+You can use System Center Configuration Manager to [monitor Windows Defender AV protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using [Microsoft Intune](https://docs.microsoft.com/en-us/intune/introduction-intune).
 Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender AV issues, including protection updates and real-time protection settings.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
index fcf92cbd9d..151f4e6a10 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
@@ -9,9 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 08/26/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 07/10/2018
 ---
 # Review Windows Defender AV scan results
@@ -83,7 +83,9 @@ Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**]
 **Use Microsoft Intune to review Windows Defender AV scan results:**
-See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Monitor Endpoint Protection](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection).
+1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
+
+2. Click the scan results in **Device actions status**.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
index 3ba6851fdc..4aa2447988 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
@@ -9,9 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 08/26/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 07/10/2018
 ---
@@ -98,8 +98,9 @@ See the following for more information and allowed parameters:
 **Use Microsoft Intune to run a scan:**
+1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
-See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Run a malware scan](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#run-a-malware-scan-or-update-malware-definitions-on-a-computer) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
+2. Select **...More** and then select **Quick Scan** or **Full Scan**.
 ## Related topics
diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
index 1675810808..8e4b44e881 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
@@ -9,9 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 10/30/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 07/26/2018
 ---
@@ -43,7 +43,7 @@ In addition to always-on real-time protection and [on-demand](run-scan-windows-d
 You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-windows-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
-This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intunespecify-scan-schedule-settings).
+This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure).
 To configure the Group Policy settings described in this topic:
@@ -51,7 +51,7 @@ To configure the Group Policy settings described in this topic:
 3. In the **Group Policy Management Editor** go to **Computer configuration**.
-4. Click **Policies** then **Administrative templates**.
+4. Click **Administrative templates**.
 5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
@@ -83,8 +83,8 @@ Location | Setting | Description | Default setting (if not configured)
 ---|---|---|---
 Scan | Specify the scan type to use for a scheduled scan | Quick scan
 Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
-Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
-Root | Randomize scheduled task times | Randomize the start time of the scan to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments | Enabled
+Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am
+Root | Randomize scheduled task times | Randomize the start time of the scan to any interval from 0 to 4 hours, or to any interval plus or minus 30 minutes for non-Windows Defender scans. This can be useful in VM or VDI deployments. | Enabled
 **Use PowerShell cmdlets to schedule scans:**
diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
index c938860d27..b2b7a4640f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
@@ -9,9 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 08/26/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 07/19/2018
 ---
 # Specify the cloud-delivered protection level
@@ -20,7 +20,7 @@ ms.date: 08/26/2017
 **Applies to:**
-- Windows 10, version 1703
+- Windows 10, version 1703 and later
 **Audience**
@@ -30,6 +30,7 @@ ms.date: 08/26/2017
 - Group Policy
 - System Center Configuration Manager (current branch)
+- Intune
 You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager.
@@ -44,7 +45,7 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi
 3. In the **Group Policy Management Editor** go to **Computer configuration**.
-4. Click **Policies** then **Administrative templates**.
+4. Click **Administrative templates**.
 5. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**.
@@ -59,7 +60,25 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi
 1. See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
+**Use Intune to specify the level of cloud-delivered protection:**
+1. Sign in to the [Azure portal](https://portal.azure.com).
+2. Select **All services > Intune**.
+3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure).
+4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**.
+5. On the **File Blocking Level** switch, select one of the following:
+
+ 1. **High** to provide a strong level of detection
+ 2. **High +** to apply additional protection measures
+ 3. **Zero tolerance** to block all unknown executables
+
+ > [!WARNING]
+ > While unlikely, setting this switch to **High** might cause some legitimate files to be detected. The **High +** setting might impact client performance. We recommend you set this to the default level (**Not configured**).
+
+8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
+
+For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/en-us/intune/device-profiles)
+
 ## Related topics
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md index 0dd2646921..28d890360d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md +++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 09/12/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/30/2018 --- # Troubleshoot Windows Defender Antivirus reporting in Update Compliance diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md index 3b17d0a161..c71d3ab6c0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 11/20/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/16/2018 --- # Review event logs and error codes to troubleshoot issues with Windows Defender AV @@ -1377,6 +1377,60 @@ User action: No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported on an hourly basis. + + +Event ID: 1151 + + +Symbolic name: + + +MALWAREPROTECTION_SERVICE_HEALTH_REPORT + + + + +Message: + + +Endpoint Protection client health report (time in UTC) + + + + + +Description: + + +Windows Defender client health report. +
                  +
                  Platform Version: <Current platform version>
                  +
                  Engine Version: <Antimalware Engine version>
                  +
                  Network Realtime Inspection engine version: <Network Realtime Inspection engine version>
                  +
                  Antivirus signature version: <Antivirus signature version>
                  +
                  Antispyware signature version: <Antispyware signature version>
                  +
                  Network Realtime Inspection signature version: <Network Realtime Inspection signature version>
                  +
                  RTP state: <Realtime protection state> (Enabled or Disabled)
                  +
                  OA state: <On Access state> (Enabled or Disabled)
                  +
                  IOAV state: <IE Downloads and Outlook Express Attachments state> (Enabled or Disabled)
                  +
                  BM state: <Behavior Monitoring state> (Enabled or Disabled)
                  +
                  Antivirus signature age: <Antivirus signature age> (in days)
                  +
                  Antispyware signature age: <Antispyware signature age> (in days)
                  +
                  Last quick scan age: <Last quick scan age> (in days)
                  +
                  Last full scan age: <Last full scan age> (in days)
                  +
                  Antivirus signature creation time: ?<Antivirus signature creation time>
                  +
                  Antispyware signature creation time: ?<Antispyware signature creation time>
                  +
                  Last quick scan start time: ?<Last quick scan start time>
                  +
                  Last quick scan end time: ?<Last quick scan end time>
                  +
                  Last quick scan source: <Last quick scan source> (1 = scheduled, 2 = on demand)
                  +
                  Last full scan start time: ?<Last full scan start time>
                  +
                  Last full scan end time: ?<Last full scan end time>
                  +
                  Last full scan source: <Last full scan source> (1 = scheduled, 2 = on demand)
                  +
                  Product status: For internal troubleshooting +
                  + + + Event ID: 2000 diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md index cfcd2ef54f..f13977e93c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 08/26/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/30/2018 --- # Use Group Policy settings to configure and manage Windows Defender AV @@ -28,7 +28,7 @@ In general, you can use the following procedure to configure or change Windows D 3. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Policies** then **Administrative templates**. +4. Click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Antivirus**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md index 80e0cb124d..403cf6a2e3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md 
@@ -9,9 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 08/26/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 07/19/2018
 ---
 # Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
@@ -22,7 +22,7 @@ In some cases, the protection will be labeled as Endpoint Protection, although t
 See the [Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager.
-For Microsoft Intune, consult the [Help secure Windows PCs with Endpoint Protection for Microsoft Intune library](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune).
+For Microsoft Intune, consult the [Microsoft Intune library](https://docs.microsoft.com/en-us/intune/introduction-intune) and [Configure device restriction settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure).
 ## Related topics
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
index 7f32a7cfe9..8a77b98ed5 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
@@ -9,8 +9,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: iaanw
-ms.author: iawilt
+author: andreabichsel
+ms.author: v-anbic
 ms.date: 12/12/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
index 98a25ed21b..f8c35eb6c8 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
@@ -9,8 +9,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: iaanw
-ms.author: iawilt
+author: andreabichsel
+ms.author: v-anbic
 ms.date: 08/26/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
index c4fb7fbc8c..fc5487d680 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
@@ -11,14 +11,14 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 04/17/2018
+ms.date: 05/21/2018
 ---
 # Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection
 **Applies to:**
-- Windows 10, version 1703
+- Windows 10, version 1703 and later
 **Audience**
@@ -42,7 +42,7 @@ To understand how next-gen technologies shorten protection delivery time through
-Read the following blogposts for detailed protection stories involving cloud-protection and Microsoft AI:
+Read the following blog posts for detailed protection stories involving cloud-protection and Microsoft AI:
 - [Why Windows Defender Antivirus is the most deployed in the enterprise](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise/)
 - [Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/)
@@ -54,6 +54,8 @@ Read the following blogposts for detailed protection stories involving cloud-pro
 Cloud-delivered protection is enabled by default. However, you may need to re-enable it if it has been disabled as part of previous organizational policies.
+Organizations running Windows 10 E5, version 1803 can also take advantage of emergency dynamic intelligence updates, which provide near real-time protection from emerging threats. When you turn cloud-delivered protection on, we can deliver a fix for a malware issue via the cloud within minutes instead of waiting for the next update.
+
 >[!TIP]
 >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
@@ -61,12 +63,11 @@ Cloud-delivered protection is enabled by default. However, you may need to re-en
 The following table describes the differences in cloud-delivered protection between recent versions of Windows and System Center Configuration Manager.
-Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | Configuration manager 2012 | Configuration manager (current branch) | Microsoft Intune
+Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | System Center Configuration Manager 2012 | System Center Configuration Manager (Current Branch) | Microsoft Intune
 ---|---|---|---|---|---|---
 Cloud-protection service label | Microsoft Advanced Protection Service | Microsoft Advanced Protection Service | Cloud-based Protection | NA | Cloud protection service | Microsoft Advanced Protection Service
 Reporting level (MAPS membership level) | Basic, Advanced | Advanced | Advanced | Dependent on Windows version | Dependent on Windows version | Dependent on Windows version
-Block at first sight availability | No | Yes | Yes | Not configurable | Configurable | No
-Cloud block timeout period | No | No | Configurable | Not configurable | Configurable | No
+Cloud block timeout period | No | No | Configurable | Not configurable | Configurable | Configurable
 You can also [configure Windows Defender AV to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-windows-defender-antivirus.md#cloud-report-updates).
@@ -79,4 +80,4 @@ You can also [configure Windows Defender AV to automatically receive new protect [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and System Center Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked. [Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md) | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection. [Configure the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for a traditional signature. You can enable and configure it with System Center Configuration Manager and Group Policy. -[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with System Center Configuration Manager and Group Policy. \ No newline at end of file +[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. 
You can configure the amount of time the file will be prevented from running with System Center Configuration Manager and Group Policy.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index fb71bda388..db9fd10f0d 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -68,12 +68,12 @@ This table indicates the functionality and features that are available in each s State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Threat definition updates](manage-updates-baselines-windows-defender-antivirus.md) :-|:-|:-:|:-:|:-:|:-:|:-: Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)]] +Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. 
| [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Passive mode is enabled if you are enrolled in Windows Defender ATP because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks. +If you are enrolled in Windows Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks. 
-Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product goes out of date, is not updated, or stops providing real-time protection from viruses, malware, and other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app. +Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app. In passive and automatic disabled mode, you can still [manage updates for Windows Defender AV](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. @@ -90,4 +90,4 @@ In passive and automatic disabled mode, you can still [manage updates for Window ## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) \ No newline at end of file +- [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md index 541ca154a0..ae39992504 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/17/2018 +ms.date: 04/30/2018 --- # Windows Defender Antivirus in Windows 10 and Windows Server 2016 @@ -49,6 +49,12 @@ Some of the highlights of Windows Defender AV include: >- Fast learning (including Block at first sight) >- Potentially unwanted application blocking +## What's new in Windows 10, version 1803 + +- The [Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. +- The [Virus & threat protection area in the Windows Defender Security Center](windows-defender-security-center-antivirus.md) now includes a section for Ransomware protection. It includes Controlled folder access settings and Ransomware recovery settings. + + ## What's new in Windows 10, version 1703 New features for Windows Defender AV in Windows 10, version 1703 include: @@ -60,9 +66,6 @@ We've expanded this documentation library to cover end-to-end deployment, manage - [Evaluation guide for Windows Defender AV](evaluate-windows-defender-antivirus.md) - [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](deployment-vdi-windows-defender-antivirus.md) -See the [In this library](#in-this-library) list at the end of this topic for links to each of the updated sections in this library. - - ## Minimum system requirements 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md index c6efd499b0..c58ed524ef 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 08/26/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/30/2018 --- # Run and review the results of a Windows Defender Offline scan @@ -19,7 +19,7 @@ ms.date: 08/26/2017 **Applies to:** -- Windows 10, version 1607 +- Windows 10, version 1607 and later **Audience** diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md index af01e728aa..e7349b1a3f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md @@ -9,20 +9,16 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 10/02/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/30/2018 --- - - - - # Windows Defender Antivirus in the Windows Defender Security Center app **Applies to** -- Windows 10, version 1703 +- Windows 10, version 1703 and later **Audience** 
@@ -33,12 +29,12 @@ ms.date: 10/02/2017 - Windows Defender Security Center app -In Windows 10, version 1703 (also known as the Creators Update), the Windows Defender app is now part of the Windows Defender Security Center. +In Windows 10, version 1703 and later, the Windows Defender app is part of the Windows Defender Security Center. Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703. > [!IMPORTANT] -> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These will be disabled automatically when a third-party antivirus or firewall product is installed and kept up to date. +> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date. > [!WARNING] > If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. 
@@ -49,7 +45,7 @@ Settings that were previously part of the Windows Defender client and main Windo See the [Windows Defender Security Center topic](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app. >[!NOTE] ->The Windows Defender Security Center app is a client interface on Windows 10, version 1703. It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). +>The Windows Defender Security Center app is a client interface on Windows 10, version 1703 and later. It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). **Review virus and threat protection settings in the Windows Defender Security Center app:** 
@@ -69,18 +65,18 @@ The following diagrams compare the location of settings and functions between th ![Windows Defender Antivirus in Windows 10, version 1703 and later](images/defender/wdav-wdsc.png) -Item | Windows 10, before version 1703 | Windows 10, version 1703 | Description +Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | Description ---|---|---|--- 1 | **Update** tab | **Protection updates** | Update the protection ("definition updates") 2 | **History** tab | **Scan history** | Review threats that were quarantined, removed, or allowed 3 | **Settings** (links to **Windows Settings**) | **Virus & threat protection settings** | Enable various features, including Real-time protection, Cloud-delivered protection, Advanced notifications, and Automatic ample submission 4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Windows Defender Offline scan -5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 you can run custom and full scans under the **Advanced scan** option +5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 and later, you can run custom and full scans under the **Advanced scan** option ## Common tasks -This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the new Windows Defender Security Center app. +This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the Windows Defender Security Center app. > [!NOTE] > If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. 
Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) topic describes how local policy override settings can be configured. @@ -91,9 +87,9 @@ This section describes how to perform some of the most common tasks when reviewi 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). -3. Click **Quick scan**. +3. Click **Scan now**. -4. Click **Advanced scan** to specify different types of scans, such as a full scan. +4. Click **Run a new advanced scan** to specify different types of scans, such as a full scan. **Review the definition update version and download the latest updates in the Windows Defender Security Center app** @@ -101,7 +97,7 @@ This section describes how to perform some of the most common tasks when reviewi 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). -3. Click **Protection updates**. The currently installed version is displayed along with some information about when it was downloaded. You can check this against the latest version available for manual download, or review the change log for that version. +3. Click **Virus & threat protection updates**. The currently installed version is displayed along with some information about when it was downloaded. You can check this against the latest version available for manual download, or review the change log for that version. ![Definition version number information](images/defender/wdav-wdsc-defs.png) 
@@ -142,12 +138,21 @@ This section describes how to perform some of the most common tasks when reviewi 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). -3. Click **Scan history**. +3. Click **Threat history**. 4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**). - + +**Set ransomware protection and recovery options** +1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). + +3. Click **Ransomware protection**. + +4. To change Controlled folder access settings, see [Protect important folders with Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard). + +5. To set up ransomware recovery options, click **Set up** under **Ransomware data recovery** and follow the instructions for linking or setting up your OneDrive account so you can easily recover from a ransomware attack. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 6644912c09..1d9c033045 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md 
@@ -11,14 +11,16 @@ ## [Windows Defender Application Control deployment guide](windows-defender-application-control-deployment-guide.md) ### [Types of devices](types-of-devices.md) -### [Use WDAC with a managed installer](use-windows-defender-application-control-with-managed-installer.md) ###Use WDAC with custom policies #### [Create an initial default policy](create-initial-default-policy.md) #### [Microsoft recommended block rules](microsoft-recommended-block-rules.md) ### [Audit WDAC policies](audit-windows-defender-application-control-policies.md) ### [Merge WDAC policies](merge-windows-defender-application-control-policies.md) ### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md) -### [Deploy WDAC policies](deploy-windows-defender-application-control-policies-using-group-policy.md) +### [Deploy WDAC with a managed installer](use-windows-defender-application-control-with-managed-installer.md) +### [Deploy WDAC with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md) +### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md) +### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md) ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) #### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) #### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) 
@@ -28,6 +30,7 @@ ### [Use signed policies to protect Windows Defender Application Control against tampering](use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md) #### [Signing WDAC policies with SignTool.exe](signing-policies-with-signtool.md) ### [Disable WDAC policies](disable-windows-defender-application-control-policies.md) +### [Device Guard and AppLocker](windows-defender-device-guard-and-applocker.md) ## [AppLocker](applocker\applocker-overview.md) ### [Administer AppLocker](applocker\administer-applocker.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index 1af9eefb4c..d48aa2c008 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: high +ms.localizationpriority: medium author: brianlic-msft ms.date: 10/16/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md index 58bfcf7ebb..3330eda208 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md 
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 09/21/2017 +ms.date: 06/08/2018 --- # Configure an AppLocker policy for audit only @@ -21,8 +21,6 @@ This topic for IT professionals describes how to set AppLocker policies to **Aud After AppLocker rules are created within the rule collection, you can configure the enforcement setting to **Enforce rules** or **Audit only**. When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log. - ->**Note:**  There is no audit mode for the DLL rule collection. DLL rules affect specific apps. Therefore, test the impact of these rules first before deploying them to production. To enable the DLL rule collection, see [Enable the DLL rule collection](enable-the-dll-rule-collection.md).   You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md index ffbec0bb55..5ee0ccdb96 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md 
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 09/21/2017 +ms.date: 08/02/2018 --- # Delete an AppLocker rule @@ -16,7 +16,7 @@ ms.date: 09/21/2017 - Windows 10 - Windows Server -This topic for IT professionals describes the steps to delete an AppLocker rule. +This topic for IT professionals describes the steps to delete an AppLocker rule. As older apps are retired and new apps are deployed in your organization, it will be necessary to modify the application control policies. If an app becomes unsupported by the IT department or is no longer allowed due to the organization's security policy, then deleting the rule or rules associated with that app will prevent the app from running. @@ -25,6 +25,8 @@ For info about testing an AppLocker policy to see what rules affect which files You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). +These steps apply only for locally managed devices. If the device has AppLocker policies applied by using MDM or a GPO, the local policy will not override those settings. + **To delete a rule in an AppLocker policy** 1. Open the AppLocker console. @@ -43,6 +45,7 @@ Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter, using an .XML       + To use the Set-AppLockerPolicy cmdlet, first import the Applocker modules: diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md index 846cc26a49..70eb43cab4 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: high
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
index c7ccf71667..f2d785d66a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
@@ -6,9 +6,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: high
+ms.localizationpriority: medium
 author: jsuther1974
-ms.date: 02/27/2018
+ms.date: 05/03/2018
 ---
 
 # Audit Windows Defender Application Control policies
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
index 3c1bd40618..ce654afdd8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
@@ -6,9 +6,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: high
+ms.localizationpriority: medium
 author: jsuther1974
-ms.date: 02/27/2018
+ms.date: 05/03/2018
 ---
 
 # Create a Windows Defender Application Control policy from a reference computer
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
new file mode 100644
index 0000000000..2012791205
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
@@ -0,0 +1,33 @@ +--- +title: Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Intune (Windows 10) +description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: justinha +ms.date: 05/17/2018 +--- + +# Deploy Windows Defender Application Control policies by using Microsoft Intune + +**Applies to:** + +- Windows 10 +- Windows Server 2016 + +You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). You can configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or let them also run reputable apps defined by the Intelligent Security Graph. + +1. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**. + +3. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Endpoint protection** as the **Profile type**. + + ![Configure profile](images\wdac-intune-create-profile-name.png) + +4. Click **Configure** > **Windows Defender Application Control**, choose from the following settings and then click **OK**: + + - **Application control code intergity policies**: Select **Audit only** to log events but not block any apps from running or select **Enforce** to allow only Windows components and Store apps to run. + - **Trust apps with good reputation**: Select **Enable** to allow reputable apps as defined by the Intelligent Security Graph to run in addition to Windows components and Store apps. + + ![Configure WDAC](images\wdac-intune-wdac-settings.png) 
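Review bot: Step 4 of the new Intune topic spells the setting name `**Application control code intergity policies**`; unless the portal label itself carries that spelling, it should read `**Application control code integrity policies**`. The numbered steps run 1, 3, 4, which suggests a step was dropped or the list was never renumbered. Both image links use backslashes (`images\wdac-intune-create-profile-name.png`), and forward slashes are the portable form in Markdown links, so `images/wdac-intune-create-profile-name.png` and `images/wdac-intune-wdac-settings.png` are safer. The settings list would also benefit from one sentence advising **Audit only** first and a review of the logged events before switching to **Enforce**, since the text says enforcement allows only Windows components and Store apps to run.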
diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md index b81a9aacaa..188693edf8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: high +ms.localizationpriority: medium author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 05/03/2018 --- # Disable Windows Defender Application Control policies diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md index 9d87450308..3315c79715 100644 --- a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: high +ms.localizationpriority: medium author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 05/03/2018 --- # Enforce Windows Defender Application Control policies 
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png new file mode 100644 index 0000000000..1b5483103b Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png new file mode 100644 index 0000000000..55f5173b03 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md index 4437fc78ee..718fc4a51c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: high +ms.localizationpriority: medium author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 05/03/2018 --- # Manage packaged apps with Windows Defender Application Control 
diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md index eb35054956..8e2c628037 100644 --- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: high +ms.localizationpriority: medium author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 05/03/2018 --- # Merge Windows Defender Application Control policies diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index ca85529b51..1aec53e4ed 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -4,9 +4,9 @@ description: To help you plan and begin the initial test stages of a deployment keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 07/16/2018 --- # Microsoft recommended block rules @@ -59,6 +59,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you |Alex Ionescu | @aionescu| |Lee Christensen|@tifkin_| |Vladas Bulavas | Kaspersky Lab | +|Lasse Trolle Borup | Langkjaer Cyber Defence |
                  @@ -77,32 +78,32 @@ For October 2017, we are announcing an update to system.management.automation.dl Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet: -``` - -- +```xml + + 10.0.0.0 {A244370E-44C9-4C06-B551-F6016E563076} {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} -- -- + + -- + -- + -- + -- -- -- + @@ -132,6 +133,7 @@ Microsoft recommends that you block the following Microsoft-signed applications + @@ -159,7 +161,7 @@ Microsoft recommends that you block the following Microsoft-signed applications -- @@ -382,104 +384,407 @@ Microsoft recommends that you block the following Microsoft-signed applications - -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- + + + + + -- -- -- -- -- -- + + + + -- -- -- + + + @@ -508,6 +813,7 @@ Microsoft recommends that you block the following Microsoft-signed applications + @@ -794,7 +1100,305 @@ Microsoft recommends that you block the following Microsoft-signed applications - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md index 3f8d489fb7..8c0a834285 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md @@ -4,7 +4,7 @@ description: Typically, deployment of Windows Defender Application Control happe keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium author: brianlic-msft ms.date: 03/01/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md index 0148e43cae..d973298558 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md 
@@ -43,7 +43,7 @@ You might need to control a limited number of apps because they access sensitive |Control only Classic Windows applications, only Universal Windows apps, or both| WDAC policies control apps by creating an allowed list of apps based on code signing certificate and\or file hash information. Because Universal Windows apps are all signed by the Windows Store, Classic Windows applications and Universal Windows apps can be controlled together. WDAC policies for Universal Windows apps can be applied only to apps that are installed on PCs that support the Microsoft Store, but Classic Windows applications can be controlled with WDAC on Windows. The rules you currently have configured for Classic Windows applications can remain, and you can create new ones for Universal Windows apps.| | Control apps by business group | WDAC policies can be applied through a Group Policy Object (GPO) to computer objects within an organizational unit (OU). | | Control apps by computer, not user | WDAC is a computer-based policy implementation. If your domain or site organizational structure is not based on a logical user structure, such as an OU, you might want to set up that structure before you begin your WDAC planning. Otherwise, you will have to identify users, their computers, and their app access requirements.| -|Understand app usage, but there is no need to control any apps yet | WDAC policies can be set to audit app usage to help you track which apps are used in your organization. You can then use teh CodeIntegrity log in Event Viewer to create WDAC policies.| +|Understand app usage, but there is no need to control any apps yet | WDAC policies can be set to audit app usage to help you track which apps are used in your organization. You can then use the CodeIntegrity log in Event Viewer to create WDAC policies.| ### How do you currently control app usage in your organization? 
@@ -135,4 +135,4 @@ Because the effectiveness of application control policies is dependent on the ab   ## Record your findings -The next step in the process is to record and analyze your answers to the preceding questions. If WDAC is the right solution for your goals, you can set your application control policy objectives and plan your WDAC rules. \ No newline at end of file +The next step in the process is to record and analyze your answers to the preceding questions. If WDAC is the right solution for your goals, you can set your application control policy objectives and plan your WDAC rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md index 94fa8ec867..4b6482ac05 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: high +ms.localizationpriority: medium author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 05/03/2018 --- # Use code signing to simplify application control for classic Windows applications diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index 34188e138e..27aca349ba 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: high +ms.localizationpriority: medium author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 05/03/2018 --- # Use signed policies to protect Windows Defender Application Control against tampering diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md index 7ca42368db..5e919a7437 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: high +ms.localizationpriority: medium author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 05/03/2018 --- # Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules 
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
new file mode 100644
index 0000000000..fb6831f17b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -0,0 +1,97 @@ +--- +title: Deploy Windows Defender Application Control with Intelligent Security Graph (ISG) (Windows 10) +description: Automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +author: mdsakibMSFT +ms.date: 06/14/2018 +--- + +# Use Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph + +**Applies to:** + +- Windows 10 +- Windows Server 2016 + +Application execution control can be difficult to implement in enterprises that do not have processes to effectively control the deployment of applications centrally through an IT managed system. +In such environments, users are empowered to acquire the applications they need for work, making accounting for all the applications that would need to be authorized for execution control a daunting task. + +Windows 10, version 1709 (also known as the Windows 10 Fall Creators Update) provides a new option, known as Intelligent Security Graph (ISG) authorization, that allows IT administrators to automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation. The ISG option helps IT organizations take a significant first step towards going from having no application control at all to a simple means of preventing the execution of unknown and known bad software. + +## How does the integration between WDAC and the Intelligent Security Graph work? + +The ISG relies on Microsoft’s vast security intelligence and machine learning analytics to help classify applications as having known good reputation. When users download applications on a system with WDAC enabled with the ISG authorization option specified, the reputation of the downloaded file, commonly an installer, is used to determine whether to run the installer and then that original reputation information is passed along to any files that were written by the installer. 
When any of these files try to execute after they are installed, the reputation data is used to help make the right policy authorization decision. + +After that initial download and installation, the WDAC component will check for the presence of the positive reputation information when evaluating other application execution control rules specified in the policy. If there are no deny rules present for the file, it will be authorized based on the known good reputation classification. + +The reputation data on the client is rechecked periodically and enterprises can also specify that any cached reputation results are flushed on reboot. + +>[!NOTE] +>Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, for example custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both System Center Configuration Manager (SCCM) and Microsoft Intune can be used to create and push a WDAC policy to your client machines. + +Other examples of WDAC policies are available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies and can help authorize Windows OS components, WHQL signed drivers and all Store apps. Admins can reference and customize them as needed for their Windows Defender Application Control deployment or [create a custom WDAC policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy). + +## Configuring Intelligent Security Graph authorization for Windows Defender Application Control + +Setting up the ISG authorization is easy regardless of what management solution you use. 
Configuring the ISG option involves these basic steps: + +- [Ensure that the ISG option is enabled in the WDAC policy XML](#ensure-that-the-intelligent-security-graph-option-is-enabled-in-the-wdac-policy-xml) +- [Enable the necessary services to allow WDAC to use the ISG correctly on the client](#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client) + +### Ensure that the Intelligent Security Graph option is enabled in the WDAC policy XML + +In order to enable trust for executables based on classifications in the ISG, the **Enabled:Intelligent Security Graph authorization** option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition, it is recommended from a security perspective to also enable the **Enabled:Invalidate EAs on Reboot** option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG. Caution is advised if devices will regularly transition to and from environments that may not be able to access the ISG. The following example shows both options being set. + +```code + + + + + + + + + + + + + + + + + + + + + + + +``` + +### Enable the necessary services to allow WDAC to use the ISG correctly on the client + +In order for the heuristics used by the ISG to function properly, a number of component in Windows need to be enabled. The easiest way to do this is to run the appidtel executable in c:\windows\system32. + +``` +appidtel start +``` + +For WDAC policies deployed over MDM using the AppLocker CSP this step is not required as the CSP will enable the necessary components. ISG enabled through the SCCM WDAC UX will not need this step but if custom policies are being deployed outside of the WDAC UX through SCCM then this step is required. + +## Security considerations with using the Intelligent Security Graph + +Since the ISG is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. 
It is best suited for deployment to systems where each user is configured as a standard user and there are other monitoring systems in place like Windows Defender Advanced Threat Protection to help provide optics into what users are doing. + +Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of WDAC when the ISG option is allowed by circumventing or corrupting the heuristics used to assign reputation to application executables. The ISG option uses the same heuristic tracking as managed installer and so for application installers that include an option to automatically run the application at the end of the installation process the heuristic may over-authorize. + +## Known limitations with using the Intelligent Security Graph + +Since the ISG relies on identifying executables as being known good, there are cases where it may classify legitimate executables as unknown, leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate trusted in the WDAC policy or by deployment through a WDAC managed installer. Typically, this is due to an installer or application using a dynamic file as part of execution. These files do not tend to build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG. + +Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business. it is straightforward to authorize modern apps with signer rules in the WDAC policy. + +The ISG heuristic does not authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run. + +In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. 
Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted. Review for functionality and performance for the related applications using the native images maybe necessary in some cases. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md index efb071bcb1..43d842fa8e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md @@ -4,9 +4,9 @@ description: Explains how you can use a managed installer to automatically autho keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium author: mdsakibMSFT -ms.date: 03/01/2018 +ms.date: 06/13/2018 --- # Deploy Managed Installer for Windows Defender Application Control @@ -112,7 +112,7 @@ For example: ### Enable the managed installer option in WDAC policy -In order to enable trust for the binaries laid down by managed installers, the Allow: Managed Installer option must be specified in your WDAC policy. +In order to enable trust for the binaries laid down by managed installers, the Enabled: Managed Installer option must be specified in your WDAC policy. This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). An example of the managed installer option being set in policy is shown below. 
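Review bot: The "Enable the necessary services" section of the new ISG topic gives `appidtel start` without saying it needs elevation, while the managed installer topic changed in this same commit says to run `appidtel.exe start [-mionly]` as an Administrator; the two should agree, for example with `Run the following command from an elevated prompt:` before the fence. The policy example is fenced as `code`, whereas the block-rules topic in this commit moves its policy to an `xml` fence; using `xml` here too would be consistent. Wording to fix in the same file: `Admins needs to ensure` → `Admins need to ensure`, `a number of component` → `a number of components`, `Microsoft Store for Business. it is` → `Microsoft Store for Business, it is`, and `maybe necessary` → `may be necessary`. The security-considerations section implies, but never states outright, that the ISG option is a poor fit for devices where users hold local administrator rights; saying so in the first paragraph would make the guidance harder to miss.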
@@ -135,6 +135,17 @@ An example of the managed installer option being set in policy is shown below. ``` +## Set the AppLocker filter driver to autostart + +To enable the managed installer, you need to set the AppLocker filter driver to autostart and start it. +Run the following command as an Administrator: + +```code +appidtel.exe start [-mionly] +``` + +Specify `-mionly` if you will not use the Intelligent Security Graph (ISG). + ## Security considerations with managed installer diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md index a4d05d50a0..0ebbc19cc4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md @@ -4,9 +4,9 @@ description: To help you plan and begin the initial test stages of a deployment keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 05/16/2018 --- # Planning and getting started on the Windows Defender Application Control deployment process 
@@ -60,5 +60,25 @@ This topic provides a roadmap for planning and getting started on the Windows De 8. Enable desired virtualization-based security (VBS) features. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by Windows Defender Application Control. - > [!WARNING] - > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). +## Known issues + +This section covers known issues with WDAC and Device Guard. Virtualization-based protection of code integrity may be incompatible with some devices and applications, which might cause unexpected failures, data loss, or a blue screen error (also called a stop error). +Test this configuration in your lab before enabling it in production. + +### MSI Installations are blocked by WDAC + +Installing .msi files directly from the internet to a computer protected by WDAC will fail. +For example, this command will not work: + +```code +msiexec –i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E-76209EA4F429/Windows10_Version_1511_ADMX.msi +``` + +As a workaround, download the MSI file and run it locally: + + +```code +msiexec –i c:\temp\Windows10_Version_1511_ADMX.msi +``` + + diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md index 06f9907511..35710141ab 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md 
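Review bot: Both `msiexec` examples in the new "MSI Installations are blocked by WDAC" section use an en dash (`–i`) where the switch needs an ASCII hyphen, so a reader who pastes either line gets a usage error instead of the behaviour being described; replace `–i` with `-i` (or `/i`) in both commands. The same hunk turns the `> [!WARNING]` callout about virtualization-based protection of code integrity into a plain paragraph under "Known issues" and drops "We strongly recommend"; since the text still warns of data loss and stop errors, keeping it as a `[!WARNING]` callout would preserve its visibility. The workaround sentence could also say, if that is the case, that the locally run MSI must still be permitted by the WDAC policy.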
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md @@ -4,7 +4,7 @@ description: Microsoft Windows Defender Device Guard is a feature set that consi keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium author: brianlic-msft ms.date: 02/20/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index 298f03c997..51bc9c068e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: high +ms.localizationpriority: medium author: jsuther1974 -ms.date: 02/27/2018 +ms.date: 05/03/2018 --- # Windows Defender Application Control diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-device-guard-and-applocker.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-device-guard-and-applocker.md new file mode 100644 index 0000000000..61c656fc0d --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-device-guard-and-applocker.md 
@@ -0,0 +1,22 @@
+---
+title: Windows Defender Device Guard and AppLocker (Windows 10)
+description: Explains how
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+author: jsuther1974
+ms.date: 05/03/2018
+---
+
+# Windows Defender Device Guard with AppLocker
+
+Although [AppLocker](applocker/applocker-overview.md) is not considered a new Windows Defender Device Guard feature, it complements Windows Defender Device Guard functionality when Windows Defender Application Control (WDAC) cannot be fully implemented or its functionality does not cover every desired scenario.
+There are many scenarios in which WDAC would be used alongside AppLocker rules.
+As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
+
+> [!NOTE]
+> One example of how Windows Defender Device Guard functionality can be enhanced by AppLocker is when you want to apply different policies for different users on the same device. For example, you may allow your IT support personnel to run additional apps that you do not allow for your end-users. You can accomplish this user-specific enforcement by using an AppLocker rule.
+
+AppLocker and Windows Defender Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible.
+In addition to these features, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
index 5f5563cbb6..af72b5b90d 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md @@ -5,21 +5,22 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -author: eross-msft -ms.author: lizross +author: justinha +ms.author: justinha ms.date: 10/19/2017 --- # Configure Windows Defender Application Guard policy settings -**Applies to:** -- Windows 10 Enterpise edition, version 1709 - Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain. Application Guard uses both network isolation and application-specific settings. ### Network isolation settings + +**Applies to:** +- Windows 10 Enterpise edition, version 1709 or higher + These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container. >[!NOTE] @@ -37,10 +38,10 @@ These settings, located at **Computer Configuration\Administrative Templates\Win |Name|Supported versions|Description|Options| |-----------|------------------|-----------|-------| -|Configure Windows Defender Application Guard clipboard settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
                  • Disable the clipboard functionality completely when Virtualization Security is enabled.
                  • Enable copying of certain content from Application Guard into Microsoft Edge.
                  • Enable copying of certain content from Microsoft Edge into Application Guard.

                    **Important**
                    Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
                  **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| -|Configure Windows Defender Application Guard print settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
                  • Enable Application Guard to print into the XPS format.
                  • Enable Application Guard to print into the PDF format.
                  • Enable Application Guard to print to locally attached printers.
                  • Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
                  **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| -|Block enterprise websites to load non-enterprise content in IE and Edge|At least Windows 10 Enterprise|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.

                  **Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | -|Allow Persistence|At least Windows 10 Enterprise|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

                  **Disabled or not configured.** All user data within Application Guard is reset between sessions.

                  **Note**
                  If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
                  **To reset the container:**
                  1. Open a command-line program and navigate to Windows/System32.
                  2. Type `wdagtool.exe cleanup`.
                    The container environment is reset, retaining only the employee-generated data.
                  3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
                    The container environment is reset, including discarding all employee-generated data.
                  | -|Turn on Windows Defender Application Guard in Enterprise Mode|At least Windows 10 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.

                  **Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.| - - +|Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

                  Windows 10 Professional, 1803|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
                  • Disable the clipboard functionality completely when Virtualization Security is enabled.
                  • Enable copying of certain content from Application Guard into Microsoft Edge.
                  • Enable copying of certain content from Microsoft Edge into Application Guard.

                    **Important**
                    Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
                  **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| +|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

                  Windows 10 Professional, 1803|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
                  • Enable Application Guard to print into the XPS format.
                  • Enable Application Guard to print into the PDF format.
                  • Enable Application Guard to print to locally attached printers.
                  • Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
                  **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| +|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher

                  Windows 10 Professional, 1803|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.

                  **Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | +|Allow Persistence|Windows 10 Enterprise, 1709 or higher

                  Windows 10 Professional, 1803|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

                  **Disabled or not configured.** All user data within Application Guard is reset between sessions.

                  **Note**
                  If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
                  **To reset the container:**
                  1. Open a command-line program and navigate to Windows/System32.
                  2. Type `wdagtool.exe cleanup`.
                    The container environment is reset, retaining only the employee-generated data.
                  3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
                    The container environment is reset, including discarding all employee-generated data.
                  | +|Turn on Windows Defender Application Guard in Enterprise Mode|Windows 10 Enterprise, 1709 or higher|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.

                  **Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.| +|Allow files to download to host operating system|Windows 10 Enterprise, 1803|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.

                  **Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.| +|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, version 1803

                  (experimental only)|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.

                    **Important**
                    Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

                  **Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.

                  **Note**
                  This is an experimental feature in Windows 10 Enterprise, version 1803 and will not function without the presence of an additional registry key provided by Microsoft. If you would like to evaluate this feature on deployments of Windows 10 Enterprise, version 1803, please contact Microsoft for further information.| diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 387b02dde9..dcea68cace 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -5,15 +5,16 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -author: eross-msft -ms.author: lizross +author: justinha +ms.author: justinha ms.date: 11/07/2017 --- # Frequently asked questions - Windows Defender Application Guard **Applies to:** -- Windows 10 Enterpise edition, version 1709 +- Windows 10 Enterpise edition, version 1709 or higher +- Windows 10 Professional edition, version 1803 Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration. 
@@ -31,7 +32,7 @@ Answering frequently asked questions about Windows Defender Application Guard (A | | | |---|----------------------------| |**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?| -|**A:** |It's not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.| +|**A:** |In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy.

                  In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.|
                  | | | @@ -50,3 +51,22 @@ Answering frequently asked questions about Windows Defender Application Guard (A |---|----------------------------| |**Q:** |Why aren’t employees able to see their Extensions in the Application Guard Edge session?| |**A:** |Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.| +
                  + +| | | +|---|----------------------------| +|**Q:** |How do I configure WDAG to work with my network proxy (IP-Literal Addresses)?| +|**A:** |WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher.| +
                  + +| | | +|---|----------------------------| +|**Q:** |I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?| +|**A:** |This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and we’ll work with you to enable the feature.| +
                  + +| | | +|---|----------------------------| +|**Q:** |What is the WDAGUtilityAccount local account?| +|**A:** |This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware.| +
                  diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-download.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-download.png
new file mode 100644
index 0000000000..647fb7ab66
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-download.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-vgpu.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-vgpu.png
new file mode 100644
index 0000000000..063275bdc2
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-vgpu.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
index c6bf82932c..037fb26536 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
@@ -5,22 +5,28 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -author: eross-msft -ms.author: lizross +author: justinha +ms.author: justinha ms.date: 10/19/2017 --- -# Prepare and install Windows Defender Application Guard - -**Applies to:** -- Windows 10 Enterprise edition, version 1709 - ## Prepare to install Windows Defender Application Guard Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode. -- **Standalone mode.** Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-wd-app-guard.md) testing scenario. +**Standalone mode** -- **Enterprise-managed mode.** You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to load non-enterprise domain(s) in the container. +Applies to: +- Windows 10 Enterprise edition, version 1709 or higher +- Windows 10 Professional edition, version 1803 + +Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-wd-app-guard.md) testing scenario. 
+ +**Enterprise-managed mode** + +Applies to: +- Windows 10 Enterprise edition, version 1709 or higher + +You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests tooad non-enterprise domain(s) in the container. The following diagram shows the flow between the host PC and the isolated container. ![Flowchart for movement between Microsoft Edge and Application Guard](images/application-guard-container-v-host.png) diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index 7b79f26762..413a76b74a 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -5,15 +5,16 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -author: eross-msft -ms.author: lizross +author: justinha +ms.author: justinha ms.date: 11/09/2017 --- # System requirements for Windows Defender Application Guard **Applies to:** -- Windows 10 Enterprise edition, version 1709 +- Windows 10 Enterprise edition, version 1709 or higher +- Windows 10 Professional edition, version 1803 The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. 
@@ -27,7 +28,7 @@ Your environment needs the following hardware to run Windows Defender Applicatio |--------|-----------| |64-bit CPU|A 64-bit computer with minimum 4 cores is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).| |CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

                  **-AND-**

                  One of the following virtualization extensions for VBS:

                  VT-x (Intel)

                  **-OR-**

                  AMD-V| -|Hardware memory|Microsoft recommends 8GB RAM for optimal performance| +|Hardware memory|Microsoft requires a minimum of 8GB RAM| |Hard disk|5 GB free space, solid state disk (SSD) recommended| |Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended| @@ -36,6 +37,6 @@ Your environment needs the following software to run Windows Defender Applicatio |Software|Description| |--------|-----------| -|Operating system|Windows 10 Enterprise edition, version 1709| +|Operating system|Windows 10 Enterprise edition, version 1709 or higher
                  Windows 10 Professional edition, version 1803| |Browser|Microsoft Edge and Internet Explorer| -|Management system|[Microsoft Intune](https://docs.microsoft.com/en-us/intune/)

                  **-OR-**

                  [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/)

                  **-OR-**

                  [Group Policy](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)

                  **-OR-**

                  Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| +|Management system
                  (only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/en-us/intune/)

                  **-OR-**

                  [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/)

                  **-OR-**

                  [Group Policy](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)

                  **-OR-**

                  Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md index 4e9d84ab90..cffffca2da 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md @@ -5,18 +5,19 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -author: eross-msft -ms.author: lizross +author: justinha +ms.author: justinha ms.date: 10/19/2017 --- # Testing scenarios using Windows Defender Application Guard in your business or organization -**Applies to:** -- Windows 10 Enterpise edition, version 1709 - We've come up with a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization. +**Applies to:** +- Windows 10 Enterpise edition, version 1709 or higher +- Windows 10 Professional edition, version 1803 + ## Application Guard in standalone mode You can see how an employee would use standalone mode with Application Guard. @@ -97,6 +98,10 @@ Application Guard provides the following default behavior for your employees: You have the option to change each of these settings to work with your enterprise from within Group Policy. +**Applies to:** +- Windows 10 Enterpise edition, version 1709 or higher +- Windows 10 Professional edition, version 1803 + **To change the copy and paste options** 1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**. 
@@ -152,3 +157,34 @@ You have the option to change each of these settings to work with your enterpris >[!NOTE] >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren’t shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

                  If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

                  **To reset the container:**
                  1. Open a command-line program and navigate to Windows/System32.
                  2. Type `wdagtool.exe cleanup`.
                    The container environment is reset, retaining only the employee-generated data.
                  3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
                    The container environment is reset, including discarding all employee-generated data.
                  + +**Applies to:** +- Windows 10 Enterpise edition, version 1803 +- Windows 10 Professional edition, version 1803 + +**To change the download options** +1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow files to download and save to the host operating system from Windows Defender Application Guard** setting. + +2. Click **Enabled**. + + ![Group Policy editor Download options](images/appguard-gp-download.png) + +3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. + +4. Download a file from Windows Defender Application Guard. + +5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files. + +**To change hardware acceleration options** +1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard** setting. + +2. Click **Enabled**. + + ![Group Policy editor hardware acceleration options](images/appguard-gp-vgpu.png) + +3. Contact Microsoft for further information to fully enable this setting. + +4. Once you have fully enabled this experimental feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. + +5. Assess the visual experience and battery performance. + diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md index 7e437ce4b1..0fb816ceab 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md +++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md 
@@ -5,9 +5,9 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -author: eross-msft -ms.author: lizross -ms.date: 10/23/2017 +author: justinha +ms.author: justinha +ms.date: 07/09/2018 --- # Windows Defender Application Guard overview @@ -15,10 +15,8 @@ ms.date: 10/23/2017 **Applies to:** - Windows 10 Enterprise edition, version 1709 or higher - Windows 10 Professional edition, version 1803 - -The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. -Windows Defender Application Guard (Application Guard) is designed to help prevent old, and newly emerging attacks, to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by rendering current attack methods obsolete. +Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by rendering current attack methods obsolete. ## What is Application Guard and how does it work? Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index c46a4ebe2d..193fddfef8 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md 
@@ -1,4 +1,4 @@
-# [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
+# [Windows Defender Security Center](windows-defender-security-center-atp.md)
 ##Get started
 ### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
 ### [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
@@ -7,6 +7,7 @@
 ### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
 ### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
 ## [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)
+### [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)
 ### [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
 #### [Onboard machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
 #### [Onboard machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
@@ -20,7 +21,7 @@
 ### [Run simulated attacks on machines](attack-simulations-windows-defender-advanced-threat-protection.md)
 ### [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
 ### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
-## [Understand the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md)
+## [Understand the portal](use-windows-defender-advanced-threat-protection.md)
 ### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
 ### [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
 ### [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
@@ -71,11 +72,13 @@ ###### [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) ###### [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) -### [Use Automated investigation to investigate and remediate threats](automated-investigations-windows-defender-advanced-threat-protection.md) ### [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md) #### [Advanced hunting reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md) #### [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) +## [Use Automated investigation to investigate and remediate threats](automated-investigations-windows-defender-advanced-threat-protection.md) + +## [Protect data with conditional access](conditional-access-windows-defender-advanced-threat-protection.md) ##API and SIEM support ### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md) #### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md) 
@@ -113,13 +116,13 @@ ###### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) #####File -###### [Block file API](block-file-windows-defender-advanced-threat-protection.md) +###### [Block file](block-file-windows-defender-advanced-threat-protection.md) ###### [Get file information](get-file-information-windows-defender-advanced-threat-protection.md) ###### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection.md) ###### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection.md) ###### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection.md) -###### [Get FileActions collection API](get-fileactions-collection-windows-defender-advanced-threat-protection.md) -###### [Unblock file API](unblock-file-windows-defender-advanced-threat-protection.md) +###### [Get FileActions collection](get-fileactions-collection-windows-defender-advanced-threat-protection.md) +###### [Unblock file](unblock-file-windows-defender-advanced-threat-protection.md) #####IP ###### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection.md) 
@@ -127,25 +130,25 @@ ###### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection.md) ###### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection.md) #####Machines -###### [Collect investigation package API](collect-investigation-package-windows-defender-advanced-threat-protection.md) +###### [Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection.md) ###### [Find machine information by IP](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md) ###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md) -###### [Get FileMachineAction object API](get-filemachineaction-object-windows-defender-advanced-threat-protection.md) -###### [Get FileMachineActions collection API](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md) +###### [Get FileMachineAction object](get-filemachineaction-object-windows-defender-advanced-threat-protection.md) +###### [Get FileMachineActions collection](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md) ###### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection.md) ###### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection.md) ###### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection.md) -###### [Get MachineAction object API](get-machineaction-object-windows-defender-advanced-threat-protection.md) -###### [Get MachineActions collection API](get-machineactions-collection-windows-defender-advanced-threat-protection.md) +###### [Get MachineAction object](get-machineaction-object-windows-defender-advanced-threat-protection.md) +###### [Get MachineActions collection](get-machineactions-collection-windows-defender-advanced-threat-protection.md) ###### [Get 
machines](get-machines-windows-defender-advanced-threat-protection.md) -###### [Get package SAS URI API](get-package-sas-uri-windows-defender-advanced-threat-protection.md) -###### [Isolate machine API](isolate-machine-windows-defender-advanced-threat-protection.md) -###### [Release machine from isolation API](unisolate-machine-windows-defender-advanced-threat-protection.md) -###### [Remove app restriction API](unrestrict-code-execution-windows-defender-advanced-threat-protection.md) -###### [Request sample API](request-sample-windows-defender-advanced-threat-protection.md) -###### [Restrict app execution API](restrict-code-execution-windows-defender-advanced-threat-protection.md) -###### [Run antivirus scan API](run-av-scan-windows-defender-advanced-threat-protection.md) -###### [Stop and quarantine file API](stop-quarantine-file-windows-defender-advanced-threat-protection.md) +###### [Get package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection.md) +###### [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection.md) +###### [Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection.md) +###### [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection.md) +###### [Request sample](request-sample-windows-defender-advanced-threat-protection.md) +###### [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection.md) +###### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection.md) +###### [Stop and quarantine file](stop-quarantine-file-windows-defender-advanced-threat-protection.md) 
@@ -164,7 +167,7 @@ ### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines) ### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines) ### [Check service health](service-status-windows-defender-advanced-threat-protection.md) -### [Configure Windows Defender ATP Settings](preferences-setup-windows-defender-advanced-threat-protection.md) +## [Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md) ###General #### [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md) @@ -172,7 +175,7 @@ #### [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) #### [Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md) #### [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md) -#### [Protect data with conditional access](conditional-access-windows-defender-advanced-threat-protection.md) + ###Permissions #### [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md) 
@@ -192,9 +195,9 @@ #### [Onboarding machines](onboard-configure-windows-defender-advanced-threat-protection.md) #### [Offboarding machines](offboard-machines-windows-defender-advanced-threat-protection.md) -## [Configure Windows Defender ATP time zone settings](time-settings-windows-defender-advanced-threat-protection.md) +## [Configure Windows Defender Security Center zone settings](time-settings-windows-defender-advanced-threat-protection.md) ## [Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md) -## [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) +## [Troubleshoot Windows Defender ATP service issues](troubleshoot-windows-defender-advanced-threat-protection.md) ### [Review events and errors on machines with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) -## [Windows Defender Antivirus compatibility with Windows Defender ATP](defender-compatibility-windows-defender-advanced-threat-protection.md) + diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md index d74d21d178..b414111b05 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md @@ -9,8 +9,8 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high -ms.date: 04/24/2018 +ms.localizationpriority: medium +ms.date: 05/08/2018 --- # Configure advanced features in Windows Defender ATP 
@@ -23,7 +23,7 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink) @@ -71,7 +71,7 @@ When you complete the integration steps on both portals, you'll be able to see r ## Office 365 Threat Intelligence connection This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page. -When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into the Windows Defender ATP portal to conduct a holistic security investigation across Office 365 mailboxes and Windows machines. +When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Windows Defender Security Center to conduct a holistic security investigation across Office 365 mailboxes and Windows machines. >[!NOTE] >You'll need to have the appropriate license to enable this feature. @@ -87,6 +87,11 @@ When you enable this feature, you'll be able to share Windows Defender ATP devic >You'll need to enable the integration on both Intune and Windows Defender ATP to use this feature. +## Preview features +Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. + +You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available. + ## Enable advanced features 1. In the navigation pane, select **Preferences setup** > **Advanced features**. 2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**. 
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md index f553f152fd..216c76d3bb 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- @@ -23,7 +23,7 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md index 77ffee9999..2ebe1dceb6 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md @@ -9,8 +9,8 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high -ms.date: 04/24/2018 +ms.localizationpriority: medium +ms.date: 06/01/2018 --- # Advanced hunting reference in Windows Defender ATP 
@@ -23,85 +23,96 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -## Advanced hunting table reference -When you run a query using Advanced hunting, a table with columns is returned as a result. - -Use the following table to understand what the columns represent, its data type, and their description. +## Advanced hunting column reference +To effectively build queries that span multiple tables, you need to understand the columns in the Advanced hunting schema. The following table lists all the available columns, along with their data types and descriptions. This information is also available in the schema representation in the Advanced hunting screen. | Column name | Data type | Description :---|:--- |:--- -| AccountDomain | string | Domain of the account. | -| AccountName | string | User name of the account. | -| AccountSid | string | Security Identifier (SID) of the account. | -| ActionType | string | Type of activity that triggered the event. | -| AdditionalFields | string | Additional information about the event in JSON array format. | -| AlertId | string | Unique identifier for the alert. | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine. | -| EventId | int | Unique identifier used by Event Tracing for Windows (ETW) for the event type. | -| EventTime | datetime | Date and time when the event was recorded. | -| EventType | string | Table where the record is stored. | -| FileName | string | Name of the file that the recorded action was applied to. | -| FileOriginIp | string | IP address where the file was downloaded from. | -| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file. 
| -| FileOriginUrl | string | URL where the file was downloaded from. | -| FolderPath | string | Folder containing the file that the recorded action was applied to. | -| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event. | -| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event. | -| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event. | -| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event. | -| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started. | -| InitiatingProcessFileName | string | Name of the process that initiated the event. | -| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event. | -| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event. | -| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. | -| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event. | -| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started. | -| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event. | -| InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event. | -| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event. 
| -| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available. | -| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event. | -| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory. | -| LocalIP | string | IP address assigned to the local machine used during communication. | -| LocalPort | int | TCP port on the local machine used during communication. | -| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format. | -| LogonType | string | Type of logon session, specifically:

                  - **Interactive** - User physically interacts with the machine using the local keyboard and screen.

                  - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients.

                  - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed.

                  - **Batch** - Session initiated by scheduled tasks.

                  - **Service** - Session initiated by services as they start.
                  -| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. | -| MachineId | string | Unique identifier for the machine in the service. | -| MD5 | string | MD5 hash of the file that the recorded action was applied to. | -| NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format. | -| OSArchitecture | string | Architecture of the operating system running on the machine. | -| OSBuild | string | Build version of the operating system running on the machine. | -| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | -| PreviousRegistryKey | string | Original registry key of the registry value before it was modified. | -| PreviousRegistryValueData | string | Original data of the registry value before it was modified. | -| PreviousRegistryValueName | string | Original name of the registry value before it was modified. | -| PreviousRegistryValueType | string | Original data type of the registry value before it was modified. | -| ProcessCommandline | string | Command line used to create the new process. | -| ProcessCreationTime | datetime | Date and time the process was created. | -| ProcessId | int | Process ID (PID) of the newly created process. | -| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. | -| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process. 
| -| ProviderId | string | Unique identifier for the Event Tracing for Windows (ETW) provider that collected the event log. | -| RegistryKey | string | Registry key that the recorded action was applied to. | -| RegistryValueData | string | Data of the registry value that the recorded action was applied to. | -| RegistryValueName | string | Name of the registry value that the recorded action was applied to. | -| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to. | -| RemoteIP | string | IP address that was being connected to. | -| RemotePort | int | TCP port on the remote device that was being connected to. | -| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to. | -| ReportIndex | long | Event identifier that is unique among the same event type. | -| SHA1 | string | SHA-1 of the file that the recorded action was applied to. | -| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. +| AccountDomain | string | Domain of the account | +| AccountName | string | User name of the account | +| AccountSid | string | Security Identifier (SID) of the account | +| ActionType | string | Type of activity that triggered the event | +| AdditionalFields | string | Additional information about the event in JSON array format | +| AlertId | string | Unique identifier for the alert | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it’s connected publicly to the internet. 
| +| DefaultGateways | string | Default gateway addresses in JSON array format | +| DnsServers | string | DNS server addresses in JSON array format | +| EventTime | datetime | Date and time when the event was recorded | +| EventType | string | Table where the record is stored | +| FileName | string | Name of the file that the recorded action was applied to | +| FileOriginIp | string | IP address where the file was downloaded from | +| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file | +| FileOriginUrl | string | URL where the file was downloaded from | +| FolderPath | string | Folder containing the file that the recorded action was applied to | +| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | +| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | +| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | +| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | +| InitiatingProcessFileName | string | Name of the process that initiated the event | +| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | +| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | +| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. | +| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. 
This identifier is unique on the same machine only between restarts. | +| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event | +| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | +| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event | +| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event | +| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available. | +| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | +| IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local | +| Ipv4Dhcp | string | IPv4 address of DHCP server | +| Ipv6Dhcp | string | IPv6 address of DHCP server | +| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory | +| LocalIP | string | IP address assigned to the local machine used during communication | +| LocalPort | int | TCP port on the local machine used during communication | +| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts. | +| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format | +| LogonType | string | Type of logon session, specifically:

                  - **Interactive** - User physically interacts with the machine using the local keyboard and screen

                  - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients

                  - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed

                  - **Batch** - Session initiated by scheduled tasks

                  - **Service** - Session initiated by services as they start
                  +| MacAddress | string | MAC address of the network adapter | +| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. | +| MachineId | string | Unique identifier for the machine in the service | +| MD5 | string | MD5 hash of the file that the recorded action was applied to | +| NetworkAdapterName | string | Name of the network adapter | +| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/en-us/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2). | +| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/en-us/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2). | +| NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format | +| OSArchitecture | string | Architecture of the operating system running on the machine | +| OSBuild | string | Build version of the operating system running on the machine | +| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. 
| +| PreviousRegistryKey | string | Original registry key of the registry value before it was modified | +| PreviousRegistryValueData | string | Original data of the registry value before it was modified | +| PreviousRegistryValueName | string | Original name of the registry value before it was modified | +| PreviousRegistryValueType | string | Original data type of the registry value before it was modified | +| ProcessCommandline | string | Command line used to create the new process | +| ProcessCreationTime | datetime | Date and time the process was created | +| ProcessId | int | Process ID (PID) of the newly created process | +| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. | +| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process | +| ProviderId | string | Unique identifier for the Event Tracing for Windows (ETW) provider that collected the event log | +| PublicIP | string | Public IP address used by the onboarded machine to connect to the Windows Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy. | +| RegistryKey | string | Registry key that the recorded action was applied to | +| RegistryValueData | string | Data of the registry value that the recorded action was applied to | +| RegistryValueName | string | Name of the registry value that the recorded action was applied to | +| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to | +| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. 
Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. | +| RemoteIP | string | IP address that was being connected to | +| RemotePort | int | TCP port on the remote device that was being connected to | +| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. | +| SHA1 | string | SHA-1 of the file that the recorded action was applied to | +| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. | +| TunnelingProtocol | string | Tunneling protocol, if the interface is used for this purpose, for example:
                  - Various IPv6 to IPv4 tunneling protocols (6to4, Teredo, ISATAP)
                  - VPN (PPTP, SSTP)
                  - SSH
                  **NOTE:** This field doesn’t provide full IP tunneling specifications. | >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink) ## Related topic - [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md) -- [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) - +- [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md index c5a0aa9147..538e981c02 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md @@ -9,8 +9,8 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high -ms.date: 04/24/2018 +ms.localizationpriority: medium +ms.date: 06/13/2018 --- # Query data using Advanced hunting in Windows Defender ATP @@ -23,7 +23,7 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) 
@@ -54,6 +54,8 @@ We then add a filter on the _FileName_ to contain only instances of _powershell Afterwards, we add a filter on the _ProcessCommandLine_ Finally, we project only the columns we're interested in exploring and limit the results to 100 and click **Run query**. +You have the option of expanding the screen view so you can focus on your hunting query and related results. + ### Use operators The query language is very powerful and has a lot of available operators, some of them are - @@ -132,7 +134,7 @@ These steps guide you on modifying and overwriting an existing query. The result set has several capabilities to provide you with effective investigation, including: -- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in the Windows Defender ATP portal. +- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in Windows Defender Security Center. - You can right-click on a cell in the result set and add a filter to your written query. The current filtering options are **include**, **exclude** or **advanced filter**, which provides additional filtering options on the cell value. These cell values are part of the row set. ![Image of Windows Defender ATP Advanced hunting result set](images/atp-advanced-hunting-results-filter.png) diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md index 3955ce8269..5d5708572e 100644 --- a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md 
@@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- @@ -23,7 +23,7 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-alertsq-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md index 9c21431658..677b25564f 100644 --- a/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- title: Windows Defender ATP alert API fields -description: Understand how the alert API fields map to the values in the Windows Defender ATP portal. +description: Understand how the alert API fields map to the values in Windows Defender Security Center keywords: alerts, alert fields, fields, api, fields, pull alerts, rest api, request, response search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 10/16/2017 --- 
@@ -28,7 +28,7 @@ ms.date: 10/16/2017 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink) -Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal. +Understand what data fields are exposed as part of the alerts API and how they map to Windows Defender Security Center. ## Alert API fields and portal mapping diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md index 5acb334a86..e948d94905 100644 --- a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Assign user access to the Windows Defender ATP portal +title: Assign user access to Windows Defender Security Center description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal. keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles search.product: eADQiWindows 10XVcnh @@ -9,11 +9,11 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- -# Assign user access to the Windows Defender ATP portal +# Assign user access to Windows Defender Security Center **Applies to:** - Windows 10 Enterprise 
@@ -24,7 +24,7 @@ ms.date: 04/24/2018 - Office 365 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md index b0954a8441..37b9d32417 100644 --- a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: lomayor author: lomayor -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 28/02/2018 --- @@ -23,7 +23,7 @@ ms.date: 28/02/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md index 760acda319..a59d266c4b 100644 --- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md @@ -9,8 +9,8 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high -ms.date: 04/24/2018 +ms.localizationpriority: medium +ms.date: 05/21/2018 --- # Use Automated investigations to investigate and remediate threats @@ -23,7 +23,7 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink) @@ -36,7 +36,10 @@ The Automated investigations list shows all the investigations that have been in ## Understand the Automated investigation flow ### How the Automated investigation starts -Entities are the starting point for Automated investigations. When an alert contains a supported entity for Automated investigation (for example, a file) an Automated investigation starts. +Entities are the starting point for Automated investigations. When an alert contains a supported entity for Automated investigation (for example, a file) that resides on a machine that has a supported operating system for Automated investigation then an Automated investigation can start. + +>[!NOTE] +>Currently, Automated investigation only supports Windows 10, version 1803 or later. The alerts start by analyzing the supported entities from the alert and also runs a generic machine playbook to see if there is anything else suspicious on that machine. The outcome and details from the investigation is seen in the Automated investigation view. 
@@ -62,15 +65,23 @@ While an investigation is running, any other alert generated from the machine wi If an incriminated entity is seen in another machine, the Automated investigation will expand the investigation to include that machine and a generic machine playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view. ### How threats are remediated -Depending on how you set up the machine groups and their level of automation, the Automated investigation will either automaticlly remediate threats or require user approval (this is the default). For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). +Depending on how you set up the machine groups and their level of automation, the Automated investigation will either require user approval (default) or automatically remediate threats. + +You can configure the following levels of automation: + +Automation level | Description +:---|:--- +Semi - require approval for any remediation | This is the default automation level.

                  An approval is needed for any remediation action. +Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders.

                  Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed. +Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

                  Files or executables in all other folders will automatically be remediated if needed. +Full - remediate threats automatically | All remediation actions will be performed automatically. + +For more information on how to configure these automation levels, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). The default machine group is configured for semi-automatic remediation. This means that any malicious entity that needs to be remediated requires an approval and the investigation is added to the **Pending actions** section, this can be changed to fully automatic so that no user approval is needed. When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation. -### How an Automated investigation is completed -When the Automated investigation completes its analysis, and all pending actions are resolved, an investigation is considered complete. It's important to understand that an investigation is only considered complete if there are no pending actions on it. - ## Manage Automated investigations By default, the Automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range. 
@@ -100,19 +111,15 @@ Status | Description | No threats found | No malicious entities found during the investigation. | Failed | A problem has interrupted the investigation, preventing it from completing. | | Partially remediated | A problem prevented the remediation of some malicious entities. | -| Action required | Remediation actions require review and approval. | +| Pending | Remediation actions require review and approval. | | Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. | | Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. | | Running | Investigation ongoing. Malicious entities found will be remediated. | | Remediated | Malicious entities found were successfully remediated. | -| Terminated by system | Investigation was stopped due to . | -| Terminated by user | A user stopped the investigation before it could complete. | -| Not applicable | Automated investigations do not apply to this alert type. | +| Terminated by system | Investigation was stopped by the system. | +| Terminated by user | A user stopped the investigation before it could complete. | Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. | -| Automated investigation not applicable to alert type | Automated investigation does not apply to this alert type. | -| Automated investigation does not support OS | Machine is running an OS that is not supported by Automated investigation. | -| Automated investigation unavailable for preexisting alert | Automated investigation does not apply to alerts that were generated before it was deployed. | -| Automated investigation unavailable for suppressed alert | Automated investigation does not apply to suppressed alerts. | + **Detection source**
                  diff --git a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md index 2f0c164f77..933ac113b2 100644 --- a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Prevent a file from being executed in the organization using Windows Defender Antivirus. @@ -52,7 +52,7 @@ If successful, this method returns 200, Ok response code with empty body, which ## Example -Request +**Request** Here is an example of the request. @@ -66,7 +66,7 @@ Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md index 968c448af5..428fb853da 100644 --- a/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- 
diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md index 9e23f63821..1d19deb5cb 100644 --- a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Collect investigation package from a machine. @@ -51,7 +51,7 @@ If successful, this method returns 201, Created response code and _MachineAction ## Example -Request +**Request** Here is an example of the request. @@ -63,7 +63,7 @@ Content-type: application/json } ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md index d55f04fddc..295192756c 100644 --- a/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- 
@@ -19,7 +19,7 @@ ms.date: 04/24/2018 **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + The Windows Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. @@ -30,7 +30,7 @@ There are several spaces you can explore to learn about specific information: There are several ways you can access the Community Center: -- In the Windows Defender ATP portal navigation pane, select **Community center**. A new browser tab opens and takes you to the Windows Defender ATP Tech Community page. +- In the Windows Defender Security Center navigation pane, select **Community center**. A new browser tab opens and takes you to the Windows Defender ATP Tech Community page. - Access the community through the [Windows Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced) page diff --git a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md index 5c7c425311..432cfcfa13 100644 --- a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- 
@@ -23,7 +23,7 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink) @@ -88,13 +88,13 @@ You need to make sure that all your devices are enrolled in Intune. You can use -There are steps you'll need to take in the Windows Defender ATP portal, the Intune portal, and Azure AD portal. +There are steps you'll need to take in Windows Defender Security Center, the Intune portal, and Azure AD portal. > [!NOTE] > You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices. Take the following steps to enable conditional access: -- Step 1: Turn on the Microsoft Intune connection from the Windows Defender ATP portal +- Step 1: Turn on the Microsoft Intune connection from Windows Defender Security Center - Step 2: Turn on the Windows Defender ATP integration in Intune - Step 3: Create the compliance policy in Intune - Step 4: Assign the policy @@ -102,7 +102,7 @@ Take the following steps to enable conditional access: ### Step 1: Turn on the Microsoft Intune connection -1. In the navigation pane, select **Settings** > **General** > **Advanced features** > **Microsoft Intune connection**. +1. In the navigation pane, select **Settings** > **Advanced features** > **Microsoft Intune connection**. 2. Toggle the Microsoft Intune setting to **On**. 3. Click **Save preferences**. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md index 668943dd4d..c4633c09c3 100644 
--- a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
 ---
 title: Configure HP ArcSight to pull Windows Defender ATP alerts
-description: Configure HP ArcSight to receive and pull alerts from the Windows Defender ATP portal.
+description: Configure HP ArcSight to receive and pull alerts from Windows Defender Security Center
 keywords: configure hp arcsight, security information and events management tools, arcsight
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 10/16/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
index b35af2246b..24160d9cd2 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
@@ -9,8 +9,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
-ms.date: 04/24/2018
+ms.localizationpriority: medium
+ms.date: 07/16/2018
 ---
 # Configure alert notifications in Windows Defender ATP
@@ -23,32 +23,36 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-emailconfig-abovefoldlink) You can configure Windows Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity. > [!NOTE] -> Only users with full access can configure email notifications. +> Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. -You can set the alert severity levels that trigger notifications. When you turn enable the email notifications feature, it’s set to high and medium alerts by default. +You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md). -You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md). +If you're using role-based access control (RBAC), recipients will only receive notifications based on the machine groups that were configured in the notification rule. 
+Users with the proper permission can only create, edit, or delete notifications that are limited to their machine group management scope. +Only users assigned to the Global administrator role can manage notification rules that are configured for all machine groups. The email notification includes basic information about the alert and a link to the portal where you can do further investigation. + ## Create rules for alert notifications You can create rules that determine the machines and alert severities to send email notifications for and the notification recipients. -1. In the navigation pane, select **Settings** > **General** > **Alert notifications**. +1. In the navigation pane, select **Settings** > **Alert notifications**. 2. Click **Add notification rule**. 3. Specify the General information: - - **Rule name** - - **Machines** - Choose whether to notify recipients for all alerts on all machines or on selected machine group. If you choose to only send on a selected machine group, make sure that the machine group has been created. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). + - **Rule name** - Specify a name for the notification rule. + - **Include organization name** - Specify the customer name that appears on the email notification. + - **Include tenant-specific portal link** - Adds a link with the tenant ID to allow access to a specific tenant. + - **Machines** - Choose whether to notify recipients for alerts on all machines (Global administrator role only) or on selected machine groups. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md). - **Alert severity** - Choose the alert severity level 4. Click **Next**. 
@@ -68,7 +72,7 @@ Here's an example email notification: 2. Update the General and Recipient tab information. -3. CLick **Save notification rule**. +3. Click **Save notification rule**. ## Delete notification rule @@ -77,6 +81,7 @@ Here's an example email notification: 2. Click **Delete**. + ## Troubleshoot email notifications for alerts This section lists various issues that you may encounter when using email notifications for alerts. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index e3b7fb8022..980252189b 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- @@ -25,7 +25,7 @@ ms.date: 04/24/2018 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink) 
@@ -34,9 +34,9 @@ ms.date: 04/24/2018 > To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later. ## Onboard machines using Group Policy -1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. + a. In the navigation pane, select **Settings** > **Onboarding**. b. Select Windows 10 as the operating system. @@ -64,7 +64,7 @@ ms.date: 04/24/2018 > After onboarding the machine, you can choose to run a detection test to verify that the machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md). ## Additional Windows Defender ATP configuration settings -For each machine, you can state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis. +For each machine, you can state whether samples can be collected from the machine when a request is made through Windows Defender Security Center to submit a file for deep analysis. You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature. 
@@ -120,9 +120,9 @@ For security reasons, the package used to Offboard machines will expire 30 days > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions. -1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Get the offboarding package from [Windows Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**. + a. In the navigation pane, select **Settings** > **Offboarding**. b. Select Windows 10 as the operating system. @@ -154,7 +154,7 @@ For security reasons, the package used to Offboard machines will expire 30 days With Group Policy there isn’t an option to monitor deployment of policies on the machines. Monitoring can be done directly on the portal, or by using the different deployment tools. ## Monitor machines using the portal -1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/). +1. Go to [Windows Defender Security Center](https://securitycenter.windows.com/). 2. Click **Machines list**. 3. Verify that machines are appearing. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index c7774a5663..83f63e9c62 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- 
@@ -38,75 +38,33 @@ For more information on enabling MDM with Microsoft Intune, see [Setup Windows D For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). -### Using the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher +### Use the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher -1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Login to the [Microsoft Azure portal](https://portal.azure.com). - a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. +2. Select **Device Configuration > Profiles > Create profile**. - b. Select Windows 10 as the operating system. +3. Enter a **Name** and **Description**. - c. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**. - - d. Click **Download package**, and save the .zip file. +4. For **Platform**, select **Windows 10 and later**. -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*. +5. For **Profile type**, select **Windows Defender ATP (Windows 10 Desktop)**. -3. Login to the [Microsoft Azure portal](https://portal.azure.com). +6. Configure the settings: + - **Onboard Configuration Package**: Browse and select the **WindowsDefenderATP.onboarding** file you downloaded. 
This file enables a setting so devices can report to the Windows Defender ATP service. + - **Sample sharing for all files**: Allows samples to be collected, and shared with Windows Defender ATP. For example, if you see a suspicious file, you can submit it to Windows Defender ATP for deep analysis. + - **Expedite telemetry reporting frequency**: For devices that are at high risk, enable this setting so it reports telemetry to the Windows Defender ATP service more frequently. + - **Offboard Configuration Package**: If you want to remove Windows Defender ATP monitoring, you can download an offboarding package from Windows Defender Security Center, and add it. Otherwise, skip this property. + +7. Select **OK**, and **Create** to save your changes, which creates the profile. -4. From the Intune blade, choose **Device configuration**. - - ![Image of device configuration menu in Microsoft Azure](images/atp-azure-intune-device-config.png) - -5. Under **Manage**, choose **Profiles** and click **Create Profile**. - - ![Image of policy creation in Azure](images/atp-azure-intune-create-profile.png) - -6. Type a name, description and choose **Windows 10 and later** as the Platform and **Custom** as the Profile type. - - ![Image of naming a policy](images/atp-intune-custom.png) - -7. Click **Settings** > **Configure**. - - ![Image of settings](images/atp-intune-configure.png) - -8. Under Custom OMA-URI Settings, click **Add**. - - ![Image of configuration settings](images/atp-custom-oma-uri.png) - -9. Enter the following values, then click **OK**. - - ![Image of profile creation](images/atp-oma-uri-values.png) - - - **Name**: Type a name for the setting. - - **Description**: Type a description for the setting. - - **OMA-URI**: _./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding_ - - **Value**: Copy and paste the contents of the WindowsDefenderATP.onboarding file you downloaded. - -10. Save the settings by clicking **OK**. - -11. Click **Create**. 
- - ![Image of the policy being created](images/atp-intune-create-policy.png) - -12. To deploy the Profile, click **Assignments**. - - ![Image of groups](images/atp-intune-assignments.png) - -13. Search for and select the Group you want to apply the Configuration Profile to, then click **Select**. - - ![Image of groups](images/atp-intune-group.png) - -14. Click **Save** to finish deploying the Configuration Profile. - - ![Image of deployment](images/atp-intune-save-deployment.png) ### Onboard and monitor machines using the classic Intune console -1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. + a. In the navigation pane, select **Settings** > **Onboarding**. b. Select Windows 10 as the operating system. @@ -187,9 +145,9 @@ For security reasons, the package used to Offboard machines will expire 30 days > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions. -1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Get the offboarding package from [Windows Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**. + a. In the navigation pane, select **Settings** > **Offboarding**. b. Select Windows 10 as the operating system. 
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
index 450371174d..71b333c546 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: mjcaparas -localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 ---
@@ -22,9 +22,9 @@ ms.date: 04/24/2018 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-nonwindows-abovefoldlink) -[!include[Prerelease information](prerelease.md)] -Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products’ sensor data. + +Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products’ sensor data. You'll need to know the exact Linux distros and macOS X versions that are compatible with Windows Defender ATP for the integration to work.
@@ -34,7 +34,7 @@ You'll need to take the following steps to onboard non-Windows machines: ### Turn on third-party integration -1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. Make sure the third-party solution is listed. +1. In the navigation pane, select **Settings** > **Onboarding**. Make sure the third-party solution is listed. 2. Select Mac and Linux as the operating system.
@@ -59,7 +59,7 @@ To effectively offboard the machine from the service, you'll need to disable the 1. Follow the third-party documentation to opt-out on the third-party service side. -2. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. +2. In the navigation pane, select **Settings** > **Onboarding**. 3. Turn off the third-party solution integration.
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index ab8da7cafa..cbc1b85dda 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 ---
@@ -24,7 +24,7 @@ ms.date: 04/24/2018 - Windows Defender Advanced Threat Protection (Windows Defender ATP) - System Center 2012 Configuration Manager or later versions -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink)
@@ -47,9 +47,9 @@ You can use existing System Center Configuration Manager functionality to create ### Onboard machines using System Center Configuration Manager -1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. + a. In the navigation pane, select **Settings** > **Onboarding**. b. Select Windows 10 as the operating system. 
@@ -70,7 +70,7 @@ You can use existing System Center Configuration Manager functionality to create > After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md). ### Configure sample collection settings -For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis. +For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Windows Defender Security Center to submit a file for deep analysis. You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on a machine. This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted machines to make sure they’re complaint.
@@ -125,9 +125,9 @@ For security reasons, the package used to Offboard machines will expire 30 days > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions. -1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Get the offboarding package from [Windows Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**. + a. In the navigation pane, select **Settings** > **Offboarding**. b. Select Windows 10 as the operating system.
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
index 4dbf933ec5..8236a40cf4 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 ---
@@ -23,7 +23,7 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
@@ -34,9 +34,9 @@ You can also manually onboard individual machines to Windows Defender ATP. You m > The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Onboard Window 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). ## Onboard machines -1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. + a. In the navigation pane, select **Settings** > **Onboarding**. b. Select Windows 10 as the operating system. 
@@ -66,7 +66,7 @@ For information on how you can manually validate that the machine is compliant a > After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). ## Configure sample collection settings -For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis. +For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Windows Defender Security Center to submit a file for deep analysis. You can manually configure the sample sharing setting on the machine by using *regedit* or creating and running a *.reg* file.
@@ -92,9 +92,9 @@ For security reasons, the package used to Offboard machines will expire 30 days > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions. -1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Get the offboarding package from [Windows Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Machine management** > **Offboarding**. + a. In the navigation pane, select **Settings** > **Offboarding**. b. Select Windows 10 as the operating system.
@@ -126,7 +126,7 @@ You can follow the different verification steps in the [Troubleshoot onboarding Monitoring can also be done directly on the portal, or by using the different deployment tools. ### Monitor machines using the portal -1. Go to the Windows Defender ATP portal. +1. Go to Windows Defender Security Center. 2. Click **Machines list**.
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
index 3053183884..7f15b0fc5c 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 ---
@@ -18,7 +18,7 @@ ms.date: 04/24/2018 **Applies to:** - Virtual desktop infrastructure (VDI) machines -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
@@ -38,9 +38,9 @@ You can onboard VDI machines using a single entry or multiple entries for each m >[!WARNING] > For environments where there are low resource configurations, the VDI boot proceedure might slow the Windows Defender ATP sensor onboarding. -1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): +1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. + a. In the navigation pane, select **Settings** > **Onboarding**. b. Select Windows 10 as the operating system.
@@ -78,8 +78,8 @@ You can onboard VDI machines using a single entry or multiple entries for each m d. Logon to machine with another user. - e. **For single entry for each machine**: Check only one entry in the Windows Defender ATP portal.
                  - **For multiple entries for each machine**: Check multiple entries in the Windows Defender ATP portal. + e. **For single entry for each machine**: Check only one entry in Windows Defender Security Center.
                  + **For multiple entries for each machine**: Check multiple entries in Windows Defender Security Center. 7. Click **Machines list** on the Navigation pane. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md index dab99dbf01..c0ae298a7a 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md @@ -9,8 +9,8 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high -ms.date: 04/24/2018 +ms.localizationpriority: medium +ms.date: 07/12/2018 --- # Onboard Windows 10 machines @@ -23,11 +23,11 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Machines in your organization must be configured so that the Windows Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the machines in your organization. -Windows Defender ATP supports the following deployment tools and methods: +The following deployment tools and methods are supported: - Group Policy - System Center Configuration Manager diff --git a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index ac747f99f5..23f06ea316 100644 
--- a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -9,8 +9,8 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high -ms.date: 10/16/2017 +ms.localizationpriority: medium +ms.date: 05/29/2018 ---
@@ -85,12 +85,18 @@ For example: netsh winhttp set proxy 10.0.0.6:8080 ## Enable access to Windows Defender ATP service URLs in the proxy server If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443: -Service location | .Microsoft.com DNS record -:---|:--- - US |```*.blob.core.windows.net```
                  ```crl.microsoft.com```
                  ```ctldl.windowsupdate.com```
                  ```us.vortex-win.data.microsoft.com```
                  ```winatp-gw-cus.microsoft.com```
                  ```winatp-gw-eus.microsoft.com``` -Europe |```*.blob.core.windows.net```
                  ```crl.microsoft.com```
                  ```ctldl.windowsupdate.com```
                  ```eu.vortex-win.data.microsoft.com```
                  ```winatp-gw-neu.microsoft.com```
                  ```winatp-gw-weu.microsoft.com```
                  +>![NOTE] +> URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later. - If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs. +Service location | Microsoft.com DNS record +:---|:--- +Common URLs for all locations | ```*.blob.core.windows.net```
                  ```crl.microsoft.com```
                  ```ctldl.windowsupdate.com```
                  ```events.data.microsoft.com``` +European Union | ```eu.vortex-win.data.microsoft.com```
                  ```eu-v20.events.data.microsoft.com```
                  ```winatp-gw-neu.microsoft.com```
                  ```winatp-gw-weu.microsoft.com``` +United Kingdom | ```uk.vortex-win.data.microsoft.com```
                  ```uk-v20.events.data.microsoft.com```
                  ```winatp-gw-uks.microsoft.com```
                  ```winatp-gw-ukw.microsoft.com``` +United States | ```us.vortex-win.data.microsoft.com```
                  ```us-v20.events.data.microsoft.com```
                  ```winatp-gw-cus.microsoft.com```
                  ```winatp-gw-eus.microsoft.com``` + + +If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs. ## Verify client connectivity to Windows Defender ATP service URLs @@ -121,14 +127,14 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.

                  The tool checks the connectivity of Windows Defender ATP service URLs that Windows Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Windows Defender ATP services. For example: - ```text - Testing URL : https://xxx.microsoft.com/xxx - 1 - Default proxy: Succeeded (200) - 2 - Proxy auto discovery (WPAD): Succeeded (200) - 3 - Proxy disabled: Succeeded (200) - 4 - Named proxy: Doesn't exist - 5 - Command line proxy: Doesn't exist - ``` + ```text + Testing URL : https://xxx.microsoft.com/xxx + 1 - Default proxy: Succeeded (200) + 2 - Proxy auto discovery (WPAD): Succeeded (200) + 3 - Proxy disabled: Succeeded (200) + 4 - Named proxy: Doesn't exist + 5 - Command line proxy: Doesn't exist + ``` If at least one of the connectivity options returns a (200) status, then the Windows Defender ATP client can communicate with the tested URL properly using this connectivity method.

                  diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 62c3b16138..cf4dafd48d 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -8,8 +8,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: mjcaparas -localizationpriority: high -ms.date: 04/24/2018 +ms.localizationpriority: high +ms.date: 08/08/2018 --- # Onboard servers to the Windows Defender ATP service 
@@ -18,28 +18,41 @@ ms.date: 04/24/2018 - Windows Server 2012 R2 - Windows Server 2016 +- Windows Server, version 1803 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink) Windows Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console. -Windows Defender ATP supports the onboarding of the following servers: +The service supports the onboarding of the following servers: - Windows Server 2012 R2 - Windows Server 2016 +- Windows Server, version 1803 ## Onboard Windows Server 2012 R2 and Windows Server 2016 To onboard your servers to Windows Defender ATP, you’ll need to: +- For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients. - Turn on server monitoring from the Windows Defender Security Center portal. - If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through [Multi Homing support](https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/). Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below. >[!TIP] > After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). 
+### Configure and update System Center Endpoint Protection clients +>[!IMPORTANT] +>This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2. + +Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. + +The following steps are required to enable this integration: +- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/en-us/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) +- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting + ### Turn on Server monitoring from the Windows Defender Security Center portal
@@ -69,8 +82,8 @@ Once completed, you should see onboarded servers in the portal within an hour. - Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway). - If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service: -| Agent Resource | Ports | -|------------------------------------|-------------| +Agent Resource | Ports +:---|:--- | *.oms.opinsights.azure.com | 443 | | *.blob.core.windows.net | 443 | | *.azure-automation.net | 443 |
@@ -79,9 +92,60 @@ Once completed, you should see onboarded servers in the portal within an hour. | winatp-gw-eus.microsoft.com | 443 | | winatp-gw-neu.microsoft.com | 443 | | winatp-gw-weu.microsoft.com | 443 | +|winatp-gw-uks.microsoft.com | 443 | +|winatp-gw-ukw.microsoft.com | 443 | +| winatp-gw-aus.microsoft.com | 443| +| winatp-gw-aue.microsoft.com |443 | + +## Onboard Windows Server, version 1803 +You’ll be able to onboard in the same method available for Windows 10 client machines. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. + +1. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). + +2. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly: + + a. Set the following registry entry: + - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` + - Name: ForceDefenderPassiveMode + - Value: 1 + + b. Run the following PowerShell command to verify that the passive mode was configured: + + ```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}``` + + c. Confirm that a recent event containing the passive mode event is found: + + ![Image of passive mode verification result](images/atp-verify-passive-mode.png) + +3. Run the following command to check if Windows Defender AV is installed: + + ```sc query Windefend``` + + If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. 
For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). + + +## Integration with Azure Security Center +Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. + +The following capabilities are included in this integration: +- Automated onboarding - Windows Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/en-us/azure/security-center/security-center-onboarding). + + >[!NOTE] + > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016. + +- Servers monitored by Azure Security Center will also be available in Windows Defender ATP - Azure Security Center seamlessly connects to the Windows Defender ATP tenant, providing a single view across clients and servers. In addition, Windows Defender ATP alerts will be available in the Azure Security Center console. +- Server investigation - Azure Security Center customers can access the Windows Defender ATP portal to perform detailed investigation to uncover the scope of a potential breach + +>[!IMPORTANT] +>- When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. +>- If you use Windows Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. 
+ + ## Offboard servers -You have two options to offboard servers from the service: +You can offboard Windows Server, version 1803 in the same method available for Windows 10 client machines. + +For other server versions, you have two options to offboard servers from the service: - Uninstall the MMA agent - Remove the Windows Defender ATP workspace configuration @@ -109,7 +173,7 @@ To offboard the server, you can use either of the following methods: #### Run a PowerShell command to remove the configuration 1. Get your Workspace ID: - a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. + a. In the navigation pane, select **Settings** > **Onboarding**. b. Select **Windows server 2012, 2012R2 and 2016** as the operating system and get your Workspace ID: diff --git a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md index f2ab846f15..f499b17917 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 10/16/2017 --- 
@@ -57,6 +57,6 @@ Topic | Description [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools. [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts. [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts. -[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal. +[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to Windows Defender Security Center. [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API. [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) | Address issues you might encounter when using the SIEM integration feature. 
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md index be0b750935..ed37cdaedb 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- title: Configure Splunk to pull Windows Defender ATP alerts -description: Configure Splunk to receive and pull alerts from the Windows Defender ATP portal. +description: Configure Splunk to receive and pull alerts from Windows Defender Security Center. keywords: configure splunk, security information and events management tools, splunk search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 10/16/2017 --- @@ -139,6 +139,10 @@ Use the solution explorer to view alerts in Splunk. 5. Find the query you saved in the list and click **Run**. The results are displayed based on your query. +>[!TIP] +> To mininimize alert duplications, you can use the following query: +>```source="rest://windows atp alerts" | spath | dedup _raw | table *``` + ## Related topics - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) 
diff --git a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md index e06ccda51d..43933756ec 100644 --- a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- @@ -23,7 +23,7 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink) @@ -135,7 +135,7 @@ Content-Type: application/json; } ``` -The following values correspond to the alert sections surfaced on the Windows Defender ATP portal: +The following values correspond to the alert sections surfaced on Windows Defender Security Center: ![Image of alert from the portal](images/atp-custom-ti-mapping.png) Highlighted section | JSON key name diff --git a/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md index 2f1642def7..2e13780e25 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- # Update data retention settings for Windows Defender ATP @@ -22,13 +22,13 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-gensettings-abovefoldlink) During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update the data retention settings. -1. In the navigation pane, select **Settings** > **General** > **Data rention**. +1. In the navigation pane, select **Settings** > **Data rention**. 2. Select the data retention duration from the drop-down list. diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index e04a79d353..b4de052320 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -9,8 +9,8 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high -ms.date: 03/06/2018 +ms.localizationpriority: medium +ms.date: 07/05/2018 --- # Windows Defender ATP data storage and privacy 
@@ -27,7 +27,7 @@ This section covers some of the most frequently asked questions regarding privac ## What data does Windows Defender ATP collect? -Microsoft will collect and store information from your configured machines in a database specific to the service for administration, tracking, and reporting purposes. +Windows Defender ATP will collect and store information from your configured machines in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes. Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version). 
@@ -51,7 +51,7 @@ In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wik ## Do I have the flexibility to select where to store my data? -When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in de-identified form may also be stored in the central storage and processing systems in the United States. +When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States. ## Is my data isolated from other customer data? Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides. diff --git a/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md index 035afaf190..26e859fb08 100644 --- a/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md 
@@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md index babca11760..1d1154af3b 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- @@ -23,13 +23,13 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablecustomti-abovefoldlink) -Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal. +Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through Windows Defender Security Center. -1. In the navigation pane, select **Settings** > **APIs** > **Threat intel**. +1. In the navigation pane, select **Settings** > **Threat intel**. ![Image of threat intel API menu](images/atp-threat-intel-api.png) 
diff --git a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md index da135efb65..bddab1a14d 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- @@ -23,14 +23,14 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Set the baselines for calculating the score of Windows Defender security controls on the Secure Score dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations. >[!NOTE] >Changes might take up to a few hours to reflect on the dashboard. -1. In the navigation pane, select **Settings** > **General** > **Secure Score**. +1. In the navigation pane, select **Settings** > **Secure Score**. ![Image of Secure Score controls from Preferences setup menu](images/atp-enable-security-analytics.png) 
@@ -43,4 +43,4 @@ Set the baselines for calculating the score of Windows Defender security control - [Update data retention settings for Windows Defender ATP](data-retention-settings-windows-defender-advanced-threat-protection.md) - [Configure alert notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) - [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) -- [Configure advanced features in Windows Defender ATP](/advanced-features-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Configure advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md index 183ecc286d..44e55b2b9b 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- 
@@ -27,9 +27,9 @@ ms.date: 04/24/2018 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) -Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API. +Enable security information and event management (SIEM) integration so you can pull alerts from Windows Defender Security Center using your SIEM solution or by connecting directly to the alerts REST API. -1. In the navigation pane, select **Settings** > **APIs** > **SIEM**. +1. In the navigation pane, select **Settings** > **SIEM**. ![Image of SIEM integration from Settings menu](images/atp-siem-integration.png) @@ -55,7 +55,7 @@ Enable security information and event management (SIEM) integration so you can p > [!NOTE] > You'll need to generate a new Refresh token every 90 days. -You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from the Windows Defender ATP portal. +You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from Windows Defender Security Center. diff --git a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md index f4c7dd2bb3..9fe88c8887 100644 --- a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md @@ -9,8 +9,8 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high -ms.date: 04/24/2018 +ms.localizationpriority: medium +ms.date: 05/21/2018 --- @@ -25,7 +25,7 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual machines. @@ -211,6 +211,12 @@ Check that the onboarding settings and scripts were deployed properly. Try to re See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). +29 +Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 +This event occurs when the system can't read the offboarding parameters. +Ensure the machine has Internet access, then run the entire offboarding process again. + + 30 Windows Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender Antivirus. Failure code: ```variable```. Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Windows Defender ATP. diff --git a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md index 5a34950b31..137a1b8070 100644 --- a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 11/09/2017 --- @@ -139,7 +139,7 @@ This step will guide you in simulating an event in connection to a malicious IP ## Step 4: Explore the custom alert in the portal This step will guide you in exploring the custom alert in the portal. -1. Open the [Windows Defender ATP portal](http://securitycenter.windows.com/) on a browser. +1. Open [Windows Defender Security Center](http://securitycenter.windows.com/) on a browser. 2. Log in with your Windows Defender ATP credentials. @@ -148,7 +148,7 @@ This step will guide you in exploring the custom alert in the portal. ![Image of sample custom ti alert in the portal](images/atp-sample-custom-ti-alert.png) > [!NOTE] -> There is a latency time of approximately 20 minutes between the the time a custom TI is introduced and when it becomes effective. +> There is a latency time of approximately 20 minutes between the time a custom TI is introduced and when it becomes effective. ## Related topics - [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md index 2eb3a595ec..8864102a57 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md 
@@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 10/23/2017 --- @@ -23,7 +23,7 @@ ms.date: 10/23/2017 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md index c654298268..94cb8338ce 100644 --- a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- -title: Find machine information by interal IP API -description: Use this API to create calls related to finding a machine entry around a specific timestamp by FQDN or interal IP. -keywords: apis, graph api, supported apis, find machine, machine information, IP +title: Find machine information by internal IP API +description: Use this API to create calls related to finding a machine entry around a specific timestamp by internal IP. +keywords: ip, apis, graph api, supported apis, find machine, machine information search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy 
@@ -9,26 +9,28 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high -ms.date: 12/08/2017 +ms.localizationpriority: medium +ms.date: 07/25/2018 --- -# Find machine information by interal IP API +# Find machine information by internal IP API **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] -Find a machine entity around a specific timestamp by FQDN or internal IP. +Find a machine entity around a specific timestamp by internal IP. + +>[!NOTE] +>The timestamp must be within the last 30 days. ## Permissions User needs read permissions. ## HTTP request ``` -GET /testwdatppreview/machines/find(timestamp={time},key={IP/FQDN}) +GET /testwdatppreview/machines/find(timestamp={time},key={IP}) ``` ## Request headers @@ -49,19 +51,20 @@ If no machine found - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. ``` -GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp={time},key={IP/FQDN}) +GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp=2018-06-19T10:00:00Z,key='10.166.93.61') Content-type: application/json ``` -Response +**Response** Here is an example of the response. +The response will return a list of all machines that reported this IP address within sixteen minutes prior and after the timestamp. ``` HTTP/1.1 200 OK diff --git a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md index d35ec1554e..8d04e19940 100644 --- a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 10/23/2017 --- @@ -37,7 +37,7 @@ An inactive machine is not necessarily flagged due to an issue. The following ac If the machine has not been in use for more than 7 days for any reason, it will remain in an ‘Inactive’ status in the portal. **Machine was reinstalled or renamed**
                  -A reinstalled or renamed machine will generate a new machine entity in Windows Defender ATP portal. The previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed the Windows Defender ATP package, search for the new machine name to verify that the machine is reporting normally. +A reinstalled or renamed machine will generate a new machine entity in Windows Defender Security Center. The previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed the Windows Defender ATP package, search for the new machine name to verify that the machine is reporting normally. **Machine was offboarded**
                  If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should change to inactive. diff --git a/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md index 52ece2cd59..11933fc1f8 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -20,7 +20,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves an actor information report. @@ -50,7 +50,7 @@ If actor does not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -59,7 +59,7 @@ GET https://graph.microsoft.com/testwdatppreview/actors/zinc Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md index bf950ccad7..7d607f80b0 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md 
@@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves all alerts related to a given actor. @@ -49,7 +49,7 @@ If actor does not exist or no related alerts - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/actors/zinc/alerts Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md index ea7ebc034a..7bd281c1c2 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves an alert by its ID. @@ -49,7 +49,7 @@ If alert not found - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/alerts/{id} Content-type: application/json ``` -Response +**Response** Here is an example of the response. 
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md index 4936276d33..feb7c72977 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves the actor information related to the specific alert. @@ -49,7 +49,7 @@ If alert not found or actor not found - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -59,7 +59,7 @@ Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md index 8585e21488..1dc2400622 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md 
@@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves all domains related to a specific alert. @@ -49,7 +49,7 @@ If alert not found or domain not found - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/domains Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md index 5c00116cbb..692038dece 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves all files related to a specific alert. @@ -49,7 +49,7 @@ If alert not found or files not found - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. 
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/files Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md index 1422fd9d29..13d6fa451e 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves all IPs related to a specific alert. @@ -49,7 +49,7 @@ If alert not found or IPs not found - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/ips Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md index 1a6856dd1b..c65563b583 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves all machines related to a specific alert. @@ -48,7 +48,7 @@ If alert not found or machine not found - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -57,7 +57,7 @@ GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/machine Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md index 322e415d1e..0ca328f129 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves the user associated to a specific alert. @@ -49,7 +49,7 @@ If alert not found or user not found - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. 
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/user Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md index f0da636e39..91370e6ab4 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves top recent alerts. @@ -50,7 +50,7 @@ If no recent alerts found - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -59,7 +59,7 @@ GET https://graph.microsoft.com/testwdatppreview/alerts Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md index c96b12cd50..edf69b8cc2 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md 
@@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves a collection of alerts related to a given domain address. @@ -49,7 +49,7 @@ If domain or alert does not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/domains/{id}/alerts Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md index 69f702f7c9..42274f276d 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves a collection of machines related to a given domain address. @@ -49,7 +49,7 @@ If domain or machines do not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. 
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md index 32271f2620..a8d16cda6c 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves the prevalence for the given domain. @@ -49,7 +49,7 @@ If domain does not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md index b3a3eefa7b..3a8aecdcdc 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves a file by identifier Sha1, Sha256, or MD5. @@ -50,7 +50,7 @@ If file does not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -59,7 +59,7 @@ GET https://graph.microsoft.com/testwdatppreview/files/{id} Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md index fae00da926..3bc108f4c5 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves a collection of alerts related to a given file hash. @@ -49,7 +49,7 @@ If file or alerts do not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. 
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/files/{id}/alerts Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md index 1332ba931e..46a55266b9 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves a collection of machines related to a given file hash. @@ -49,7 +49,7 @@ If file or machines do not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/files/{id}/machines Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md index a642184c9d..379a272b7f 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves the prevalence for the given file. @@ -49,7 +49,7 @@ If file do not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/files/{id}/machines Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md index 21560e7198..58ec0179eb 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Gets collection of actions done on files. Get FileActions collection API supports OData V4 queries. 
@@ -51,7 +51,7 @@ If successful, this method returns 200, Ok response code with a collection of Fi ## Example -Request +**Request** Here is an example of the request on an organization that has three FileActions. @@ -59,7 +59,7 @@ Here is an example of the request on an organization that has three FileActions. GET https://graph.microsoft.com/testwdatppreview/fileactions ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md index 6d6d936711..e30ca834b1 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Gets file and machine actions. @@ -47,7 +47,7 @@ If successful, this method returns 200, Ok response code with the *FileMachineAc ## Example -Request +**Request** Here is an example of the request. @@ -55,7 +55,7 @@ Here is an example of the request. GET https://graph.microsoft.com/testwdatppreview/filemachineactions/3dc88ce3-dd0c-40f7-93fc-8bd14317aab6 ``` -Response +**Response** Here is an example of the response. 
diff --git a/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md index 013b12118a..4f981ccd54 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Get collection of file and machine actions. Get FileMachineActions collection API supports OData V4 queries. @@ -47,7 +47,7 @@ If successful, this method returns 200, Ok response code with a collection of Fi ## Example 1 -Request +**Request** Here is an example of the request on an organization that has three FileMachineActions. @@ -55,7 +55,7 @@ Here is an example of the request on an organization that has three FileMachineA GET https://graph.microsoft.com/testwdatppreview/filemachineactions ``` -Response +**Response** Here is an example of the response. @@ -113,7 +113,7 @@ Content-type: application/json ##Example 2 -Request +**Request** Here is an example of a request that filters the FileMachineActions by machine ID and shows the latest two FileMachineActions. 
@@ -121,7 +121,7 @@ Here is an example of a request that filters the FileMachineActions by machine I GET https://graph.microsoft.com/testwdatppreview/filemachineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2 ``` -Response +**Response** ``` HTTP/1.1 200 Ok diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md index e390e5f56a..b1ad30ecd5 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves a collection of alerts related to a given IP address. @@ -49,7 +49,7 @@ If IP and alerts do not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/ips/{id}/alerts Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md index 284901aa0d..1796c563b1 100644 
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -42,7 +42,7 @@ If IP or machines do not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -51,7 +51,7 @@ GET https://graph.microsoft.com/testwdatppreview/ips/{id}/machines Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md index 77c52c4e99..f04eee146e 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves the prevalence for the given IP. @@ -49,7 +49,7 @@ If domain does not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. 
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/ips/{id}/machines Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md index f9cd74d2b6..cdb7691d99 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves a machine entity by ID. @@ -49,7 +49,7 @@ If no machine found - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/machines/{id} Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md index ebcdf50543..f73f0600fd 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md 
@@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves a collection of logged on users. @@ -50,7 +50,7 @@ If no machine found or no users found - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -59,7 +59,7 @@ GET https://graph.microsoft.com/testwdatppreview/machines/{id}/logonusers Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md index b5b335d796..2cbf47c5da 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves a collection of alerts related to a given machine ID. @@ -49,7 +49,7 @@ If no machine or no alerts found - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. 
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/machines/{id}/alerts Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md index f680ca3c8e..21214216c0 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Get actions done on a machine. @@ -47,7 +47,7 @@ If successful, this method returns 200, Ok response code with the *MachineAction ## Example -Request +**Request** Here is an example of the request. @@ -55,7 +55,7 @@ Here is an example of the request. GET https://graph.microsoft.com/testwdatppreview/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md index fd36945114..4f8250057a 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Gets collection of actions done on machines. Get MachineAction collection API supports OData V4 queries. @@ -47,7 +47,7 @@ If successful, this method returns 200, Ok response code with a collection of Ma ## Example 1 -Request +**Request** Here is an example of the request on an organization that has three MachineActions. @@ -55,7 +55,7 @@ Here is an example of the request on an organization that has three MachineActio GET https://graph.microsoft.com/testwdatppreview/machineactions ``` -Response +**Response** Here is an example of the response. @@ -107,7 +107,7 @@ Content-type: application/json ## Example 2 -Request +**Request** Here is an example of a request that filters the MachineActions by machine ID and shows the latest two MachineActions. @@ -117,7 +117,7 @@ GET https://graph.microsoft.com/testwdatppreview/machineactions?$filter=machineI -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md index c446711e57..15f5915642 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md 
@@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves a collection of recently seen machines. @@ -49,7 +49,7 @@ If no recent machines - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/machines Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md index def484c73a..b000396208 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Get a URI that allows downloading of an investigation package. @@ -28,7 +28,7 @@ Users need to have Security administrator or Global admin directory roles. ## HTTP request ``` -POST /testwdatppreview/machineactions/{id}/getPackageUri +GET /testwdatppreview/machineactions/{id}/getPackageUri ``` ## Request headers 
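Review bot: The topic patched by the `@@ -28,7 +28,7 @@` hunk of get-package-sas-uri does not say how the returned URI should be handled, and correcting the request line to `GET` is a good moment to add that. The description says the call returns a URI that allows downloading an investigation package, and the file name suggests it is a shared access signature URI, so presumably anyone who holds the URI can fetch the package without further authentication. I would add one sentence after the description, for example `The returned URI grants access to the investigation package; treat it as a secret and keep it out of logs, tickets and chat.` The HTTP request section continues outside the hunk.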
@@ -48,7 +48,7 @@ If successful, this method returns 200, Ok response code with object that holds ## Example -Request +**Request** Here is an example of the request. @@ -57,7 +57,7 @@ GET https://graph.microsoft.com/testwdatppreview/machineactions/7327b54fd718525c ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md index 825ff7a13f..44a41412fe 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieve a User entity by key (user name or domain\user). @@ -49,7 +49,7 @@ If user does not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/users/{id} Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md index 7d3c12a300..12c741d3fe 100644 
--- a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves a collection of alerts related to a given user ID. @@ -49,7 +49,7 @@ If user does not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/users/{id}/alerts Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md index 779624c483..80a2b92234 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Retrieves a collection of machines related to a given user ID. 
@@ -49,7 +49,7 @@ If user or machine does not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/users/{id}/machines Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/images/WDATP-components.png b/windows/security/threat-protection/windows-defender-atp/images/WDATP-components.png new file mode 100644 index 0000000000..51f4335265 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/WDATP-components.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG b/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG index 3958d9a532..dda65b5342 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG and b/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/components.png b/windows/security/threat-protection/windows-defender-atp/images/components.png index 04ab864727..0ddc52f5d3 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/components.png and b/windows/security/threat-protection/windows-defender-atp/images/components.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/wdatp-pillars.png b/windows/security/threat-protection/windows-defender-atp/images/wdatp-pillars.png new file mode 100644 index 0000000000..06ad5e6ed2 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/wdatp-pillars.png differ 
diff --git a/windows/security/threat-protection/windows-defender-atp/images/wdatp-pillars2.png b/windows/security/threat-protection/windows-defender-atp/images/wdatp-pillars2.png new file mode 100644 index 0000000000..60725244e5 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/wdatp-pillars2.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md index c8df547c6b..3842b1c129 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- @@ -19,7 +19,7 @@ ms.date: 04/24/2018 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatealerts-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md index cf096a36d3..5f1f375b3f 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md 
@@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- # Investigate a domain associated with a Windows Defender ATP alert @@ -22,7 +22,7 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatedomain-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md index 042216f1a6..f57e046676 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- # Investigate a file associated with a Windows Defender ATP alert @@ -22,7 +22,7 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink) 
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md index cd9eaa9b7c..8a0c91b597 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- # Investigate an IP address associated with a Windows Defender ATP alert diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index 7f17822158..c6beecee0e 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md @@ -9,8 +9,8 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high -ms.date: 04/24/2018 +ms.localizationpriority: medium +ms.date: 08/01/2018 --- # Investigate machines in the Windows Defender ATP Machines list 
@@ -164,6 +164,13 @@ You can add tags on machines using the following ways: ### Add machine tags by setting a registry key value Add tags on machines which can be used as a filter in Machines list view. You can limit the machines in the list by selecting the Tag filter on the Machines list. +>[!NOTE] +> Applicable only on the following machines: +>- Windows 10, version 1709 or later +>- Windows Server, version 1803 or later +>- Windows Server 2016 +>- Windows Server 2012 R2 + Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines. Use the following registry key entry to add a tag on a machine: @@ -171,6 +178,9 @@ Use the following registry key entry to add a tag on a machine: - Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\` - Registry key value (string): Group +>[!NOTE] +>The device tag is part of the machine information report that’s generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report. + ### Add machine tags using the portal Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag. diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md index fb5d06dfd4..c7a8ba2be1 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md 
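Review bot: The two notes added under "Add machine tags by setting a registry key value" (hunks `@@ -164,6 +164,13 @@` and `@@ -171,6 +178,9 @@`) do not mention that the tag is a value the machine reports about itself. This matters because the machine-groups topic in this same diff lets a matching rule use tags to decide group membership, and with it the automation level and which Azure AD user group has access. Writing under `HKLM\SOFTWARE\Policies` normally requires local administrator rights, so it looks as if a local administrator could change which group a machine is matched to; a sentence such as `Restrict write access to this key and avoid using the tag as the only matching criterion for groups with restricted access.` would cover it. The second note is also hard to parse; `The tag is sent with the machine information report, which is generated once a day; restarting the endpoint also sends a new report.` says the same thing. It may be worth adding that a tag change can take up to a day to show up in the Machines list and in group matching.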
@@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- # Investigate a user account in Windows Defender ATP diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md index a7c1630a56..3bda2052aa 100644 --- a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- @@ -42,7 +42,7 @@ If domain does not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -51,7 +51,7 @@ GET https://graph.microsoft.com/testwdatppreview/domains/{id} Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md index a203295bcd..0e5cdd372b 100644 --- a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md 
@@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Answers whether an IP was seen in the organization. @@ -49,7 +49,7 @@ If IP do not exist - 404 Not Found. ## Example -Request +**Request** Here is an example of the request. @@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/ips/{id} Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md index 506bb47499..8a1af5560e 100644 --- a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Isolates a machine from accessing external network. @@ -57,7 +57,7 @@ If successful, this method returns 201, Created response code and _MachineAction ## Example -Request +**Request** Here is an example of the request. @@ -70,7 +70,7 @@ Content-type: application/json } ``` -Response +**Response** Here is an example of the response. 
diff --git a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md index 71573b1352..778f8d48b4 100644 --- a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: v-tanewt author: tbit0001 -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 10/16/2017 --- # Validate licensing provisioning and complete set up for Windows Defender ATP @@ -22,7 +22,7 @@ ms.date: 10/16/2017 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-validatelicense-abovefoldlink) 
@@ -50,9 +50,9 @@ To gain access into which licenses are provisioned to your company, and to check ![Image of O365 admin portal](images\atp-O365-admin-portal-customer.png) -## Access the Windows Defender ATP portal for the first time +## Access Windows Defender Security Center for the first time -When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows.com) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Windows Defender ATP created. +When accessing [Windows Defender Security Center](https://SecurityCenter.Windows.com) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Windows Defender ATP created. 1. Each time you access the portal you will need to validate that you are authorized to access the product. This **Set up your permissions** step will only be available if you are not currently authorized to access the product. 
@@ -64,9 +64,9 @@ When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows. ![Image of Welcome screen for portal set up](images\atp-portal-welcome-screen.png) - You will need to set up your preferences for the Windows Defender ATP portal. + You will need to set up your preferences for Windows Defender Security Center. -3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in Europe or The United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation. +3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation. > [!WARNING] > This option cannot be changed without completely offboarding from Windows Defender ATP and completing a new enrollment process. 
@@ -108,11 +108,11 @@ When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows. 8. You will receive a warning notifying you that you won't be able to change some of your preferences once you click **Continue**. > [!NOTE] - > Some of these options can be changed at a later time in the Windows Defender ATP portal. + > Some of these options can be changed at a later time in Windows Defender Security Center. ![Image of final preference set up](images\atp-final-preference-setup.png) -9. A dedicated cloud instance of the Windows Defender ATP portal is being created at this time. This step will take an average of 5 minutes to complete. +9. A dedicated cloud instance of Windows Defender Security Center portal is being created at this time. This step will take an average of 5 minutes to complete. ![Image of Windows Defender ATP cloud instance](images\atp-windows-cloud-instance-creation.png) diff --git a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md index 221bfd7884..eade1924be 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md @@ -9,8 +9,8 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high -ms.date: 04/24/2018 +ms.localizationpriority: medium +ms.date: 05/08/2018 --- # Create and manage machine groups in Windows Defender ATP 
@@ -24,7 +24,7 @@ ms.date: 04/24/2018 - Office 365 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + In an enterprise scenario, security operation teams are typically assigned a set of machines. These machines are grouped together based on a set of attributes such as their domains, computer names, or designated tags. 
@@ -33,61 +33,61 @@ In Windows Defender ATP, you can create machine groups and use them to: - Configure different auto-remediation settings for different sets of machines As part of the process of creating a machine group, you'll: -- Set the automated remediation level for that group -- Define a matching rule based on the machine name, domain, tags, and OS platform to determine which machines belong to the group. If a machine is also matched to other groups, it is added only to the highest ranked machine group. -- Determine access to machine group -- Rank the machine group relative to other groups after it is created +- Set the automated remediation level for that group. For more information on remediation levels, see [Use Automated investigation to investigate and remediate threats](automated-investigations-windows-defender-advanced-threat-protection.md). +- Specify the matching rule that determines which machine group belongs to the group based on the machine name, domain, tags, and OS platform. If a machine is also matched to other groups, it is added only to the highest ranked machine group. +- Select the Azure AD user group that should have access to the machine group. +- Rank the machine group relative to other groups after it is created. >[!NOTE] ->All machine groups are accessible to all users if you don’t assign any Azure AD groups to them. +>A machine group is accessible to all users if you don’t assign any Azure AD groups to it. ## Add a machine group -1. In the navigation pane, select **Settings > Permissions > Machine groups**. +1. In the navigation pane, select **Settings** > **Machine groups**. 2. Click **Add machine group**. -3. Set the machine group details, configure an association rule, preview the results, then assign the group to an Azure user group: +3. Enter the group name and automation settings and specify the matching rule that determines which machines belong to the group. 
- - **Name** - - - **Remediation level for automated investigations** - - **No remediation** - - **Require approval (all folders)** - - **Require approval (non-temp folders)** - - **Require approval (core folders)** - - **Fully automated** + - **Machine group name** + - **Automation level** + - **Semi - require approval for any remediation** + - **Semi - require approval for non-temp folders remediation** + - **Semi - require approval for core folders remediation** + - **Full - remediate threats automatically** + + >[!NOTE] + > For more information on automation levels, see [Understand the Automated investigation flow](automated-investigations-windows-defender-advanced-threat-protection.md#understand-the-automated-investigation-flow). - **Description** + - **Members** - - **Matching rule** – you can apply the rule based on machine name, domain, tag, or OS version. + >[!TIP] + >If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags). - >[!TIP] - >If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags). - -4. Review the result of the preview of matched machines. If you are satisfied with the rules, click the **Access** tab. +4. Preview several machines that will be matched by this rule. If you are satisfied with the rule, click the **Access** tab. 5. Assign the user groups that can access the machine group you created. 
>[!NOTE] >You can only grant access to Azure AD user groups that have been assigned to RBAC roles. -6. Click **Close**. +6. Click **Close**. The configuration changes are applied. -7. Apply the configuration settings. -## Understand matching and manage groups -You can promote the rank of a machine group so that it is given higher priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups. +## Manage machine groups +You can promote or demote the rank of a machine group so that it is given higher or lower priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups. + +>[!WARNING] +>Deleting a machine group may affect email notification rules. If a machine group is configured under an email notification rule, it will be removed from that rule. If the machine group is the only group configured for an email notification, that email notification rule will be deleted along with the machine group. By default, machine groups are accessible to all users with portal access. You can change the default behavior by assigning Azure AD user groups to the machine group. Machines that are not matched to any groups are added to Ungrouped machines (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group. >[!NOTE] ->Applying changes to machine group configuration may take up to several minutes. - - +> - Applying changes to machine group configuration may take up to several minutes. ## Related topic 
diff --git a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
index c304f74048..3906ca3861 100644
--- a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 04/24/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
index 54bc053ce4..4860f91956 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 04/24/2018
 ---
@@ -23,7 +23,7 @@ ms.date: 04/24/2018
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
@@ -57,7 +57,7 @@ Whenever a change or comment is made to an alert, it is recorded in the **Commen Added comments instantly appear on the pane. ## Suppress alerts -There might be scenarios where you need to suppress alerts from appearing in the Windows Defender ATP portal. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. +There might be scenarios where you need to suppress alerts from appearing in Windows Defender Security Center. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed. @@ -110,7 +110,7 @@ Create custom rules to control when alerts are suppressed, or resolved. You can ### View the list of suppression rules -1. In the navigation pane, select **Settings** > **Rules** > **Alert suppression**. +1. In the navigation pane, select **Settings** > **Alert suppression**. 2. The list of suppression rules shows all the rules that users in your organization have created. diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md index abe6240f77..c090006878 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md 
@@ -9,8 +9,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
-ms.date: 04/24/2018
+ms.localizationpriority: medium
+ms.date: 06/14/2018
 ---
 # Manage automation allowed/blocked lists
@@ -23,7 +23,7 @@ ms.date: 04/24/2018
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
@@ -36,32 +36,30 @@ Entities added to the blocked list are considered malicious and will be remediat You can define the conditions for when entities are identified as malicious or safe based on certain attributes such as hash values or certificates. ## Create an allowed or blocked list -1. In the navigation pane, select **Settings** > **Rules** > **Automation allowed/blocked list**. +1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**. -2. Select the type of entity you'd like to create an exclusion for. You can choose any of the following entities: +2. Select the tab of the type of entity you'd like to create an exclusion for. You can choose any of the following entities: - File hash - Certificate - + - IP address + 3. Click **Add system exclusion**. -4. For each attribute specify the exclusion type, details, and the following required values: - - - **Files** - Hash value - - **Certificate** - PEM certificate file +4. For each attribute specify the exclusion type, details, and their corresponding required values. -5. Click **Update rule**. +5. Click **Add rule**. ## Edit a list -1. In the navigation pane, select **Settings** > **Rules** > **Automation allowed/blocked list**. +1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**. -2. Select the type of entity you'd like to edit the list from. +2. Select the tab of the entity type you'd like to edit the list from. 3. Update the details of the rule and click **Update rule**. ## Delete a list -1. In the navigation pane, select **Settings** > **Rules** > **Automation allowed/blocked list**. +1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**. -2. Select the type of entity you'd like to delete the list from. +2. Select the tab of the entity type you'd like to delete the list from. 3. Select the list type by clicking the check-box beside the list type. 
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md
index a418fca559..89eeee2c0e 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 04/24/2018
 ---
@@ -23,7 +23,7 @@ ms.date: 04/24/2018
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationefileuploads-abovefoldlink)
@@ -35,15 +35,13 @@ For example, if you add *exe* and *bat* as file or attachment extension names, t ## Add file extension names and attachment extension names. -1. In the navigation pane, select **Settings** > **Rules** > **Automation file uploads**. +1. In the navigation pane, select **Settings** > **Automation file uploads**. 2. Toggle the content analysis setting between **On** and **Off**. 3. Configure the following extension names and separate extension names with a comma: - **File extension names** - Suspicious files except email attachments will be submitted for additional inspection - - **Attachment extension names** - Suspicious email attachments with these extension names will be submitted for additional inspection - - + ## Related topics - [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md index 0388d3e0dd..bae5b989f8 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- 
@@ -23,7 +23,7 @@ ms.date: 04/24/2018
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionfolder-abovefoldlink)
@@ -47,7 +47,7 @@ You can specify the file names that you want to be excluded in a specific direct
 ## Add an automation folder exclusion
-1. In the navigation pane, select **Settings** > **Rules** > **Automation folder exclusions**.
+1. In the navigation pane, select **Settings** > **Automation folder exclusions**.
 2. Click **New folder exclusion**.
@@ -62,14 +62,14 @@ You can specify the file names that you want to be excluded in a specific direct
 4. Click **Save**.
 ## Edit an automation folder exclusion
-1. In the navigation pane, select **Settings** > **Rules** > **Automation folder exclusions**.
+1. In the navigation pane, select **Settings** > **Automation folder exclusions**.
 2. Click **Edit** on the folder exclusion.
 3. Update the details of the rule and click **Save**.
 ## Remove an automation folder exclusion
-1. In the navigation pane, select **Settings** > **Rules** > **Automation folder exclusions**.
+1. In the navigation pane, select **Settings** > **Automation folder exclusions**.
 2. Click **Remove exclusion**.
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md
index afd498bd1b..6db6e02136 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- @@ -23,7 +23,7 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-suppressionrules-abovefoldlink) @@ -32,7 +32,7 @@ There might be scenarios where you need to suppress alerts from appearing in the You can view a list of all the suppression rules and manage them in one place. You can also turn an alert suppression rule on or off. ## Turn a suppression rule on or off -1. In the navigation pane, select **Settings** > **Rules** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed. +1. In the navigation pane, select **Settings** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed. 2. Select a rule by clicking on the check-box beside the rule name. @@ -40,7 +40,7 @@ You can view a list of all the suppression rules and manage them in one place. Y ## View details of a suppression rule -1. In the navigation pane, select **Settings** > **Rules** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed. +1. In the navigation pane, select **Settings** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed. 2. Click on a rule name. Details of the rule is displayed. You'll see the rule details such as status, scope, action, number of matching alerts, created by, and date when the rule was created. You can also view associated alerts and the rule conditions. 
diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index 9afdfa86cb..aee31bf368 100644 --- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -9,8 +9,8 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high -ms.date: 04/24/2018 +ms.localizationpriority: medium +ms.date: 07/01/2018 --- # Minimum requirements for Windows Defender ATP 
@@ -23,121 +23,20 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] - There are some minimum requirements for onboarding machines to the service. >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-minreqs-abovefoldlink) -## Minimum requirements -You must be on Windows 10, version 1607 at a minimum. -For more information, see [Windows 10 Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/buy). - -### Licensing requirements +## Licensing requirements Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: -- Windows 10 Enterprise E5 -- Windows 10 Education E5 +- Windows 10 Enterprise E5 +- Windows 10 Education E5 - Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5 For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2). -### Network and data storage and configuration requirements -When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: either in a European or United States datacenter. - -> [!NOTE] -> - You cannot change your data storage location after the first-time setup. -> - Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data. - -### Hardware and software requirements - -The Windows Defender ATP agent only supports the following editions of Windows 10: - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - -Machines on your network must be running one of these editions. 
- -The hardware requirements for Windows Defender ATP on machines is the same as those for the supported editions. - -> [!NOTE] -> Machines that are running mobile versions of Windows are not supported. - -#### Internet connectivity -Internet connectivity on machines is required either directly or through proxy. - -The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data. - -For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) . - -Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10. - - -### Diagnostic data settings -You must ensure that the diagnostic data service is enabled on all the machines in your organization. -By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them. - -**Use the command line to check the Windows 10 diagnostic data service startup type**: - -1. Open an elevated command-line prompt on the machine: - - a. Go to **Start** and type **cmd**. - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Enter the following command, and press **Enter**: - - ```text - sc qc diagtrack - ``` - -If the service is enabled, then the result should look like the following screenshot: - -![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png) - -If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start. - - - -**Use the command line to set the Windows 10 diagnostic data service to automatically start:** - -1. Open an elevated command-line prompt on the endpoint: - - a. Go to **Start** and type **cmd**. - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. 
Enter the following command, and press **Enter**: - - ```text - sc config diagtrack start=auto - ``` - -3. A success message is displayed. Verify the change by entering the following command, and press **Enter**: - - ```text - sc qc diagtrack - ``` - -## Windows Defender Antivirus signature updates are configured -The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them. - -You must configure the signature updates on the Windows Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md). - -When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy. - -Depending on the server version you're onboarding, you might need to configure a Group Policy setting to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md). - -For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). - -## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled -If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the Windows Defender ATP agent will successfully onboard. 
- -If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy). - ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-minreq-belowfoldlink1) ## Related topic - [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md) +- [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md index 5083d2feae..0b481a47f3 100644 --- a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- @@ -27,7 +27,7 @@ ms.date: 04/24/2018 - Windows Server 2016 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-offboardmachines-abovefoldlink) 
diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md index e5ee209594..5f44382d18 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md @@ -9,32 +9,23 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high -ms.date: 04/24/2018 +ms.localizationpriority: medium +ms.date: 07/01/2018 --- # Onboard machines to the Windows Defender ATP service **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education -- macOS -- Linux -- Windows Server 2012 R2 -- Windows Server 2016 - Windows Defender Advanced Threat Protection (Windows Defender ATP) +You need to onboard machines to Windows Defender ATP before you can use the service. + +For more information, see [Onboard your Windows 10 machines to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be). + [!include[Prerelease information](prerelease.md)] >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) -You need to onboard to Windows Defender ATP before you can use the service. - -For more information, see [Onboard your Windows 10 machines to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be). - ## Licensing requirements Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: 
@@ -44,6 +35,104 @@ Windows Defender Advanced Threat Protection requires one of the following Micros For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2). +## Hardware and software requirements +### Supported Windows versions +- Windows 7 SP1 Enterprise +- Windows 7 SP1 Pro +- Windows 8.1 Enterprise +- Windows 8.1 Pro +- Windows 10 + - Windows 10 Enterprise + - Windows 10 Education + - Windows 10 Pro + - Windows 10 Pro Education +- Windows server + - Windows Server 2012 R2 + - Windows Server 2016 + - Windows Server, version 1803 + +Machines on your network must be running one of these editions. + +The hardware requirements for Windows Defender ATP on machines is the same as those for the supported editions. + +> [!NOTE] +> Machines that are running mobile versions of Windows are not supported. + + +### Other supported operating systems +- macOSX +- Linux + +>[!NOTE] +>You'll need to know the exact Linux distros and macOS X versions that are compatible with Windows Defender ATP for the integration to work. + + +### Network and data storage and configuration requirements +When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter. + +> [!NOTE] +> - You cannot change your data storage location after the first-time setup. +> - Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data. + + +### Diagnostic data settings +You must ensure that the diagnostic data service is enabled on all the machines in your organization. +By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them. 
+ +**Use the command line to check the Windows 10 diagnostic data service startup type**: + +1. Open an elevated command-line prompt on the machine: + + a. Go to **Start** and type **cmd**. + + b. Right-click **Command prompt** and select **Run as administrator**. + +2. Enter the following command, and press **Enter**: + + ```text + sc qc diagtrack + ``` + +If the service is enabled, then the result should look like the following screenshot: + +![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png) + +If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start. + + + +**Use the command line to set the Windows 10 diagnostic data service to automatically start:** + +1. Open an elevated command-line prompt on the endpoint: + + a. Go to **Start** and type **cmd**. + + b. Right-click **Command prompt** and select **Run as administrator**. + +2. Enter the following command, and press **Enter**: + + ```text + sc config diagtrack start=auto + ``` + +3. A success message is displayed. Verify the change by entering the following command, and press **Enter**: + + ```text + sc qc diagtrack + ``` + + + +#### Internet connectivity +Internet connectivity on machines is required either directly or through proxy. + +The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data. + +For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) . + +Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10. + + ## Windows Defender Antivirus configuration requirement The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them. 
@@ -56,13 +145,19 @@ If you are onboarding servers and Windows Defender Antivirus is not the active a For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). +## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled +If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the Windows Defender ATP agent will successfully onboard. + +If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy). + ## In this section Topic | Description :---|:--- +[Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)| Onboard Windows 7 and Windows 8.1 machines to Windows Defender ATP. [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to onboard machines for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise. [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP -[Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. 
You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data. +[Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products' sensor data. [Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md) | Run a script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service. [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings. [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding. diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..46f931e363 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,109 @@ +--- +title: Onboard previous versions of Windows on Windows Defender ATP +description: Onboard supported previous versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor +keywords: onboard, windows, 7, 81, oms, sp1, enterprise, pro, down level +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 06/18/2018 +--- + +# Onboard previous versions of Windows + +**Applies to:** + +- Windows 7 SP1 Enterprise +- Windows 7 SP1 Pro +- Windows 8.1 Pro +- Windows 8.1 Enterprise +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-downlevel-abovefoldlink) + +Windows Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions. + +To onboard down-level Windows client endpoints to Windows Defender ATP, you'll need to: +- Configure and update System Center Endpoint Protection clients. +- Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP as instructed below. + +>[!TIP] +> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). + +## Configure and update System Center Endpoint Protection clients +>[!IMPORTANT] +>This step is required only if your organization uses System Center Endpoint Protection (SCEP). 
+ +Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. + +The following steps are required to enable this integration: +- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/en-us/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) +- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting + +## Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP + +### Before you begin +Review the following details to verify minimum system requirements: +- Install the [February monthly update rollout](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) + + >[!NOTE] + >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. + +- Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) + + >[!NOTE] + >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. + +- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in your environment with Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-concept-hybrid#prerequisites) + +1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604). + +2. Obtain the workspace ID: + - In the Windows Defender ATP navigation pane, select **Settings > Machine management > Onboarding** + - Select **Windows 7 SP1 and 8.1** as the operating system + - Copy the workspace ID and workspace key + +3. 
Using the Workspace ID and Workspace key choose any of the following installation methods to install the agent: + - Manually install the agent using setup
                  + On the **Agent Setup Options** page, select **Connect the agent to Azure Log Analytics (OMS)** + - [Install the agent using command line](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-agent-windows#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-agent-windows#add-a-workspace-using-a-script) + +4. If you're using a proxy to connect to the Internet see the Configure proxy settings section. + +Once completed, you should see onboarded endpoints in the portal within an hour. + +### Configure proxy and Internet connectivity settings + +- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway). +- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service: + +Agent Resource | Ports +:---|:--- +| *.oms.opinsights.azure.com | 443 | +| *.blob.core.windows.net | 443 | +| *.azure-automation.net | 443 | +| *.ods.opinsights.azure.com | 443 | +| winatp-gw-cus.microsoft.com | 443 | +| winatp-gw-eus.microsoft.com | 443 | +| winatp-gw-neu.microsoft.com | 443 | +| winatp-gw-weu.microsoft.com | 443 | +|winatp-gw-uks.microsoft.com | 443 | +|winatp-gw-ukw.microsoft.com | 443 | + + +## Offboard client endpoints +To offboard, you can uninstall the MMA agent from the endpoint or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the endpoint will no longer send sensor data to Windows Defender ATP. + +>Want to experience Windows Defender ATP? 
[Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-downlevele-belowfoldlink) + + + + + + diff --git a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md index d8e518f47c..bbee7b2a62 100644 --- a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Windows Defender Advanced Threat Protection portal overview -description: Use the Windows Defender ATP portal to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches. -keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, settings, machine management, advanced attacks +description: Use Windows Defender Security Center to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches. +keywords: Windows Defender Security Center, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, settings, machine management, advanced attacks search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- 
@@ -23,18 +23,18 @@ ms.date: 04/24/2018
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-Enterprise security teams can use the Windows Defender ATP portal to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches.
+Enterprise security teams can use Windows Defender Security Center to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches.
-You can use the [Windows Defender ATP portal](https://securitycenter.windows.com/) to:
+You can use [Windows Defender Security Center](https://securitycenter.windows.com/) to:
 - View, sort, and triage alerts from your endpoints
 - Search for more information on observed indicators such as files and IP Addresses
 - Change Windows Defender ATP settings, including time zone and review licensing information.
-## Windows Defender ATP portal
+## Windows Defender Security Center
 When you open the portal, you’ll see the main areas of the application:
 ![Windows Defender Advanced Threat Protection portal](images/dashboard.png)
diff --git a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
index ecb07ccd1e..ee949dfc75 100644
--- a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 04/24/2018
 ---
 # Create and build Power BI reports using Windows Defender ATP data
@@ -21,7 +21,7 @@ ms.date: 04/24/2018
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-powerbireports-abovefoldlink)
@@ -35,12 +35,12 @@ You can easily get started by:
 - Creating a dashboard on the Power BI service
 - Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting requirements of your organization
-You can access these options from the Windows Defender ATP portal. Both the Power BI service and Power BI Desktop are supported.
+You can access these options from Windows Defender Security Center. Both the Power BI service and Power BI Desktop are supported.
 ## Create a Windows Defender ATP dashboard on Power BI service
 Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
-1. In the navigation pane, select **Settings** > **General** > **Power BI reports**.
+1. In the navigation pane, select **Settings** > **Power BI reports**.
 2. Click **Create dashboard**.
@@ -127,7 +127,7 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t
 ### Before you begin
 1. Make sure you use Power BI Desktop June 2017 and above. [Download the latest version](https://powerbi.microsoft.com/en-us/desktop/).
-2. In the navigation pane, select **Settings** > **General** > **Power BI reports**.
+2. In the navigation pane, select **Settings** > **Power BI reports**.
 3. Click **Download connector** to download the WDATPPowerBI.zip file and extract it.
diff --git a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
index f08533a767..cc40a22908 100644
--- a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 04/24/2018
 ---
@@ -23,7 +23,7 @@ ms.date: 04/24/2018
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
 This article provides PowerShell code examples for using the custom threat intelligence API.
diff --git a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
index 72dd86675c..769e84dfb8 100644
--- a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Configure Windows Defender ATP settings
+title: Configure Windows Defender Security Center settings
 description: Use the settings page to configure general settings, permissions, apis, and rules.
 keywords: settings, general settings, permissions, apis, rules
 search.product: eADQiWindows 10XVcnh
@@ -9,10 +9,10 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 04/24/2018
 ---
-# Configure Windows Defender ATP settings
+# Configure Windows Defender Security Center settings
 **Applies to:**
@@ -22,7 +22,7 @@ ms.date: 04/24/2018
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-prefsettings-abovefoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
index 61315574f8..244a09bc78 100644
--- a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 04/24/2018
 ---
 # Turn on the preview experience in Windows Defender ATP
@@ -22,13 +22,13 @@ ms.date: 04/24/2018
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-previewsettings-abovefoldlink)
 Turn on the preview experience setting to be among the first to try upcoming features.
-1. In the navigation pane, select **Settings** > **Preview experience**.
+1. In the navigation pane, select **Settings** > **Advanced features**.
 ![Image of settings and preview experience](images/atp-preview-features.png)
diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
index af0f9887a7..8675655043 100644
--- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
@@ -9,8 +9,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
-ms.date: 04/24/2018
+ms.localizationpriority: medium
+ms.date: 07/30/2018
 ---
 # Windows Defender ATP preview features
@@ -23,7 +23,7 @@ ms.date: 04/24/2018
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
 The Windows Defender ATP service is constantly being updated to include new feature enhancements and capabilities.
@@ -36,24 +36,24 @@ You'll have access to upcoming features which you can provide feedback on to hel Turn on the preview experience setting to be among the first to try upcoming features. -1. In the navigation pane, select **Settings** > **General** > **Advanced features** > **Preview features**. +1. In the navigation pane, select **Settings** > **Advanced features** > **Preview features**. 2. Toggle the setting between **On** and **Off** and select **Save preferences**. ## Preview features The following features are included in the preview release: +- [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)
                  +Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor + - Windows 7 SP1 Enterprise + - Windows 7 SP1 Pro + - Windows 8.1 Enterprise + - Windows 8.1 Pro -- [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
                  -Windows Defender ATP supports the onboarding of the following servers: - - Windows Server 2012 R2 - - Windows Server 2016 +- [Integration with Azure Security Center](configure-server-endpoints-windows-defender-advanced-threat-protection.md#integration-with-azure-security-center)
                  +Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. -- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
                  -Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access Windows Defender ATP data using Microsoft Graph. - -- [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
                  - Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you, to automate workflows and innovate based on Windows Defender ATP capabilities. + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md index 441d1895d8..aab70fb694 100644 --- a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- title: Pull Windows Defender ATP alerts using REST API -description: Pull alerts from the Windows Defender ATP portal REST API. +description: Pull alerts from Windows Defender ATP REST API. keywords: alerts, pull alerts, rest api, request, response search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- @@ -23,7 +23,7 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) 
@@ -103,7 +103,7 @@ Use optional query parameters to specify and control the amount of data returned Name | Value| Description :---|:---|:--- -DateTime?sinceTimeUtc | string | Defines the lower time bound alerts are retrieved from, based on field:
                  `LastProccesedTimeUtc`
                  The time range will be: from sinceTimeUtc time to current time.

                  **NOTE**: When not specified, all alerts generated in the last two hours are retrieved. +DateTime?sinceTimeUtc | string | Defines the lower time bound alerts are retrieved from, based on field:
                  `LastProcessedTimeUtc`
                  The time range will be: from sinceTimeUtc time to current time.

                  **NOTE**: When not specified, all alerts generated in the last two hours are retrieved. DateTime?untilTimeUtc | string | Defines the upper time bound alerts are retrieved.
                  The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.

                  **NOTE**: When not specified, the default value will be the current time. string ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.

                  Value should be set according to **ISO 8601** duration format
                  E.g. `ago=PT10M` will pull alerts received in the last 10 minutes. int?limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.

                  **NOTE**: When not specified, all alerts available in the time range will be retrieved. diff --git a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md index 58abb6bddc..ec4e631bbb 100644 --- a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- @@ -23,7 +23,7 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + ## Before you begin You must [install](http://docs.python-requests.org/en/master/user/install/#install) the "[requests](http://docs.python-requests.org/en/master/)" python library. diff --git a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md index fdb452e1ad..6c6e1ced73 100644 --- a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md 
@@ -1,5 +1,5 @@
 ---
-title: Use role-based access control to grant fine-grained access to the Windows Defender ATP portal
+title: Use role-based access control to grant fine-grained access to Windows Defender Security Center
 description: Create roles and groups within your security operations to grant access to the portal.
 keywords: rbac, role, based, access, control, groups, control, tier, aad
 search.product: eADQiWindows 10XVcnh
@@ -9,8 +9,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
-ms.date: 04/24/2018
+ms.localizationpriority: medium
+ms.date: 05/08/2018
 ---
 # Manage portal access using role-based access control
@@ -24,7 +24,7 @@ ms.date: 04/24/2018
 - Office 365
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-rbac-abovefoldlink)
@@ -57,12 +57,12 @@ Before using RBAC, it's important that you understand the roles that can grant p > [!WARNING] > Before enabling the feature, it's important that you have a Global Administrator role or Security Administrator role in Azure AD and that you have your Azure AD groups ready to reduce the risk of being locked out of the portal. -When you first log in to the Windows Defender ATP portal, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD. +When you first log in to Windows Defender Security Center, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD. Someone with a Windows Defender ATP Global administrator role has unrestricted access to all machines, regardless of their machine group association and the Azure AD user groups assignments > [!WARNING] -> Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles in the Windows Defender ATP portal, therefore, having the right groups ready in Azure AD is important. +> Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles in Windows Defender Security Center, therefore, having the right groups ready in Azure AD is important. > > **Turning on role-based access control will cause users with read-only permissions (for example, users assigned to Azure AD Security reader role) to lose access until they are assigned to a role.** 
> @@ -76,17 +76,18 @@ Someone with a Windows Defender ATP Global administrator role has unrestricted a 2. Click **Add role**. -3. Enter the role name, description, and active permissions you’d like to assign to the role. +3. Enter the role name, description, and permissions you’d like to assign to the role. - **Role name** - **Description** - - **Active permissions** + - **Permissions** - **View data** - Users can view information in the portal. - **Investigate alerts** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline. - **Approve or take action** - Users can take response actions and approve or dismiss pending remediation actions. - **Manage system settings** - Users can configure settings, SIEM and threat intel API settings, advanced settings, preview features, and automated file uploads. + - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications. 4. Click **Next** to assign the role to an Azure AD group. @@ -102,13 +103,13 @@ Someone with a Windows Defender ATP Global administrator role has unrestricted a 2. Click **Edit**. -3. Modify the details or the groups that the role is a part of. +3. Modify the details or the groups that are assigned to the role. 4. Click **Save and close**. ## Delete roles -1. Select the role row you'd like to delete. +1. Select the role you'd like to delete. 2. Click the drop-down button and select **Delete role**. diff --git a/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md index 2a6bf80ab0..5e12dabe3d 100644 
--- a/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Request sample of a file from a specific machine. File will be collected from the machine and uploaded to a secure storage. @@ -52,7 +52,7 @@ If successful, this method returns 201, Created response code and *FileMachineAc ## Example -Request +**Request** Here is an example of the request. @@ -66,7 +66,7 @@ Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index f3fa656be3..c2dc292025 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- 
diff --git a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
index ac9d6c02de..c43c430a57 100644
--- a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 12/12/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
index f4a083f835..8858ac7366 100644
--- a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 11/12/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md
index d6e18c2022..b7b33d60ef 100644
--- a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Restrict execution of set of predefined applications. @@ -51,7 +51,7 @@ If successful, this method returns 201, Created response code and _MachineAction ## Example -Request +**Request** Here is an example of the request. @@ -63,7 +63,7 @@ Content-type: application/json } ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md index 28e6945c58..c6803604a8 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Initiate Windows Defender Antivirus scan on the machine. @@ -59,7 +59,7 @@ If successful, this method returns 201, Created response code and _MachineAction ## Example -Request +**Request** Here is an example of the request. 
@@ -72,7 +72,7 @@ Content-type: application/json } ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md index f74f0543b9..87fe1b0b5c 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 11/06/2017 --- diff --git a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md index c6c4102eb5..47815df570 100644 --- a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: mjcaparas -localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- @@ -22,7 +22,7 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-abovefoldlink) 
@@ -297,6 +297,9 @@ For more information, see [Windows Defender Firewall with Advanced Security](htt ### BitLocker optimization For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for BitLocker is fulfilled. +>[!IMPORTANT] +>This security control is only applicable for machines with Windows 10, version 1803 or later. + #### Minimum baseline configuration setting for BitLocker - Ensure all supported internal drives are encrypted - Ensure that all suspended protection on drives resume protection @@ -323,7 +326,7 @@ For a machine to be considered "well configured", it must comply to a minimum ba Machines are considered "well configured" for Windows Defender Credential Guard if the following requirements are met: - Hardware and software prerequisites are met -- Windows Defender Credential Guard is turned on on compatible machines +- Windows Defender Credential Guard is turned on compatible machines ##### Recommended actions: diff --git a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md index d3740aa25f..8e9f3634dc 100644 --- a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- 
@@ -23,7 +23,7 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink) @@ -114,7 +114,7 @@ This tile shows statistics related to automated investigations in the last 30 da ![Image of automated investigations statistics](images/atp-automated-investigations-statistics.png) -You can click on **Automated investigations**, **Remidated investigations**, and **Alerts investigated** to navigate to the **Invesgations** page, filtered by the appropriate category. This lets you see a detailed breakdown of investigations in context. +You can click on **Automated investigations**, **Remidated investigations**, and **Alerts investigated** to navigate to the **Investigations** page, filtered by the appropriate category. This lets you see a detailed breakdown of investigations in context. ## Users at risk The tile shows you a list of user accounts with the most active alerts and the number of alerts seen on high, medium, or low alerts. diff --git a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md index 488f25d704..656e809d15 100644 --- a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- 
@@ -23,7 +23,7 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-servicestatus-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md index 44ac36d4ef..9540e46529 100644 --- a/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Stop execution of a file on a machine and ensure it’s not executed again on that machine. @@ -52,7 +52,7 @@ If successful, this method returns 201, Created response code and _FileMachineAc ## Example -Request +**Request** Here is an example of the request. @@ -65,7 +65,7 @@ Content-type: application/json } ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md index 9fa8d8f13a..b8bc903b76 100644 
--- a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- @@ -23,7 +23,7 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md index 70bff68a83..2d05ed0158 100644 --- a/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/01/2017 --- diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md index 1b25b996dc..9b235fa9b0 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 03/06/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md index 160df53514..dc1b0cb21e 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- @@ -23,7 +23,7 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-threatindicator-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md index 8f05637899..e9cb11bc67 100644 --- a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md 
@@ -1,7 +1,7 @@ --- -title: Windows Defender Advanced Threat Protection time zone settings +title: Windows Defender Security Center time zone settings description: Use the menu to configure the time zone and view license information. -keywords: Windows Defender ATP settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license +keywords: settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -9,11 +9,11 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 02/13/2018 --- -# Windows Defender Advanced Threat Protection time zone settings +# Windows Defender Security Center time zone settings **Applies to:** diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md index b020424608..be766d8d46 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md @@ -9,8 +9,8 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high -ms.date: 02/26/2018 +ms.localizationpriority: medium +ms.date: 06/25/2018 --- # Troubleshoot custom threat intelligence issues 
@@ -23,7 +23,7 @@ ms.date: 02/26/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + You might need to troubleshoot issues while using the custom threat intelligence feature. @@ -39,8 +39,10 @@ If your client secret expires or if you've misplaced the copy provided when you 3. Select your tenant. -4. Click **App registrations** > **All apps**. Then select the application name **WindowsDefenderATPThreatIntelAPI** (formerly known as **WindowsDefenderATPCustomerTiConnector**). - +4. Click **App registrations** > **All apps**. Then select the relevant application name: + - **WindowsDefenderATPThreatIntelAPI** (formerly known as **WindowsDefenderATPCustomerTiConnector**) + - **WindowsDefenderATPSiemConnector** + 5. Under **Settings**, select **Keys**, then provide a key description and specify the key validity duration. 6. Click **Save**. The key value is displayed. diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md index ae602776bf..eee538a7aa 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md 
@@ -1,76 +1,85 @@ ---- -title: Troubleshoot onboarding issues and error messages -description: Troubleshoot onboarding issues and error message while completing setup of Windows Defender Advanced Threat Protection. -keywords: troubleshoot, troubleshooting, Azure Active Directory, onboarding, error message, error messages, windows defender atp -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-tanewt -author: tbit0001 -ms.localizationpriority: high -ms.date: 11/28/2017 ---- - -# Troubleshoot subscription and portal access issues - -**Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink) - - -This page provides detailed steps to troubleshoot issues that might occur when setting up your Windows Defender ATP service. - -If you receive an error message, the Windows Defender ATP portal will provide a detailed explanation on what the issue is and relevant links will be supplied. - -## No subscriptions found - -If while accessing the Windows Defender ATP portal you get a **No subscriptions found** message, it means the Azure Active Directory (AAD) used to login the user to the portal, does not have a Windows Defender ATP license. - -Potential reasons: -- The Windows E5 and Office E5 licenses are separate licenses. -- The license was purchased but not provisioned to this AAD instance. - - It could be a license provisioning issue. - - It could be you inadvertently provisioned the license to a different Microsoft AAD than the one used for authentication into the service. 
- -For both cases you should contact Microsoft support at [General Windows Defender ATP Support](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or -[Volume license support](https://www.microsoft.com/licensing/servicecenter/Help/Contact.aspx). - -![Image of no subscriptions found](images\atp-no-subscriptions-found.png) - -## Your subscription has expired - -If while accessing the Windows Defender ATP portal you get a **Your subscription has expired** message, your online service subscription has expired. Windows Defender ATP subscription, like any other online service subscription, has an expiration date. - -You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the machine offboarding package, should you choose to not renew the license. - -> [!NOTE] -> For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. - -![Image of subscription expired](images\atp-subscription-expired.png) - -## You are not authorized to access the portal - -If you receive a **You are not authorized to access the portal**, be aware that Windows Defender ATP is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user. -For more information see, [**Assign user access to the portal**](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection). 
- -![Image of not authorized to access portal](images\atp-not-authorized-to-access-portal.png) - -## Data currently isn't available on some sections of the portal -If the portal dashboard, and other sections show an error message such as "Data currently isn't available": - -![Image of data currently isn't available](images/atp-data-not-available.png) - -You'll need to whitelist the `security.windows.com` and all sub-domains under it. For example `*security.windows.com`. - - -## Related topics +--- +title: Troubleshoot onboarding issues and error messages +description: Troubleshoot onboarding issues and error message while completing setup of Windows Defender Advanced Threat Protection. +keywords: troubleshoot, troubleshooting, Azure Active Directory, onboarding, error message, error messages, windows defender atp +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-tanewt +author: tbit0001 +ms.localizationpriority: medium +ms.date: 08/01/2018 +--- + +# Troubleshoot subscription and portal access issues + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink) + + +This page provides detailed steps to troubleshoot issues that might occur when setting up your Windows Defender ATP service. + +If you receive an error message, Windows Defender Security Center will provide a detailed explanation on what the issue is and relevant links will be supplied. 
+ +## No subscriptions found + +If while accessing Windows Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (AAD) used to login the user to the portal, does not have a Windows Defender ATP license. + +Potential reasons: +- The Windows E5 and Office E5 licenses are separate licenses. +- The license was purchased but not provisioned to this AAD instance. + - It could be a license provisioning issue. + - It could be you inadvertently provisioned the license to a different Microsoft AAD than the one used for authentication into the service. + +For both cases you should contact Microsoft support at [General Windows Defender ATP Support](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or +[Volume license support](https://www.microsoft.com/licensing/servicecenter/Help/Contact.aspx). + +![Image of no subscriptions found](images\atp-no-subscriptions-found.png) + +## Your subscription has expired + +If while accessing Windows Defender Security Center you get a **Your subscription has expired** message, your online service subscription has expired. Windows Defender ATP subscription, like any other online service subscription, has an expiration date. + +You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the machine offboarding package, should you choose to not renew the license. + +> [!NOTE] +> For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. 
+ +![Image of subscription expired](images\atp-subscription-expired.png) + +## You are not authorized to access the portal + +If you receive a **You are not authorized to access the portal**, be aware that Windows Defender ATP is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user. +For more information see, [**Assign user access to the portal**](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection). + +![Image of not authorized to access portal](images\atp-not-authorized-to-access-portal.png) + +## Data currently isn't available on some sections of the portal +If the portal dashboard, and other sections show an error message such as "Data currently isn't available": + +![Image of data currently isn't available](images/atp-data-not-available.png) + +You'll need to whitelist the `securitycenter.windows.com` and all sub-domains under it. For example `*.securitycenter.windows.com`. + + +## Portal communication issues +If you encounter issues with accessing the portal, missing data, or restricted access to portions of the portal, you'll need to verify that the following URLs are whitelisted and open for communciation. + +- `*.blob.core.windows.net +crl.microsoft.com` +- `https://*.microsoftonline-p.com` - `https://*.securitycenter.windows.com` - `https://automatediracs-eus-prd.securitycenter.windows.com` - `https://login.microsoftonline.com` - `https://login.windows.net` - `https://onboardingpackagescusprd.blob.core.windows.net` +- `https://secure.aadcdn.microsoftonline-p.com` +- `https://securitycenter.windows.com` - `https://static2.sharepointonline.com` + +## Related topics - [Validate licensing provisioning and complete setup for Windows Defender ATP](licensing-windows-defender-advanced-threat-protection.md) \ No newline at end of file 
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 53bbce16ae..f9e7872493 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- @@ -25,7 +25,7 @@ ms.date: 04/24/2018 - Windows Server 2012 R2 - Windows Server 2016 -[!include[Prerelease information](prerelease.md)] + You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues. This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the machines. diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md index 4d77042ae0..9a63f9dc8b 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 02/13/2018 --- 
@@ -63,9 +63,10 @@ If you encounter an error when trying to get a refresh token when using the thre - For Threat intelligence API: `https://WindowsDefenderATPCustomerTiConnector` 5. Add the following URL: - - For US: `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`. - - For Europe: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback` - + - For the European Union: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback` + - For the United Kingdom: `https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback` + - For the United States: `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`. + 6. Click **Save**. >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md index 6a9a2a8e2f..c6e68b56e5 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Troubleshoot Windows Defender Advanced Threat Protection +title: Troubleshoot Windows Defender Advanced Threat Protection service issues description: Find solutions and work arounds to known issues such as server errors when trying to access the service. keywords: troubleshoot Windows Defender Advanced Threat Protection, troubleshoot Windows ATP, server error, access denied, invalid credentials, no data, dashboard portal, whitelist, event viewer search.product: eADQiWindows 10XVcnh 
@@ -9,30 +9,25 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high -ms.date: 10/23/2017 +ms.localizationpriority: medium +ms.date: 07/30/2018 --- -# Troubleshoot Windows Defender Advanced Threat Protection +# Troubleshoot service issues **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) This section addresses issues that might arise as you use the Windows Defender Advanced Threat service. -### Server error - Access is denied due to invalid credentials +## Server error - Access is denied due to invalid credentials If you encounter a server error when trying to access the service, you’ll need to change your browser cookie settings. Configure your browser to allow cookies. -### Elements or data missing on the portal -If some UI elements or data is missing on the Windows Defender ATP portal it’s possible that proxy settings are blocking it. +## Elements or data missing on the portal +If some UI elements or data is missing on Windows Defender Security Center it’s possible that proxy settings are blocking it. Make sure that `*.securitycenter.windows.com` is included the proxy whitelist. 
@@ -40,17 +35,17 @@ Make sure that `*.securitycenter.windows.com` is included the proxy whitelist. > [!NOTE] > You must use the HTTPS protocol when adding the following endpoints. -### Windows Defender ATP service shows event or error logs in the Event Viewer +## Windows Defender ATP service shows event or error logs in the Event Viewer See the topic [Review events and errors using Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) for a list of event IDs that are reported by the Windows Defender ATP service. The topic also contains troubleshooting steps for event errors. -### Windows Defender ATP service fails to start after a reboot and shows error 577 +## Windows Defender ATP service fails to start after a reboot and shows error 577 If onboarding machines successfully completes but Windows Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy). -#### Known issues with regional formats +## Known issues with regional formats **Date and time formats**
                  There are some known issues with the time and date formats. @@ -70,6 +65,20 @@ Support of use of comma as a separator in numbers are not supported. Regions whe >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink) +## Windows Defender ATP tenant was automatically created in Europe +When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. + + + + + + + + + + + + ## Related topics - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md index a007aefd5d..7ea3ec1258 100644 --- a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Allow a file to be executed in the organization, using Windows Defender Antivirus. @@ -52,7 +52,7 @@ If successful, this method returns 200, Ok response code with empty body, which ## Example -Request +**Request** Here is an example of the request. 
@@ -64,7 +64,7 @@ Content-type: application/json } ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md index e45662c5cd..c0ef9d02f6 100644 --- a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Undo isolation of a machine. @@ -51,7 +51,7 @@ If successful, this method returns 201, Created response code and _MachineAction ## Example -Request +**Request** Here is an example of the request. @@ -63,7 +63,7 @@ Content-type: application/json } ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md index 67c98f2595..4c8788c337 100644 --- a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md 
@@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 12/08/2017 --- @@ -19,7 +19,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + Unrestrict execution of set of predefined applications. @@ -51,7 +51,7 @@ If successful, this method returns 201, Created response code and _MachineAction ## Example -Request +**Request** Here is an example of the request. @@ -64,7 +64,7 @@ Content-type: application/json ``` -Response +**Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md index fca8e3f3ee..b8fed131a5 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 04/24/2018 --- @@ -23,7 +23,7 @@ ms.date: 04/24/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink) 
@@ -36,7 +36,7 @@ You can use the code examples to guide you in creating calls to the custom threa Topic | Description :---|:--- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) | Understand the concepts around threat intelligence so that you can effectively create custom intelligence for your organization. -[Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Set up the custom threat intelligence application through the Windows Defender ATP portal so that you can create custom threat intelligence (TI) using REST API. +[Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Set up the custom threat intelligence application through Windows Defender Security Center so that you can create custom threat intelligence (TI) using REST API. [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) | Create custom threat intelligence alerts so that you can generate specific alerts that are applicable to your organization. [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) | Use the PowerShell code examples to guide you in using the custom threat intelligence API. [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) | Use the Python code examples to guide you in using the custom threat intelligence API. diff --git a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md index bc987d35d2..07cec03da7 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- title: Use the Windows Defender Advanced Threat Protection portal -description: Learn about the features on Windows Defender ATP portal, including how alerts work, and suggestions on how to investigate possible breaches and attacks. +description: Learn about the features on Windows Defender Security Center, including how alerts work, and suggestions on how to investigate possible breaches and attacks. keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate machines, submit files, deep analysis, high, medium, low, severity, ioc, ioa search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 03/12/2018 --- @@ -27,7 +27,7 @@ ms.date: 03/12/2018 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink) -You can use the Windows Defender ATP portal to carry out an end-to-end security breach investigation through the dashboards. +You can use Windows Defender Security Center to carry out an end-to-end security breach investigation through the dashboards. Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network. diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md index 10373e6ddc..07eee21200 100644 --- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- -title: Windows Defender Advanced Threat Protection -description: Windows Defender Advanced Threat Protection is an enterprise security service that helps detect and respond to possible cybersecurity threats related to advanced persistent threats. +title: Windows Defender Advanced Threat Protection +description: Windows Defender Advanced Threat Protection is an enterprise security platform that helps secops to prevent, detect, investigate, and respond to possible cybersecurity threats related to advanced persistent threats. keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence search.product: eADQiWindows 10XVcnh ms.prod: w10 
@@ -10,97 +10,36 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 04/24/2018 +ms.date: 07/12/2018 --- # Windows Defender Advanced Threat Protection **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[!include[Prerelease information](prerelease.md)] + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-main-abovefoldlink) > >For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy). -Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks. +Windows Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. -Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update](https://technet.microsoft.com/en-au/windows/mt782787). +To help you maximize the effectiveness of the security platform, you can configure individual capabilities that surface in Windows Defender Security Center. -Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: - -- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors - collect and process behavioral signals from the operating system - (for example, process, registry, file, and network communications) - and sends this sensor data to your private, isolated, cloud instance of Windows Defender ATP. 
- - -- **Cloud security analytics**: Leveraging big-data, machine-learning, and - unique Microsoft optics across the Windows ecosystem (such as the - [Microsoft Malicious Software Removal Tool](https://www.microsoft.com/en-au/download/malicious-software-removal-tool-details.aspx), - enterprise cloud products (such as Office 365), and online assets - (such as Bing and SmartScreen URL reputation), behavioral signals - are translated into insights, detections, and recommended responses - to advanced threats. - -- **Threat intelligence**: Generated by Microsoft hunters, security teams, - and augmented by threat intelligence provided by partners, threat - intelligence enables Windows Defender ATP to identify attacker - tools, techniques, and procedures, and generate alerts when these - are observed in collected sensor data. - - ![Windows Defender ATP service component](images/components.png) - -Machine investigation capabilities in this service let you drill down -into security alerts and understand the scope and nature of a potential -breach. You can submit files for deep analysis and receive the results -without leaving the [Windows Defender ATP portal](https://securitycenter.windows.com). The automated investigation and remediation capability reduces the volume of alerts by leveraging various inspection algorithms to resolve breaches. - -Windows Defender ATP works with existing Windows security technologies -on machines, such as Windows Defender Antivirus, AppLocker, and Windows Defender Device Guard. It -can also work side-by-side with third-party security solutions and -antimalware products. 
- -Windows Defender ATP leverages Microsoft technology and expertise to -detect sophisticated cyber-attacks, providing: - -- Behavior-based, cloud-powered, advanced attack detection - - Finds the attacks that made it past all other defenses (post breach detection), provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on machines. - -- Rich timeline for forensic investigation and mitigation - - Easily investigate the scope of breach or suspected behaviours on any machine through a rich machine timeline. File, URLs, and network connection inventory across the network. Gain additional insight using deep collection and analysis (“detonation”) for any file or URLs. - -- Built in unique threat intelligence knowledge base - - Unparalleled threat optics provides actor details and intent context for every threat intel-based detection – combining first and third-party intelligence sources. - -- Automated investigation and remediation - - Significantly reduces alert volume by leveraging inspection algorithms used by analysts to examine alerts and take remediation action. +The Windows Defender ATP platform is where all the capabilities that are available across multiple products come together to give security operations teams the ability to effectively manage their organization's network. ## In this section Topic | Description :---|:--- -Get started | Learn about the minimum requirements, validate licensing and complete setup, know about preview features, understand data storage and privacy, and how to assign user access to the portal. -[Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) | Learn about onboarding client, server, and non-Windows machines. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues. 
-[Understand the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md) | Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal. -Investigate and remediate threats | Investigate alerts, machines, and take response actions to remediate threats. -API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from the Windows Defender ATP portal. -Reporting | Create and build Power BI reports using Windows Defender ATP data. -Check service health and sensor state | Verify that the service is running and check the sensor state on machines. -[Configure Windows Defender settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure general settings, turn on the preview experience, notifications, and enable other features. -[Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md) | Access the Windows Defender ATP Community Center to learn, collaborate, and share experiences about the product. -[Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) | This section addresses issues that might arise as you use the Windows Defender Advanced Threat service. -[Windows Defender Antivirus compatibility with Windows Defender ATP](defender-compatibility-windows-defender-advanced-threat-protection.md) | Understand how Windows Defender Antivirus integrates with Windows Defender ATP. +[Windows Defender Security Center](windows-defender-security-center-atp.md) | Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks. 
+[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers. +[Windows Defender Exploit Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard) | Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees. +[Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) | Windows Defender Application Control (WDAC) can help mitigate security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel). +[Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Windows Defender Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. + ## Related topic diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md new file mode 100644 index 0000000000..244a14ea0d --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md 
@@ -0,0 +1,38 @@ +--- +title: Windows Defender Security Center +description: Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection. +keywords: windows, defender, security, center, defender, advanced, threat, protection +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 07/01/2018 +--- + +# Windows Defender Security Center + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks. + +## In this section + +Topic | Description +:---|:--- +Get started | Learn about the minimum requirements, validate licensing and complete setup, know about preview features, understand data storage and privacy, and how to assign user access to the portal. +[Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) | Learn about onboarding client, server, and non-Windows machines. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues. +[Understand the portal](use-windows-defender-advanced-threat-protection.md) | Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal. +Investigate and remediate threats | Investigate alerts, machines, and take response actions to remediate threats. +API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from Windows Defender Security Center. +Reporting | Create and build Power BI reports using Windows Defender ATP data. 
+Check service health and sensor state | Verify that the service is running and check the sensor state on machines. +[Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure general settings, turn on the preview experience, notifications, and enable other features. +[Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md) | Access the Windows Defender ATP Community Center to learn, collaborate, and share experiences about the product. +[Troubleshoot service issues](troubleshoot-windows-defender-advanced-threat-protection.md) | This section addresses issues that might arise as you use the Windows Defender Advanced Threat service. + diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 889d969f79..9f78476437 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -8,10 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 11/30/2017 +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 07/30/2018 --- @@ -21,7 +21,8 @@ ms.date: 11/30/2017 **Applies to:** -- Windows 10, version 1709 (and later) +- Windows 10, version 1709 and later +- Windows Server 2016 - Microsoft Office 365 - Microsoft Office 2016 - Microsoft Office 2013 
@@ -42,7 +43,7 @@ ms.date: 11/30/2017 - Configuration service providers for mobile device management -Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. +Supported in Windows 10 Enterprise E5, Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). @@ -63,8 +64,28 @@ When a rule is triggered, a notification will be displayed from the Action Cente You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack surface reduction would impact your organization if it were enabled. +## Requirements + +Attack surface reduction requires Windows 10 Enterprise E5 and Windows Defender AV real-time protection. + +Windows 10 version | Windows Defender Antivirus +- | - +Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled + ## Attack surface reduction rules +Windows 10, version 1803 has five new Attack surface reduction rules: + +- Block executable files from running unless they meet a prevalence, age, or trusted list criteria +- Use advanced protection against ransomware +- Block credential stealing from the Windows local security authority subsystem (lsass.exe) +- Block process creations originating from PSExec and WMI commands +- Block untrusted and unsigned processes that run from USB + +In addition, the following rule is available for beta testing: + +- Block Office communication applications from creating child processes + The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table: Rule name | GUID 
@@ -76,6 +97,13 @@ Block Office applications from injecting code into other processes | 75668C1F-73 Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25 +Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 +Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 +Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c +Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 +Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version. @@ -101,7 +129,7 @@ This rule blocks the following file types from being run or launched from an ema ### Rule: Block Office applications from creating child processes -Office apps, such as Word or Excel, will not be allowed to create child processes. +Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. 
@@ -147,18 +175,55 @@ Malware can use macro code in Office files to import and load Win32 DLLs, which This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. +### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria + +This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list: + +- Executable files (such as .exe, .dll, or .scr) +>[!NOTE] +>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. + +### Rule: Use advanced protection against ransomware + +This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list. -## Requirements +>[!NOTE] +>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. + +### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe) + +Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). 
In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. -The following requirements must be met before Attack surface reduction will work: +>[!IMPORTANT] +>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). + + >[!NOTE] + >Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat. -Windows 10 version | Windows Defender Antivirus -- | - -Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled +### Rule: Block process creations originating from PSExec and WMI commands + +This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks. +>[!WARNING] +>[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly.] + +### Rule: Block untrusted and unsigned processes that run from USB + +With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. 
Blocked file types include: + +- Executable files (such as .exe, .dll, or .scr) +- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) +### Rule: Block Office communication applications from creating child processes (available for beta testing) +Office communication apps will not be allowed to create child processes. This includes Outlook. + +This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. + +### Rule: Block Adobe Reader from creating child processes (available for beta testing) + +This rule blocks Adobe Reader from creating child processes. ## Review Attack surface reduction events in Windows Event Viewer diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index f3646e3018..989c432d1b 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md @@ -8,10 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 12/12/2017 +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 05/30/2018 --- @@ -19,7 +19,8 @@ ms.date: 12/12/2017 **Applies to:** -- Windows 10, version 1709 +- Windows 10, version 1709 and later +- Windows Server 2016 diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md index f63116481c..21cec1e41c 100644 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md @@ -9,16 +9,17 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 12/12/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 05/30/2018 --- # Collect diagnostic data for Windows Defender Exploit Guard file submissions **Applies to:** -- Windows 10, version 1709 +- Windows 10, version 1709 and later +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index 88eeed502e..852398e010 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md @@ -8,10 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 11/20/2017 +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 05/30/2018 --- @@ -21,8 +21,8 @@ ms.date: 11/20/2017 **Applies to:** -- Windows 10, version 1709 - +- Windows 10, version 1709 and later +- Windows Server 2016 **Audience** 
@@ -51,7 +51,7 @@ All apps (any executable file, including .exe, .scr, .dll files and others) are This is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. -A notification will appear on the machine where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. +A notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. 
@@ -61,11 +61,9 @@ As with other features of Windows Defender Exploit Guard, you can use [audit mod ## Requirements -The following requirements must be met before Controlled folder access will work: - Windows 10 version | Windows Defender Antivirus -|- -Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled +Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled ## Review Controlled folder access events in Windows Event Viewer diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index b046ee873b..d3fdfd801d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -8,18 +8,18 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 11/09/2017 +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 07/30/2018 --- # Customize Attack surface reduction **Applies to:** -- Windows 10 Enterprise edition, version 1709 or higher - +- Windows 10 Enterprise edition, version 1709 and later +- Windows Server 2016 **Audience** 
@@ -35,7 +35,7 @@ ms.date: 11/09/2017 - Configuration service providers for mobile device management -Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. +Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This topic describes how to customize Attack surface reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. 
@@ -48,12 +48,14 @@ You can exclude files and folders from being evaluated by most Attack surface re This could potentially allow unsafe files to run and infect your devices. >[!WARNING] ->Excluding files or folders can severly reduce the protection provided by Attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. +>Excluding files or folders can severely reduce the protection provided by Attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. > >If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules). You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode) and that allow exclusions. +Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). + Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe. >[!IMPORTANT] 
@@ -69,6 +71,14 @@ Block Office applications from creating executable content | [!include[Check mar Block Office applications from injecting code into other processes | [!include[Check mark no](images/svg/check-no.svg)] | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Block JavaScript or VBScript from launching downloaded executable content | [!include[Check mark no](images/svg/check-no.svg)] | D3E037E1-3EB8-44C8-A917-57927947596D Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 +Block executable files from running unless they meet a prevalence, age, or trusted list criteria | [!include[Check mark yes](images/svg/check-yes.svg)] | 01443614-cd74-433a-b99e-2ecdc07bfc25 +Use advanced protection against ransomware | [!include[Check mark yes](images/svg/check-yes.svg)] | c1db55ab-c21a-4637-bb3f-a12568109d35 +Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 +Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c +Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 +Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Adobe Reader from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c + See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. 
@@ -77,9 +87,7 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index ac6af59799..1c626d7c8f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -8,10 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 10/18/2017 +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 05/30/2018 --- @@ -21,8 +21,8 @@ ms.date: 10/18/2017 **Applies to:** -- Windows 10, version 1709 - +- Windows 10, version 1709 and later +- Windows Server 2016 **Audience** 
@@ -46,7 +46,7 @@ This topic describes how to customize the following settings of the Controlled f - [Add apps that should be allowed to access protected folders](#allow-specifc-apps-to-make-changes-to-controlled-folders) >[!WARNING] ->Controlled folder access is a new technology that monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files. +>Controlled folder access monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files. > >This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender-exploit-guard.md) to fully assess the feature's impact. @@ -59,7 +59,8 @@ You can add additional folders to be protected, but you cannot remove the defaul Adding other folders to Controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults. -You can also enter network shares and mapped drives, but environment variables and wildcards are not supported. +You can also enter network shares and mapped drives. Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). + You can use the Windows Defender Security Center app or Group Policy to add and remove additional protected folders. 
@@ -67,10 +68,8 @@ You can use the Windows Defender Security Center app or Group Policy to add and 1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**: - ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png) - 3. Under the **Controlled folder access** section, click **Protected folders** 4. Click **Add a protected folder** and follow the prompts to add apps. 
@@ -82,16 +81,14 @@ You can use the Windows Defender Security Center app or Group Policy to add and 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**. 6. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder. -> [!IMPORTANT] -> Environment variables and wildcards are not supported. +> [!NOTE] +> Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). ### Use PowerShell to protect additional folders 
@@ -136,10 +133,8 @@ When you add an app, you have to specify the app's location. Only the app in tha 1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**. - ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png) - 3. Under the **Controlled folder access** section, click **Allow an app through Controlled folder access** 4. Click **Add an allowed app** and follow the prompts to add apps. @@ -150,9 +145,7 @@ When you add an app, you have to specify the app's location. Only the app in tha 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index 2da04a15b8..d26e9872e6 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md 
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md @@ -8,18 +8,18 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 12/12/2017 +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 05/30/2018 --- # Customize Exploit protection **Applies to:** -- Windows 10, version 1709 - +- Windows 10, version 1709 and later +- Windows Server 2016 **Audience** @@ -127,10 +127,8 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi 1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection** label: - - ![App & browser control screen in the Windows Defender Security Center](images/wdsc-exp-prot.png) - +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. + 3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section 
@@ -154,11 +152,8 @@ Exporting the configuration as an XML file allows you to copy the configuration 1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection settings** at the bottom of the screen: +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings** at the bottom of the screen. - ![Screenshot showing the Exploit protection label highlighted in the Windows Defender Security Center App & browser settings section](images/wdsc-exp-prot.png) - - 3. Go to the **Program settings** section and choose the app you want to apply mitigations to: 1. If the app you want to configure is already listed, click it and then click **Edit** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md index 6c15c1d3d2..bb57a23872 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md @@ -8,10 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 12/12/2017 +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 04/30/2018 --- @@ -21,7 +21,7 @@ ms.date: 12/12/2017 **Applies to:** -- Windows 10, version 1709 +- Windows 10, version 1709 and later - Enhanced Mitigation Experience Toolkit version 5.5 (latest version) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index aafca3a295..59f434e325 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -8,10 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 11/09/2017 +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 07/30/2018 --- @@ -20,8 +20,8 @@ ms.date: 11/09/2017 **Applies to:** -- Windows 10 Enterprise edition, version 1709 or higher - +- Windows 10, version 1709 and later +- Windows Server 2016 **Audience** @@ -36,7 +36,7 @@ ms.date: 11/09/2017 - Configuration service providers for mobile device management -Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. +Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. 
@@ -59,6 +59,13 @@ Block Office applications from injecting code into other processes | 75668C1F-73 Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25 +Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 +Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 +Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c +Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 +Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. 
@@ -67,9 +74,7 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 9cf38c9042..67697f589e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -8,10 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/17/2018 +ms.date: 05/30/2018 --- @@ -22,7 +22,7 @@ ms.date: 04/17/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** 
@@ -64,21 +64,16 @@ For further details on how audit mode works, and when you might want to use it, 1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**. - ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png) - -3. Set the switch for the feature to **On** +3. Set the switch for **Controlled folder access** to **On**. - ![Screenshot of the CFA feature switched to On](images/cfa-on.png) ### Use Group Policy to enable Controlled folder access 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index 1f24f048fe..584b3b2e8a 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md 
@@ -8,10 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 12/12/2017 +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 05/30/2018 --- @@ -21,8 +21,8 @@ ms.date: 12/12/2017 **Applies to:** -- Windows 10, version 1709 - +- Windows 10, version 1709 and later +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index c7bf57924e..2d33ef5980 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -8,10 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 10/16/2017 +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 05/30/2018 --- @@ -20,8 +20,8 @@ ms.date: 10/16/2017 **Applies to:** -- Windows 10 Enterprise edition, version 1709 or higher - +- Windows 10, version 1709 and later +- Windows Server 2016 **Audience** 
@@ -36,7 +36,7 @@ ms.date: 10/16/2017 - Configuration service providers for mobile device management -Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +Supported in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. This topic describes how to enable Network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM). @@ -53,9 +53,7 @@ For background information on how audit mode works, and when you might want to u 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network protection**. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md index 354c6831e1..8f8c0175e4 100644 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -3,7 +3,7 @@ title: Enable virtualization-based protection of code integrity description: This article explains the steps to opt in to using HVCI on Windows devices. ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium ms.author: justinha author: brianlic-msft ms.date: 04/19/2018 diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index a5bc5791c2..3785af890d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -8,10 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 11/20/2017 +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 05/30/2018 --- @@ -19,8 +19,8 @@ ms.date: 11/20/2017 **Applies to:** -- Windows 10 Enterprise edition, version 1709 or higher - +- Windows 10, version 1709 and later +- Windows Server 2016 **Audience** 
@@ -37,7 +37,7 @@ ms.date: 11/20/2017 -Attack surface reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md). +Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md). This topic helps you evaluate Attack surface reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md index 9768e44f92..56695c3814 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md @@ -8,10 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 11/20/2017 +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 05/30/2018 --- @@ -19,8 +19,8 @@ ms.date: 11/20/2017 **Applies to:** -- Windows 10, version 1709 - +- Windows 10, version 1709 and later +- Windows Server 2016 **Audience** 
@@ -100,6 +100,8 @@ Event ID | Description 5007 | Event when settings are changed 1124 | Audited Controlled folder access event 1123 | Blocked Controlled folder access event +1127 | Blocked Controlled folder access sector write block event +1128 | Audited Controlled folder access sector write block event ## Use audit mode to measure impact diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index b2ee7653e1..499c186d35 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md @@ -8,10 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 11/20/2017 +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 05/30/2018 --- @@ -20,8 +20,8 @@ ms.date: 11/20/2017 **Applies to:** -- Windows 10, version 1709 - +- Windows 10, version 1709 and later +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index 74ed3c6f01..1f004b79b7 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -8,10 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 11/20/2017 +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 05/30/2018 --- # Evaluate Network protection 
@@ -20,8 +20,8 @@ ms.date: 11/20/2017 **Applies to:** -- Windows 10 Enterprise edition, version 1709 or higher - +- Windows 10 Enterprise edition, version 1709 or later +- Windows Server 2016 **Audience** @@ -36,7 +36,7 @@ ms.date: 11/20/2017 -Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). +Supported in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md index 3fc73670a4..958158f7f6 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md @@ -8,10 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 11/20/2017 +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 05/30/2018 --- @@ -21,8 +21,8 @@ ms.date: 11/20/2017 **Applies to:** -- Windows 10, version 1709 - +- Windows 10, version 1709 and later +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index 687dea2866..f070b8407e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md 
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -8,11 +8,11 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -ms.date: 12/12/2017 -localizationpriority: medium -author: iaanw -ms.author: iawilt - +ms.date: 04/16/2018 +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 05/30/2018 --- @@ -21,8 +21,8 @@ ms.author: iawilt **Applies to:** -- Windows 10, version 1709 - +- Windows 10, version 1709 and later +- Windows Server 2016 **Audience** @@ -190,6 +190,8 @@ Network protection | Windows Defender (Operational) | 1126 | Event when Network Controlled folder access | Windows Defender (Operational) | 5007 | Event when settings are changed Controlled folder access | Windows Defender (Operational) | 1124 | Audited Controlled folder access event Controlled folder access | Windows Defender (Operational) | 1123 | Blocked Controlled folder access event +Controlled folder access | Windows Defender (Operational) | 1127 | Blocked Controlled folder access sector write block event +Controlled folder access | Windows Defender (Operational) | 1128 | Audited Controlled folder access sector write block event Attack surface reduction | Windows Defender (Operational) | 5007 | Event when settings are changed Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index a260bf90d4..64d6627554 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md 
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -8,10 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 12/12/2017 +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 05/30/2018 --- @@ -21,8 +21,8 @@ ms.date: 12/12/2017 **Applies to:** -- Windows 10, version 1709 - +- Windows 10, version 1709 and later +- Windows Server 2016 **Audience** @@ -63,11 +63,9 @@ Exploit protection works best with [Windows Defender Advanced Threat Protection] ## Requirements -The following requirements must be met before Exploit protection will work: - Windows 10 version | Windows Defender Advanced Threat Protection -|- -Insider Preview build 16232 or later (dated July 1, 2017 or later) | For full reporting you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md) +Windows 10 version 1709 or later | For full reporting, you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md) ## Review Exploit protection events in Windows Event Viewer diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png index d8f0ccffab..f8d3056d80 100644 Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png and b/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md index 1809487c8d..77b9114470 100644 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md @@ -8,10 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 11/30/2017 +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 04/30/2018 --- @@ -21,7 +21,7 @@ ms.date: 11/30/2017 **Applies to:** -- Windows 10, version 1709 +- Windows 10, version 1709 and later @@ -164,9 +164,7 @@ You can use Group Policy to deploy the configuration you've created to multiple 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Exploit Guard > Exploit protection**. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md index 06270361cd..7ac4ae1438 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw ms.author: iawilt ms.date: 02/20/2018 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md index 16b940a5e4..df6a6b9037 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md @@ -8,10 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 11/20/2017 +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 05/30/2018 --- @@ -20,8 +20,8 @@ ms.date: 11/20/2017 **Applies to:** -- Windows 10 Enterprise edition, version 1709 or higher - +- Windows 10, version 1709 or higher +- Windows Server 2016 **Audience** @@ -36,7 +36,7 @@ ms.date: 11/20/2017 - Configuration service providers for mobile device management -Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +Supported in Windows 10 Enterprise, Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). 
@@ -56,11 +56,11 @@ You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evalua ## Requirements -The following requirements must be met before Network protection will work: +Network protection requires Windows 10 Enterprise E3 and Windows Defender AV real-time protection. Windows 10 version | Windows Defender Antivirus - | - -Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled +Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled ## Review Network protection events in Windows Event Viewer diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index 61166e5854..71dea75d8e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md 
@@ -4,7 +4,7 @@ description: To help you plan a deployment of Microsoft Windows Defender Device keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium author: brianlic-msft ms.date: 10/20/2017 --- diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md index 32d8680ec1..412c817281 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md @@ -9,16 +9,17 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 12/12/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 05/17/2018 --- # Troubleshoot Attack surface reduction rules **Applies to:** -- Windows 10 Enterprise edition, version 1709 or higher +- Windows 10, version 1709 or higher +- Windows Server 2016 **Audience** 
@@ -45,7 +46,7 @@ There are four steps to troubleshooting these problems: Attack surface reduction (ASR) will only work on devices with the following conditions: >[!div class="checklist"] -> - Endpoints are running Windows 10 Enterprise edition, version 1709 (also known as the Fall Creators Update). +> - Endpoints are running Windows 10 Enterprise E5, version 1709 (also known as the Fall Creators Update). > - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. > - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md index eb71a22518..8410be06b9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md @@ -8,10 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 01/31/18 +ms.date: 05/30/2018 --- @@ -21,8 +21,8 @@ ms.date: 01/31/18 **Applies to:** -- Windows 10, version 1709 - +- Windows 10, version 1709 and later +- Windows Server 2016 **Audience** 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md index 2cbe2f1f1e..2b7764fdb5 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md @@ -9,16 +9,16 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 12/12/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 05/17/2018 --- # Troubleshoot Network protection **Applies to:** -- Windows 10 Enterprise edition, version 1709 or higher +- Windows 10, version 1709 or higher **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index eac14b3d74..90ebc28935 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md @@ -8,10 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 12/12/2017 +ms.date: 08/08/2018 --- @@ -21,8 +21,8 @@ ms.date: 12/12/2017 **Applies to:** -- Windows 10, version 1709 - +- Windows 10, version 1709 and later +- Windows Server 2016 **Audience** 
@@ -38,6 +38,10 @@ There are four features in Windows Defender EG: - [Network protection](network-protection-exploit-guard.md) extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices. Requires Windows Defender AV. - [Controlled folder access](controlled-folders-exploit-guard.md) helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV. +Windows 10, version 1803 provides additional protections: + +- New Attack surface reduction rules +- Controlled folder access can now block disk sectors You can evaluate each feature of Windows Defender EG with the guides at the following link, which provide pre-built PowerShell scripts and testing tools so you can see the features in action: - [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) 
@@ -49,39 +53,39 @@ You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for th >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how each of them work. Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies, which also includes: -- [The Windows Defender ATP console](../windows-defender-atp/windows-defender-advanced-threat-protection.md) +- [Windows Defender Security Center](../windows-defender-atp/windows-defender-security-center-atp.md) - [Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) -- [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) -- Windows Defender Device Guard +- [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md) - [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md) You can use the Windows Defender ATP console to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works. ## Requirements -Each of the features in Windows Defender EG have slightly different requirements: +This section covers requirements for each feature in Windows Defender EG. 
+ +| Symbol | Support | +|--------|---------| +| ![not supported](./images/ball_empty.png) | Not supported | +| ![supported](./images/ball_50.png) | Supported | +| ![supported, full reporting](./images/ball_full.png) | Recommended. Includes full, automated reporting into the Windows Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an Attack surface reduction rule that blocks executable files that meet age or prevalence criteria.| + | Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 | | ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: | -| Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_75.png) | ![supported, full reporting](./images/ball_full.png) | +| Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | | Attack surface reduction | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, full reporting](./images/ball_full.png) | | Network protection | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | | Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | -> [!NOTE] -> ![supported, enhanced](./images/ball_75.png) Exploit Protection - On Windows 10 E3, 
includes advanced exploit protection for the kernel mode via [HVCI] (https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity).
                  -> ![supported, full reporting](./images/ball_full.png) On Windows 10 E5, includes automated reporting into the Windows Defender ATP console. +The following table lists which features in Windows Defender EG require enabling [real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) from Windows Defender Antivirus. - -| Feature | [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) +| Feature | Real-time protection | |-----------------| ------------------------------------ | | Exploit protection | No requirement | -| Attack surface reduction | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | -| Network protection | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | -| Controlled folder access | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | - -> [!NOTE] -> Each feature's requirements are further described in the individual topics in this library. +| Attack surface reduction | Must be enabled | +| Network protection | Must be enabled | +| Controlled folder access | Must be enabled | ## In this library diff --git a/windows/security/threat-protection/windows-defender-security-center/TOC.md b/windows/security/threat-protection/windows-defender-security-center/TOC.md index 1bb541cc85..92d6f70f01 100644 --- a/windows/security/threat-protection/windows-defender-security-center/TOC.md +++ b/windows/security/threat-protection/windows-defender-security-center/TOC.md 
@@ -3,9 +3,13 @@ ## [Customize the Windows Defender Security Center app for your organization](wdsc-customize-contact-information.md) ## [Hide Windows Defender Security Center app notifications](wdsc-hide-notifications.md) +## [Manage Windows Defender Security Center in Windows 10 in S mode](wdsc-windows-10-in-s-mode.md) ## [Virus and threat protection](wdsc-virus-threat-protection.md) -## [Device performance and health](wdsc-device-performance-health.md) +## [Account protection](wdsc-account-protection.md) ## [Firewall and network protection](wdsc-firewall-network-protection.md) ## [App and browser control](wdsc-app-browser-control.md) +## [Device security](wdsc-device-security.md) +## [Device performance and health](wdsc-device-performance-health.md) ## [Family options](wdsc-family-options.md) + diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png index ea5b039dd9..bf7a3e3910 100644 Binary files a/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png and b/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png differ diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-home.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-home.png index 601b2a32b8..13d6f59afc 100644 Binary files a/windows/security/threat-protection/windows-defender-security-center/images/security-center-home.png and b/windows/security/threat-protection/windows-defender-security-center/images/security-center-home.png differ 
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-taskbar.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-taskbar.png
index a35daeb1f4..0d1acbe82c 100644
Binary files a/windows/security/threat-protection/windows-defender-security-center/images/security-center-taskbar.png and b/windows/security/threat-protection/windows-defender-security-center/images/security-center-taskbar.png differ
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png
new file mode 100644
index 0000000000..abf5a30659
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-security-center/images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png differ
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/settings-windows-defender-security-center-areas.PNG b/windows/security/threat-protection/windows-defender-security-center/images/settings-windows-defender-security-center-areas.PNG
new file mode 100644
index 0000000000..ab123cc49b
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-security-center/images/settings-windows-defender-security-center-areas.PNG differ
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
new file mode 100644
index 0000000000..4dad649653
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
@@ -0,0 +1,58 @@
+---
+title: Account protection in the Windows Defender Security Center app
+description: Use the Account protection section to manage security for your account and sign in to Microsoft.
+keywords: account protection, wdav, smartscreen, antivirus, wdsc, exploit, protection, hide
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 04/30/2018
+---
+
+
+# Account protection
+
+**Applies to**
+
+- Windows 10, version 1803 and later
+
+
+The **Account protection** section contains information and settings for account protection and sign in. IT administrators and IT pros can get more information and documentation about configuration from the following:
+
+- [Microsoft Account](https://account.microsoft.com/account/faq)
+- [Windows Hello for Business](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification)
+- [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/en-us/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from)
+
+You can also choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
+
+
+## Hide the Account protection section
+
+You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app.
+
+This can only be done in Group Policy.
+
+>[!IMPORTANT]
+>### Requirements
+>
+>You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+ +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Security Center > Account protection**. + +6. Open the **Hide the Account protection area** setting and set it to **Enabled**. Click **OK**. + +7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). + +>[!NOTE] +>If you hide all sections then the app will show a restricted interface, as in the following screenshot: +> +>![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md index 4bc78122e2..aa52a93e41 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 10/16/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/30/2018 --- 
@@ -24,7 +24,7 @@ ms.date: 10/16/2017 The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview). -In Windows 10, version 1709, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at the [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) topic in the Windows Defender Exploit Guard library. +In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at the [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) topic in the Windows Defender Exploit Guard library. You can also choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. 
@@ -38,13 +38,11 @@ You can only prevent users from modifying Exploit protection settings by using G >[!IMPORTANT] >### Requirements > ->You must have Windows 10, version 1709 (the Fall Creators Update). The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +>You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Security Center > App and browser protection**. @@ -65,9 +63,7 @@ This can only be done in Group Policy. 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Security Center > App and browser protection**. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md index 5bd67138c3..b528a224eb 100644 
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md @@ -9,16 +9,16 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 10/16/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/30/2018 --- # Customize the Windows Defender Security Center app for your organization **Applies to** -- Windows 10, version 1709 +- Windows 10, version 1709 and later **Audience** @@ -44,7 +44,7 @@ Users can click on the displayed information to initiate a support request: ## Requirements -You must have Windows 10, version 1709 (the Fall Creators Update). The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. ## Use Group Policy to enable and customize contact information @@ -54,9 +54,7 @@ This can only be done in Group Policy. 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Security Center > Enterprise Customization**. 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md index 088e882a0f..67d58174c1 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 10/16/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/30/2018 --- @@ -27,7 +27,7 @@ The **Device performance & health** section contains information about hardware, The [Windows 10 IT pro troubleshooting topic](https://docs.microsoft.com/en-us/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](https://docs.microsoft.com/en-us/windows/windows-10/) can also be helpful for resolving issues. -In Windows 10, version 1709, the section can be hidden from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. +In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. ## Hide the Device performance & health section 
@@ -39,13 +39,11 @@ This can only be done in Group Policy. >[!IMPORTANT] >### Requirements > ->You must have Windows 10, version 1709 (the Fall Creators Update). The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +>You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Security Center > Device performance and health**. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md new file mode 100644 index 0000000000..64af9bb9d8 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md 
@@ -0,0 +1,54 @@
+---
+title: Device security in the Windows Defender Security Center app
+description: Use the Device security section to manage security built into your device, including virtualization-based security.
+keywords: device security, device guard, wdav, smartscreen, antivirus, wdsc, exploit, protection, hide
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 04/30/2018
+---
+
+
+# Device security
+
+**Applies to**
+
+- Windows 10, version 1803 and later
+
+
+The **Device security** section contains information and settings for built-in device security.
+
+You can choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
+
+
+## Hide the Device security section
+
+You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app.
+
+This can only be done in Group Policy.
+
+>[!IMPORTANT]
+>### Requirements
+>
+>You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Security Center > Device security**.
+
+6. 
Open the **Hide the Device security area** setting and set it to **Enabled**. Click **OK**. + +7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). + +>[!NOTE] +>If you hide all sections then the app will show a restricted interface, as in the following screenshot: +> +>![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md index 14ba41602f..47bf08fc3f 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 10/16/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/30/2018 --- 
@@ -38,13 +38,11 @@ This can only be done in Group Policy. >[!IMPORTANT] >### Requirements > ->You must have Windows 10, version 1709 (the Fall Creators Update). The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +>You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Security Center > Family options**. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md index 66e975a809..4986db4e3e 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 10/16/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/30/2018 --- 
@@ -24,7 +24,7 @@ ms.date: 10/16/2017 The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). -In Windows 10, version 1709, the section can be hidden from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. +In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. ## Hide the Firewall & network protection section 
@@ -36,13 +36,11 @@ This can only be done in Group Policy. >[!IMPORTANT] >### Requirements > ->You must have Windows 10, version 1709 (the Fall Creators Update). The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +>You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Security Center > Firewall and network protection**. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 007e09586d..551ce1779b 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -9,16 +9,16 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 10/16/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/30/2018 --- # Hide Windows Defender Security Center app notifications **Applies to** -- Windows 10, version 1709 +- Windows 10, version 1709 and later **Audience** 
@@ -52,13 +52,11 @@ This can only be done in Group Policy. >[!IMPORTANT] >### Requirements > ->You must have Windows 10, version 1709 (the Fall Creators Update). The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +>You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Security Center > Notifications**. @@ -76,13 +74,11 @@ This can only be done in Group Policy. >[!IMPORTANT] >### Requirements > ->You must have Windows 10, version 1709 (the Fall Creators Update). The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +>You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Security Center > Notifications**. 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md index 1346ef4193..5d7d2ce96b 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 10/16/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/30/2018 --- 
@@ -22,14 +22,20 @@ ms.date: 10/16/2017 - Windows 10, version 1703 and later -The **Virus & threat protection** section contains information and settings for antivirus protection from Windows Defender Antivirus and third-party AV products. IT administrators and IT pros can get more information and documentation about configuration from the following: +The **Virus & threat protection** section contains information and settings for antivirus protection from Windows Defender Antivirus and third-party AV products. + +In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. This includes Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions in the event of a ransomware attack. + +IT administrators and IT pros can get more information and documentation about configuration from the following: - [Windows Defender Antivirus in the Windows Defender Security Center app](../windows-defender-antivirus/windows-defender-security-center-antivirus.md) - [Windows Defender Antivirus documentation library](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) +- [Protect important folders with Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard) +- [Defend yourself from cybercrime with new Office 365 capabilities](https://blogs.office.com/en-us/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/) +- [Office 365 advanced protection](https://support.office.com/en-us/article/office-365-advanced-protection-82e72640-39be-4dc7-8efd-740fb289123a) +- [Ransomware detection and recovering your 
files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US) -In Windows 10, version 1709, the section also provides configuration options for Controlled folder access. IT administrators can get more information at the [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md) topic in the Windows Defender Exploit Guard library. - -You can also choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. +You can choose to hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. ## Hide the Virus & threat protection section 
@@ -41,13 +47,11 @@ This can only be done in Group Policy. >[!IMPORTANT] >### Requirements > ->You must have Windows 10, version 1709 (the Fall Creators Update). The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +>You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender Security Center > Virus and threat protection**. 
@@ -58,4 +62,25 @@ This can only be done in Group Policy.
 >[!NOTE]
 >If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >
->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
\ No newline at end of file
+>![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
+
+## Hide the Ransomware protection area
+
+You can choose to hide the **Ransomware protection** area by using Group Policy. The area will not appear on the **Virus & threat protection** section of the Windows Defender Security Center app.
+
+This can only be done in Group Policy.
+
+>[!IMPORTANT]
+>### Requirements
+>
+>You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Security Center > Virus and threat protection**.
+
+6. Open the **Hide the Ransomware data recovery area** setting and set it to **Enabled**. Click **OK**.
+
+7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx).
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
new file mode 100644
index 0000000000..a4423252ca
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
@@ -0,0 +1,44 @@
+---
+title: Manage Windows Defender Security Center in Windows 10 in S mode
+description: Windows Defender Security Center settings are different in Windows 10 in S mode
+keywords: windows 10 in s mode, windows 10 s, windows 10 s mode, wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 04/30/2018
+---
+
+# Manage Windows Defender Security Center in Windows 10 in S mode
+
+**Applies to**
+
+- Windows 10 in S mode, version 1803
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Microsoft Intune
+
+Windows 10 in S mode is streamlined for tighter security and superior performance. With Windows 10 in S mode, users can only use apps from the Microsoft Store, ensuring Microsoft-verified security so you can minimize malware attacks. In addition, using Microsoft Edge provides a more secure browser experience, with extra protections against phishing and malicious software.
+
+The Windows Defender Security Center interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically.
+ +![Screen shot of the Windows Defender Security Center app Virus & threat protection area in Windows 10 in S mode](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png) + +For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](https://docs.microsoft.com/en-us/windows/deployment/windows-10-pro-in-s-mode). + +##Managing Windows Defender Security Center settings with Intune + +In the enterprise, you can only manage security settings for devices running Windows 10 in S mode with Microsoft Intune or other mobile device management apps. Windows 10 in S mode prevents making changes via PowerShell scripts. + +For information about using Intune to manage Windows Defender Security Center settings on your organization's devices, see [Set up Intune](https://docs.microsoft.com/en-us/intune/setup-steps) and [Endpoint protection settings for Windows 10 (and later) in Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10). + diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index 75d70268f2..c98c737aad 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/11/2018 +ms.date: 04/30/2018 --- 
@@ -27,7 +27,9 @@ ms.date: 04/11/2018 -In Windows 10, version 1703 we introduced the new Windows Defender Security Center app, which brings together common Windows security features into one app. Many settings that were previously part of the individual features and main Windows Settings have been combined and moved to the new app, which is installed out-of-the-box as part of Windows 10, version 1703. +In Windows 10, version 1709 and later, the app also shows information from third-party antivirus and firewall apps. + +In Windows 10, version 1803, the app has two new areas, **Account protection** and **Device security**. ![Screen shot of the Windows Defender Security Center app showing that the device is protected and five icons for each of the features](images/security-center-home.png) 
@@ -54,11 +56,13 @@ You can't uninstall the Windows Defender Security Center app, but you can do one You can find more information about each section, including options for configuring the sections - such as hiding each of the sections - at the following topics: -- [Virus & threat protection](wdsc-virus-threat-protection.md), which has information and access to antivirus settings and the Controlled folder access feature of Windows Defender Exploit Guard -- [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues -- [Firewall & network protection](wdsc-firewall-network-protection.md), which has information and access to firewall settings, including Windows Defender Firewall -- [App & browser control](wdsc-app-browser-control.md), covering Windows Defender SmartScreen settings and Exploit protection mitigations -- [Family options](wdsc-family-options.md), which includes access to parental controls along with tips and information for keeping kids safe online +- [Virus & threat protection](wdsc-virus-threat-protection.md), which has information and access to antivirus ransomware protection settings and notifications, including the Controlled folder access feature of Windows Defender Exploit Guard and sign-in to Microsoft OneDrive. +- [Account protection](wdsc-account-protection.md), which has information and access to sign-in and account protection settings. +- [Firewall & network protection](wdsc-firewall-network-protection.md), which has information and access to firewall settings, including Windows Defender Firewall. +- [App & browser control](wdsc-app-browser-control.md), covering Windows Defender SmartScreen settings and Exploit protection mitigations. +- [Device security](wdsc-device-security.md), which provides access to built-in device security settings. 
+- [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues. +- [Family options](wdsc-family-options.md), which includes access to parental controls along with tips and information for keeping kids safe online. >[!NOTE] @@ -71,12 +75,15 @@ You can find more information about each section, including options for configur ## Open the Windows Defender Security Center app -- Right-click the icon in the notification area on the taskbar and click **Open**. +- Click the icon in the notification area on the taskbar. ![Screen shot of the icon for the Windows Defender Security Center app on the Windows task bar](images/security-center-taskbar.png) - Search the Start menu for **Windows Defender Security Center**. ![Screen shot of the Start menu showing the results of a search for the Windows Defender Security Center app, the first option with a large shield symbol is selected](images/security-center-start-menu.png) +- Open an area from Windows **Settings**. + + ![Screen shot of Windows Settings showing the different areas available in the Windows Defender Security Center](images/settings-windows-defender-security-center-areas.png) > [!NOTE] diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md index 9bffa0146b..ef1582c6fa 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md 
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: jasongerend -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 1/26/2018 --- # Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md index e5b587a7fe..bc843023a7 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md @@ -6,8 +6,8 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: eross-msft -ms.localizationpriority: high +author: justinha +ms.localizationpriority: medium ms.date: 07/27/2017 --- diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md index 508f23802e..11e79cb879 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md @@ -6,8 +6,8 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: eross-msft -ms.localizationpriority: high +author: justinha +ms.localizationpriority: medium ms.date: 10/13/2017 --- 
@@ -28,8 +28,6 @@ Starting with Windows 10, version 1703 your employees can use Windows Defender S **To use Windows Defender Security Center to set up Windows Defender SmartScreen on a device** 1. Open the Windows Defender Security Center app, and then click **App & browser control**. - ![Windows Defender Security Center](images/windows-defender-security-center.png) - 2. In the **App & browser control** screen, choose from the following options: - In the **Check apps and files** area: diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md index 5f0da685dd..acd9ab7b9e 100644 --- a/windows/security/threat-protection/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-baselines.md @@ -1,16 +1,16 @@ --- -title: Windows Security Baselines -description: This article, and the articles it links to, describe how to use Windows Security Baselines in your organization +title: Windows security baselines +description: This article, and the articles it links to, describe how to use Windows security baselines in your organization keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium ms.author: sagaudre author: brianlic-msft -ms.date: 10/31/2017 +ms.date: 06/25/2018 --- -# Windows Security Baselines +# Windows security baselines **Applies to** diff --git a/windows/security/wdatp/images/WDATP-components.png b/windows/security/wdatp/images/WDATP-components.png new file mode 100644 index 0000000000..51f4335265 Binary files /dev/null and b/windows/security/wdatp/images/WDATP-components.png differ diff --git a/windows/security/wdatp/images/wdatp-pillars.png b/windows/security/wdatp/images/wdatp-pillars.png new file mode 100644 index 0000000000..06ad5e6ed2 Binary files /dev/null and b/windows/security/wdatp/images/wdatp-pillars.png differ 
diff --git a/windows/security/wdatp/images/wdatp-pillars2.png b/windows/security/wdatp/images/wdatp-pillars2.png new file mode 100644 index 0000000000..bbe88f3638 Binary files /dev/null and b/windows/security/wdatp/images/wdatp-pillars2.png differ diff --git a/windows/security/wdatp/index.md b/windows/security/wdatp/index.md new file mode 100644 index 0000000000..cb401fa3e4 --- /dev/null +++ b/windows/security/wdatp/index.md @@ -0,0 +1,48 @@ +--- +title: Windows Defender Advanced Threat Protection +description: Windows Defender Advanced Threat Protection is an enterprise security service that helps detect and respond to possible cybersecurity threats related to advanced persistent threats. +keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.date: 06/04/2018 +--- + +# Windows Defender Advanced Threat Protection + +Windows Defender Advanced Threat Protection (Windows Defender ATP)is a unified platform for preventative protection, post-breach detection, automated investigation and response, employing intelligent protection to protect endpoints from cyber threats. + + +![Windows Defender ATP components](images/wdatp-pillars2.png) + +**Attack surface reduction**
                  +The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. + +**Next generation protection**
                  +To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats. + +**Endpoint detection and response**
                  +Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. + +**Auto investigation and remediation**
                  +In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. + +**Security posture**
                  +Windows Defender ATP also provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network. + +**Management and APIs**
                  +Windows Defender ATP provides integrated configuration management in the cloud. The service also supports third-party mobile device management (MDM) tools, cross-platform support, and APIs that allow customers to create custom threat intelligence and automate workflows. + +Understand how capabilities align within the Windows Defender ATP suite offering: + + + Attack surface reduction | Next generation protection | Endpoint detection and response | Auto investigation and remediation | Security posture +:---|:---|:---|:---|:--- + [Hardware based isolation](https://docs.microsoft.com/en-us/windows/security/hardware-protection/)

                  [Application control](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)

                  [Exploit protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)

                  [Network protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)

                  [Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard) | [Machine learning](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)

                  [Antivirus](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)

                  [Threat intelligence](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)

                  [Sandbox service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis) | [Response containment](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)

                  [Realtime and historical threat hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)

                  [Threat intelligence and custom detections](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) | [Forensic collection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines)

                  [Response orchestration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)

                  [Historical endpoint data](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline)

                  [Artificial intelligence response playbooks](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | [Asset inventory](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)
                  [Operating system baseline compliance](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

                  [Recommended improvement actions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection#improvement-opportunities)

                  [Secure score](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

                  [Threat analytics](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection)

                  [Reporting and trends](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection) + +These capabilities are available across multiple products that make up the Windows Defender ATP platform. For more information on how to leverage all the Windows Defender ATP capabilities, see [Threat protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/index). + + diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md index 11ef584f2a..22e6c40651 100644 --- a/windows/whats-new/TOC.md +++ b/windows/whats-new/TOC.md @@ -1,4 +1,5 @@ # [What's new in Windows 10](index.md) +## [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md) ## [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md) ## [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) ## [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md) diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index 63f5964ba8..e37e313557 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md @@ -5,7 +5,7 @@ ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44 keywords: ["What's new in Windows 10", "Windows 10", "anniversary update", "contribute", "edit topic", "Creators Update", "Fall Creators Update"] ms.prod: w10 author: TrudyHa -ms.date: 10/16/2017 +ms.date: 04/30/2018 ms.localizationpriority: high --- @@ -16,6 +16,7 @@ Windows 10 provides IT professionals with advanced protection against modern sec ## In this section +- [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md) - [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md) - [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) - [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md) 
diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index d9d240abee..78339d5cb2 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -207,7 +207,7 @@ The following sections describe the new and changed functionality in the TPM for ### Device health attestation -Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. +Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device health attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. Some things that you can check on the device are: - Is Data Execution Prevention supported and enabled? - Is BitLocker Drive Encryption supported and enabled? diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index fba100bb3c..a58a02c87b 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md 
@@ -26,19 +26,19 @@ A brief description of new or updated features in this version of Windows 10 is ## Deployment -### Windows AutoPilot +### Windows Autopilot -Windows AutoPilot is a zero touch experience for deploying Windows 10 devices. Configuration profiles can now be applied at the hardware vendor with devices being shipped directly to employees. For more information, see [Overview of Windows AutoPilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot). +Windows Autopilot is a zero touch experience for deploying Windows 10 devices. Configuration profiles can now be applied at the hardware vendor with devices being shipped directly to employees. For more information, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot). -You can also apply an AutoPilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the AutoPilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows AutoPilot Deployment](https://docs.microsoft.com/en-us/microsoft-store/add-profile-to-devices). +You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](https://docs.microsoft.com/en-us/microsoft-store/add-profile-to-devices). ### Windows 10 Subscription Activation Windows 10 Subscription Activation lets you deploy Windows 10 Enterprise in your organization with no keys and no reboots using a list of subscribed users. 
When a subscribed user signs in on their Windows 10 Pro device, features that are Enterprise-only are automatically enabled. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation). -### Windows Automatic Redeployment +### Autopilot Reset -IT Pros can use Windows Automatic Redeployment to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Windows Automatic Redeployment](https://docs.microsoft.com/education/windows/windows-automatic-redeployment). +IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset). ## Update 
@@ -115,7 +115,7 @@ The minimum PIN length is being changed from 6 to 4, with a default of 6. For mo Microsoft has released new [Windows security baselines](https://docs.microsoft.com/en-us/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/en-us/windows/device-security/security-compliance-toolkit-10). ### SMBLoris vulnerability -An issue, known as “SMBLoris”, which could result in denial of service, has been addressed. +An issue, known as “SMBLoris?, which could result in denial of service, has been addressed. ## Windows Analytics diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md new file mode 100644 index 0000000000..7db90dbaca --- /dev/null +++ b/windows/whats-new/whats-new-windows-10-version-1803.md 
@@ -0,0 +1,236 @@
+---
+title: What's new in Windows 10, version 1803
+description: New and updated IT Pro content about new features in Windows 10, version 1803 (also known as the Windows 10 April 2018 Update).
+keywords: ["What's new in Windows 10", "Windows 10", "April 2018 Update"]
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: greg-lindsay
+ms.date: 07/07/2018
+ms.localizationpriority: high
+---
+
+# What's new in Windows 10, version 1803 IT Pro content
+
+**Applies to**
+- Windows 10, version 1803
+
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1803, also known as the Windows 10 April 2018 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1709.
+
+>If you are not an IT Pro, see the following topics for information about what's new in Windows 10, version 1803 in [hardware](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows), for [developers](https://docs.microsoft.com/windows/uwp/whats-new/windows-10-build-17134), and for [consumers](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update).
+
+The following 3-minute video summarizes some of the new features that are available for IT Pros in this release.
+
+ 
+
+> [!video https://www.microsoft.com/en-us/videoplayer/embed/RE21ada?autoplay=false]
+
+
+## Deployment
+
+### Windows Autopilot
+
+[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot) provides a modern device lifecycle management service powered by the cloud that delivers a zero touch experience for deploying Windows 10.
+
+Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly.
+
+Windows Autopilot is now available with Surface, Lenovo, and Dell. Other OEM partners such as HP, Toshiba, Panasonic, and Fujitsu will support Autopilot in coming months. Check back here later for more information.
+
+### Windows 10 in S mode
+
+Windows 10 in S mode is now available on both Windows 10 Home and Pro PCs, and commercial customers will be able to deploy Windows 10 Enterprise in S mode - by starting with Windows 10 Pro in S mode and then activating Windows 10 Enterprise on the computer.
+
+Some additional information about Windows 10 in S mode:
+
+- Microsoft-verified. All of your applications are verified by Microsoft for security and performance.
+- Performance that lasts. Start-ups are quick, and S mode is built to keep them that way.
+- Choice and flexibility. Save your files to your favorite cloud, like OneDrive or DropBox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps.
+- S mode, on a range of modern devices. Enjoy all the great Windows multi-tasking features, like snapping Windows, task view and virtual desktops on a range of S mode enabled devices.
+
+If you want to switch out of S mode, you will be able to do so at no charge, regardless of edition. Once you switch out of S mode, you cannot switch back.
+
+For more information, see [Windows 10 Pro/Enterprise in S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode).
+
+### Windows 10 kiosk and Kiosk Browser
+
+With this release you can easily deploy and manage kiosk devices with Microsoft Intune in single and multiple app scenarios. This includes the new Kiosk Browser available from the Microsoft Store. Kiosk Browser is great for delivering a reliable and custom-tailored browsing experience for scenarios such as retail and signage. A summary of new features is below.
+
+- Using Intune, you can deploy the Kiosk Browser from the Microsoft Store, configure start URL, allowed URLs, and enable/disable navigation buttons.
+- Using Intune, you can deploy and configure shared devices and kiosks using assigned access to create a curated experience with the correct apps and configuration policies
+- Support for multiple screens for digital signage use cases.
+- The ability to ensure all MDM configurations are enforced on the device prior to entering assigned access using the Enrollment Status page.
+- The ability to configure and run Shell Launcher in addition to existing UWP Store apps.
+- A simplified process for creating and configuring an auto-logon kiosk account so that a public kiosk automatically enters a desired state after a reboot, a critical security requirement for public-facing use cases.
+- For multi-user Firstline Worker kiosk devices, instead of specifying every user, it’s now possible to assign different assigned access configurations to Azure AD groups or Active Directory groups.
+- To help with troubleshooting, you can now view error reports generated if an assigned access-configured app has issues.
+
+For more information, see:
+- [Making IT simpler with a modern workplace](https://www.microsoft.com/en-us/microsoft-365/blog/2018/04/27/making-it-simpler-with-a-modern-workplace/)
+- [Simplifying kiosk management for IT with Windows 10](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Simplifying-kiosk-management-for-IT-with-Windows-10/ba-p/187691)
+
+### Windows 10 Subscription Activation
+
+With this release, Subscription Activation supports Inherited Activation. Inherited Activation allows Windows 10 virtual machines to inherit activation state from their Windows 10 host.
+
+For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation#inherited-activation).
+
+### DISM
+
+The following new DISM commands have been added to manage feature updates:
+
+ DISM /Online /Initiate-OSUninstall
+ – Initiates a OS uninstall to take the computer back to the previous installation of windows.
+ DISM /Online /Remove-OSUninstall
+ – Removes the OS uninstall capability from the computer.
+ DISM /Online /Get-OSUninstallWindow
+ – Displays the number of days after upgrade during which uninstall can be performed.
+ DISM /Online /Set-OSUninstallWindow
+ – Sets the number of days after upgrade during which uninstall can be performed.
+
+For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options).
+
+### Windows Setup
+
+You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once.
+
+Prerequisites:
+- Windows 10, version 1803 or later.
+- Windows 10 Enterprise or Pro
+
+For more information, see [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions).
+
+It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option.
+
+ /PostRollback [\setuprollback.cmd] [/postrollback {system / admin}]
+
+For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21)
+
+New command-line switches are also available to control BitLocker:
+
+ Setup.exe /BitLocker AlwaysSuspend
+ – Always suspend bitlocker during upgrade.
+ Setup.exe /BitLocker TryKeepActive
+ – Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade.
+ Setup.exe /BitLocker ForceKeepActive
+ – Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade.
+
+For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33)
+
+### SetupDiag
+
+[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed.
+
+SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 26 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
+
+### Windows Update for Business (WUfB)
+
+Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure).
+
+### Feature update improvements
+
+Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/).
+
+## Configuration
+
+### Co-management
+
+Intune and System Center Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
+
+For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/en-us/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803)
+
+### OS uninstall period
+
+The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period.
+
+### Windows Hello for Business
+
+[Windows Hello](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section.
+
+- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/).
+- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions.
+- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off.
+- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
+- New [public API](https://docs.microsoft.com/en-us/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider.
+- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off).
+
+For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97)
+
+## Accessibility and Privacy
+
+### Accessibility
+
+"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post.
+
+### Privacy
+
+In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) app.
+
+## Security
+
+### Security Baselines
+
+The new [security baseline for Windows 10 version 1803](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10) has been published.
+
+### Windows Defender Antivirus
+
+Windows Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus).
+
+### Windows Defender Exploit Guard
+
+Windows Defender Exploit Guard enhanced attack surface area reduction, extended support to Microsoft Office applications, and now supports Windows Server. [Virtualization-based Security](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/Windows-Defender-System-Guard-Making-a-leap-forward-in-platform/m-p/167303) (VBS) and Hypervisor-protected code integrity (HVCI) can now be enabled across the Windows 10 ecosystem. These Exploit Guard features can now be enabled through the Windows Defender Security Center.
+
+For more information, see [Reduce attack surfaces with Windows Defender Exploit Guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
+
+### Windows Defender ATP
+
+[Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics:
+
+- [Query data using Advanced hunting in Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
+- [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)
+- [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
+
+Also see [New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97)
+
+### Windows Defender Application Guard
+
+Windows Defender Application Guard has added support for Edge. For more information, see [System requirements for Windows Defender Application Guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard#software-requirements)
+
+### Windows Defender Device Guard
+
+Configurable code integrity is being rebranded as Windows Defender Application Control. This is to help distinguish it as a standalone feature to control execution of applications. For more information about Device Guard, see Windows [Defender Device Guard deployment guide](https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide).
+
+### Windows Information Protection
+
+This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234).
+
+### Office 365 Ransomware Detection
+
+For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US)
+
+## Windows Analytics
+
+### Upgrade Readiness
+
+Upgrade Readiness has added the ability to assess Spectre and Meltdown protections on your devices. This addition allows you to see if your devices have Windows OS and firmware updates with Spectre and Meltdown mitigations installed, as well as whether your antivirus client is compatible with these updates. For more information, see [Upgrade Readiness now helps assess Spectre and Meltdown protections](https://blogs.technet.microsoft.com/upgradeanalytics/2018/02/13/upgrade-readiness-now-helps-assess-spectre-and-meltdown-protections/)
+
+### Update Compliance
+
+Update Compliance has added Delivery Optimization to assess the bandwidth consumption of Windows Updates. For more information, see [Delivery Optimization in Update Compliance](https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-delivery-optimization)
+
+### Device Health
+
+Device Health’s new App Reliability reports enable you to see where app updates or configuration changes may be needed to reduce crashes. The Login Health reports reveal adoption, success rates, and errors for Windows Hello and for passwords— for a smooth migration to the password-less future. For more information, see [Using Device Health](https://docs.microsoft.com/en-us/windows/deployment/update/device-health-using)
+
+## Microsoft Edge
+
+iOS and Android versions of Edge are now available. For more information, see [Microsoft Edge Tips](https://microsoftedgetips.microsoft.com/en-us?source=firstrunwip).
+
+Support in [Windows Defender Application Guard](#windows-defender-application-guard) is also improved.
+
+
+## See Also
+
+[Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
                  +[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
                  +[What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
                  +[Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709.