deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Acrolinx enhancement effort

Browse Source
This commit is contained in:
Siddarth Mandalika 2022-03-29 17:18:17 +05:30
parent 61f8dc827a
commit c038667431
16 changed files with 250 additions and 250 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
windows/client-management/mdm/policy-csp-admx-wcm.md
View File

@ -68,9 +68,9 @@ manager: dansimp
<!--Description-->
This policy setting specifies that power management is disabled when the machine enters connected standby mode.
If this policy setting is enabled, Windows Connection Manager does not manage adapter radios to reduce power consumption when the machine enters connected standby mode.
If this policy setting is enabled, Windows Connection Manager doesn't manage adapter radios to reduce power consumption when the machine enters connected standby mode.
If this policy setting is not configured or is disabled, power management is enabled when the machine enters connected standby mode.
If this policy setting isn't configured or is disabled, power management is enabled when the machine enters connected standby mode.
<!--/Description-->
@ -121,9 +121,9 @@ When soft disconnect is enabled:
- When Windows decides that the computer should no longer be connected to a network, it waits for traffic to settle on that network. The existing TCP session will continue uninterrupted.
- Windows then checks the traffic level on the network periodically. If the traffic level is above a certain threshold, no further action is taken. The computer stays connected to the network and continues to use it. For example, if the network connection is currently being used to download files from the Internet, the files will continue to be downloaded using that network connection.
- When the network traffic drops below this threshold, the computer will be disconnected from the network. Apps that keep a network connection active even when theyre not actively using it (for example, email apps) might lose their connection. If this happens, these apps should re-establish their connection over a different network.
- When the network traffic drops below this threshold, the computer will be disconnected from the network. Apps that keep a network connection active even when theyre not actively using it (for example, email apps) might lose their connection. If this connection loss happens, these apps should re-establish their connection over a different network.
This policy setting depends on other group policy settings. For example, if 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is disabled, Windows will not disconnect from any networks.
This policy setting depends on other group policy settings. For example, if 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is disabled, Windows won't disconnect from any networks.
<!--/Description-->
@ -167,9 +167,9 @@ ADMX Info:
<!--Description-->
This policy setting determines if a computer can have multiple connections to the internet or to a Windows domain. If multiple connections are allowed, it then determines how network traffic will be routed.
If this policy setting is set to 0, a computer can have simultaneous connections to the internet, to a Windows domain, or to both. Internet traffic can be routed over any connection - including a cellular connection and any metered network. This was previously the Disabled state for this policy setting. This option was first available in Windows 8.
If this policy setting is set to 0, a computer can have simultaneous connections to the internet, to a Windows domain, or to both. Internet traffic can be routed over any connection - including a cellular connection and any metered network. This value of 0 was previously the "Disabled" state for this policy setting. This option was first available in Windows 8.
If this policy setting is set to 1, any new automatic internet connection is blocked when the computer has at least one active internet connection to a preferred type of network. Here's the order of preference (from most preferred to least preferred): Ethernet, WLAN, then cellular. Ethernet is always preferred when connected. Users can still manually connect to any network. This was previously the Enabled state for this policy setting. This option was first available in Windows 8.
If this policy setting is set to 1, any new automatic internet connection is blocked when the computer has at least one active internet connection to a preferred type of network. Here's the order of preference (from most preferred to least preferred): Ethernet, WLAN, then cellular. Ethernet is always preferred when connected. Users can still manually connect to any network. This value of 1 was previously the "Enabled" state for this policy setting. This option was first available in Windows 8.
If this policy setting is set to 2, the behavior is similar to 1. However, if a cellular data connection is available, it will always stay connected for services that require a cellular connection. When the user is connected to a WLAN or Ethernet connection, no internet traffic will be routed over the cellular connection. This option was first available in Windows 10 (Version 1703).

8
windows/client-management/mdm/policy-csp-admx-wdi.md
View File

@ -66,10 +66,10 @@ manager: dansimp
<!--Description-->
This policy setting determines the data retention limit for Diagnostic Policy Service (DPS) scenario data.
- If you enable this policy setting, you must enter the maximum size of scenario data that should be retained in megabytes. Detailed troubleshooting data related to scenarios will be retained until this limit is reached.
- If you disable or do not configure this policy setting, the DPS deletes scenario data once it exceeds 128 megabytes in size.
- If you disable or don't configure this policy setting, the DPS deletes scenario data once it exceeds 128 megabytes in size.
No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately.
This policy setting will only take effect when the Diagnostic Policy Service is in the running state.
When the service is stopped or disabled, diagnostic scenario data will not be deleted.
When the service is stopped or disabled, diagnostic scenario data won't be deleted.
The DPS can be configured with the Services snap-in to the Microsoft Management Console.
<!--/Description-->
@ -117,9 +117,9 @@ This policy setting determines the execution level for Diagnostic Policy Service
If you select problem detection and troubleshooting only, the DPS will detect problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will attempt to automatically fix problems it detects or indicate to the user that assisted resolution is available.
- If you disable this policy setting, Windows cannot detect, troubleshoot, or resolve any problems that are handled by the DPS.
- If you disable this policy setting, Windows can't detect, troubleshoot, or resolve any problems that are handled by the DPS.
If you do not configure this policy setting, the DPS enables all scenarios for resolution by default, unless you configure separate scenario-specific policy settings. This policy setting takes precedence over any scenario-specific policy settings when it is enabled or disabled. Scenario-specific policy settings only take effect if this policy setting is not configured. No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately.
If you don't configure this policy setting, the DPS enables all scenarios for resolution by default, unless you configure separate scenario-specific policy settings. This policy setting takes precedence over any scenario-specific policy settings when it's enabled or disabled. Scenario-specific policy settings only take effect if this policy setting isn't configured. No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately.
<!--/Description-->

16
windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
View File

@ -274,7 +274,7 @@ manager: dansimp
<!--Description-->
This policy setting allows you to prevent data loss when you change the target location for Folder Redirection, and the new and old targets point to the same network share, but have different network paths.
If you enable this policy setting, Folder Redirection creates a temporary file in the old location in order to verify that new and old locations point to the same network share. If both new and old locations point to the same share, the target path is updated and files are not copied or deleted. The temporary file is deleted.
If you enable this policy setting, Folder Redirection creates a temporary file in the old location in order to verify that new and old locations point to the same network share. If both new and old locations point to the same share, the target path is updated and files aren't copied or deleted. The temporary file is deleted.
If you disable or do not configure this policy setting, Folder Redirection does not create a temporary file and functions as if both new and old locations point to different shares when their network paths are different.
@ -2106,7 +2106,7 @@ ADMX Info:
<!--Description-->
This policy setting allows you to turn off caching of thumbnail pictures.
If you enable this policy setting, thumbnail views are not cached.
If you enable this policy setting, thumbnail views aren't cached.
If you disable or do not configure this policy setting, thumbnail views are cached.
@ -2859,13 +2859,13 @@ ADMX Info:
<!--Description-->
Prevents users from submitting alternate logon credentials to install a program.
This setting suppresses the "Install Program As Other User" dialog box for local and network installations. This dialog box, which prompts the current user for the user name and password of an administrator, appears when users who are not administrators try to install programs locally on their computers. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials.
This setting suppresses the "Install Program As Other User" dialog box for local and network installations. This dialog box, which prompts the current user for the user name and password of an administrator, appears when users who aren't administrators try to install programs locally on their computers. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials.
Many programs can be installed only by an administrator. If you enable this setting and a user does not have sufficient permissions to install a program, the installation continues with the current user's logon credentials. As a result, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly.
If you disable this setting or do not configure it, the "Install Program As Other User" dialog box appears whenever users install programs locally on the computer.
By default, users are not prompted for alternate logon credentials when installing programs from a network share. If enabled, this setting overrides the "Request credentials for network installations" setting.
By default, users aren't prompted for alternate logon credentials when installing programs from a network share. If enabled, this setting overrides the "Request credentials for network installations" setting.
<!--/Description-->
@ -3350,10 +3350,10 @@ If you disable this setting or do not configure it, this dialog box appears only
The "Install Program as Other User" dialog box prompts the current user for the user name and password of an administrator. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials.
If the dialog box does not appear, the installation proceeds with the current user's permissions. If these permissions are not sufficient, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly.
If the dialog box does not appear, the installation proceeds with the current user's permissions. If these permissions aren't sufficient, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly.
> [!NOTE]
> If it is enabled, the "Do not request alternate credentials" setting takes precedence over this setting. When that setting is enabled, users are not prompted for alternate logon credentials on any installation.
> If it is enabled, the "Do not request alternate credentials" setting takes precedence over this setting. When that setting is enabled, users aren't prompted for alternate logon credentials on any installation.
<!--/Description-->
@ -3444,7 +3444,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows.
This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications aren't able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows.
If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files.
@ -3492,7 +3492,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows.
This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications aren't able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows.
If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files.

104
windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md
View File

@ -130,13 +130,13 @@ If you enable this policy setting, select one of the following proxy types:
If the Custom proxy type is selected, the rest of the options on the Setting tab must be specified because no default settings are used for the proxy. The options are ignored if Autodetect or Browser is selected.
The Configure button on the Network tab in the Player is not available for the HTTP protocol and the proxy cannot be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden.
The Configure button on the Network tab in the Player isn't available for the HTTP protocol and the proxy can't be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden.
This policy is ignored if the "Streaming media protocols" policy setting is enabled and HTTP is not selected.
This policy is ignored if the "Streaming media protocols" policy setting is enabled and HTTP isn't selected.
If you disable this policy setting, the HTTP proxy server cannot be used and the user cannot configure the HTTP proxy.
If you disable this policy setting, the HTTP proxy server can't be used and the user can't configure the HTTP proxy.
If you do not configure this policy setting, users can configure the HTTP proxy settings.
If you don't configure this policy setting, users can configure the HTTP proxy settings.
<!--/Description-->
@ -187,13 +187,13 @@ If you enable this policy setting, select one of the following proxy types:
If the Custom proxy type is selected, the rest of the options on the Setting tab must be specified; otherwise, the default settings are used. The options are ignored if Autodetect is selected.
The Configure button on the Network tab in the Player is not available and the protocol cannot be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden.
The Configure button on the Network tab in the Player isn't available and the protocol can't be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden.
This policy setting is ignored if the "Streaming media protocols" policy setting is enabled and Multicast is not selected.
This policy setting is ignored if the "Streaming media protocols" policy setting is enabled and Multicast isn't selected.
If you disable this policy setting, the MMS proxy server cannot be used and users cannot configure the MMS proxy settings.
If you disable this policy setting, the MMS proxy server can't be used and users can't configure the MMS proxy settings.
If you do not configure this policy setting, users can configure the MMS proxy settings.
If you don't configure this policy setting, users can configure the MMS proxy settings.
<!--/Description-->
@ -244,11 +244,11 @@ If you enable this policy setting, select one of the following proxy types:
If the Custom proxy type is selected, the rest of the options on the Setting tab must be specified; otherwise, the default settings are used. The options are ignored if Autodetect is selected.
The Configure button on the Network tab in the Player is not available and the protocol cannot be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden.
The Configure button on the Network tab in the Player isn't available and the protocol can't be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden.
If you disable this policy setting, the RTSP proxy server cannot be used and users cannot change the RTSP proxy settings.
If you disable this policy setting, the RTSP proxy server can't be used and users can't change the RTSP proxy settings.
If you do not configure this policy setting, users can configure the RTSP proxy settings.
If you don't configure this policy setting, users can configure the RTSP proxy settings.
<!--/Description-->
@ -294,9 +294,9 @@ This policy setting allows you to turn off do not show first use dialog boxes.
If you enable this policy setting, the Privacy Options and Installation Options dialog boxes are prevented from being displayed the first time a user starts Windows Media Player.
This policy setting prevents the dialog boxes which allow users to select privacy, file types, and other desktop options from being displayed when the Player is first started. Some of the options can be configured by using other Windows Media Player group policies.
This policy setting prevents the dialog boxes that allow users to select privacy, file types, and other desktop options from being displayed when the Player is first started. Some of the options can be configured by using other Windows Media Player group policies.
If you disable or do not configure this policy setting, the dialog boxes are displayed when the user starts the Player for the first time.
If you disable or don't configure this policy setting, the dialog boxes are displayed when the user starts the Player for the first time.
<!--/Description-->
@ -342,7 +342,7 @@ This policy setting allows you to hide the Network tab.
If you enable this policy setting, the Network tab in Windows Media Player is hidden. The default network settings are used unless the user has previously defined network settings for the Player.
If you disable or do not configure this policy setting, the Network tab appears and users can use it to configure network settings.
If you disable or don't configure this policy setting, the Network tab appears and users can use it to configure network settings.
<!--/Description-->
@ -386,11 +386,11 @@ ADMX Info:
<!--Description-->
This policy setting allows you to prevent the anchor window from being displayed when Windows Media Player is in skin mode.
If you enable this policy setting, the anchor window is hidden when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not available.
If you enable this policy setting, the anchor window is hidden when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays isn't available.
If you disable or do not configure this policy setting, users can show or hide the anchor window when the Player is in skin mode by using the Player tab in the Player.
If you disable or don't configure this policy setting, users can show or hide the anchor window when the Player is in skin mode by using the Player tab in the Player.
If you do not configure this policy setting, and the "Set and lock skin" policy setting is enabled, some options in the anchor window are not available.
If you don't configure this policy setting, and the "Set and lock skin" policy setting is enabled, some options in the anchor window aren't available.
<!--/Description-->
@ -434,11 +434,11 @@ ADMX Info:
<!--Description-->
This policy setting prevents the anchor window from being displayed when Windows Media Player is in skin mode.
This policy hides the anchor window when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not available.
This policy hides the anchor window when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays isn't available.
When this policy is not configured or disabled, users can show or hide the anchor window when the Player is in skin mode by using the Player tab in the Player.
When this policy isn't configured or disabled, users can show or hide the anchor window when the Player is in skin mode by using the Player tab in the Player.
When this policy is not configured and the Set and Lock Skin policy is enabled, some options in the anchor window are not available.
When this policy isn't configured and the Set and Lock Skin policy is enabled, some options in the anchor window aren't available.
<!--/Description-->
@ -482,11 +482,11 @@ ADMX Info:
<!--Description-->
This policy setting allows you to prevent video smoothing from occurring.
If you enable this policy setting, video smoothing is prevented, which can improve video playback on computers with limited resources. In addition, the Use Video Smoothing check box in the Video Acceleration Settings dialog box in the Player is cleared and is not available.
If you enable this policy setting, video smoothing is prevented, which can improve video playback on computers with limited resources. In addition, the Use Video Smoothing check box in the Video Acceleration Settings dialog box in the Player is cleared and isn't available.
If you disable this policy setting, video smoothing occurs if necessary, and the Use Video Smoothing check box is selected and is not available.
If you disable this policy setting, video smoothing occurs if necessary, and the Use Video Smoothing check box is selected and isn't available.
If you do not configure this policy setting, video smoothing occurs if necessary. Users can change the setting for the Use Video Smoothing check box.
If you don't configure this policy setting, video smoothing occurs if necessary. Users can change the setting for the Use Video Smoothing check box.
Video smoothing is available only on the Windows XP Home Edition and Windows XP Professional operating systems.
@ -532,11 +532,11 @@ ADMX Info:
<!--Description-->
This policy setting allows a screen saver to interrupt playback.
If you enable this policy setting, a screen saver is displayed during playback of digital media according to the options selected on the Screen Saver tab in the Display Properties dialog box in Control Panel. The Allow screen saver during playback check box on the Player tab in the Player is selected and is not available.
If you enable this policy setting, a screen saver is displayed during playback of digital media according to the options selected on the Screen Saver tab in the Display Properties dialog box in Control Panel. The Allow screen saver during playback check box on the Player tab in the Player is selected and isn't available.
If you disable this policy setting, a screen saver does not interrupt playback even if users have selected a screen saver. The Allow screen saver during playback check box is cleared and is not available.
If you disable this policy setting, a screen saver doesn't interrupt playback even if users have selected a screen saver. The Allow screen saver during playback check box is cleared and isn't available.
If you do not configure this policy setting, users can change the setting for the Allow screen saver during playback check box.
If you don't configure this policy setting, users can change the setting for the Allow screen saver during playback check box.
<!--/Description-->
@ -584,7 +584,7 @@ If you enable this policy setting, the "Update my music files (WMA and MP3 files
The default privacy settings are used for the options on the Privacy tab unless the user changed the settings previously.
If you disable or do not configure this policy setting, the Privacy tab is not hidden, and users can configure any privacy settings not configured by other polices.
If you disable or don't configure this policy setting, the Privacy tab isn't hidden, and users can configure any privacy settings not configured by other policies.
<!--/Description-->
@ -630,7 +630,7 @@ This policy setting allows you to hide the Security tab in Windows Media Player.
If you enable this policy setting, the default security settings for the options on the Security tab are used unless the user changed the settings previously. Users can still change security and zone settings by using Internet Explorer unless these settings have been hidden or disabled by Internet Explorer policies.
If you disable or do not configure this policy setting, users can configure the security settings on the Security tab.
If you disable or don't configure this policy setting, users can configure the security settings on the Security tab.
<!--/Description-->
@ -674,14 +674,14 @@ ADMX Info:
<!--Description-->
This policy setting allows you to specify whether network buffering uses the default or a specified number of seconds.
If you enable this policy setting, select one of the following options to specify the number of seconds streaming media is buffered before it is played.
If you enable this policy setting, select one of the following options to specify the number of seconds streaming media is buffered before it's played.
- Custom: the number of seconds, up to 60, that streaming media is buffered.
- Default: default network buffering is used and the number of seconds that is specified is ignored.
The "Use default buffering" and "Buffer" options on the Performance tab in the Player are not available.
The "Use default buffering" and "Buffer" options on the Performance tab in the Player aren't available.
If you disable or do not configure this policy setting, users can change the buffering options on the Performance tab.
If you disable or don't configure this policy setting, users can change the buffering options on the Performance tab.
<!--/Description-->
@ -725,11 +725,11 @@ ADMX Info:
<!--Description-->
This policy setting allows you to prevent Windows Media Player from downloading codecs.
If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player tab in the Player is not available.
If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player tab in the Player isn't available.
If you disable this policy setting, codecs are automatically downloaded and the Download codecs automatically check box is not available.
If you disable this policy setting, codecs are automatically downloaded and the Download codecs automatically check box isn't available.
If you do not configure this policy setting, users can change the setting for the Download codecs automatically check box.
If you don't configure this policy setting, users can change the setting for the Download codecs automatically check box.
<!--/Description-->
@ -773,9 +773,9 @@ ADMX Info:
<!--Description-->
This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet.
If you enable this policy setting, the Player is prevented from automatically obtaining media information from the Internet for CDs and DVDs played by users. In addition, the Retrieve media information for CDs and DVDs from the Internet check box on the Privacy Options tab in the first use dialog box and on the Privacy tab in the Player are not selected and are not available.
If you enable this policy setting, the Player is prevented from automatically obtaining media information from the Internet for CDs and DVDs played by users. In addition, the Retrieve media information for CDs and DVDs from the Internet check box on the Privacy Options tab in the first use dialog box and on the Privacy tab in the Player aren't selected and aren't available.
If you disable or do not configure this policy setting, users can change the setting of the Retrieve media information for CDs and DVDs from the Internet check box.
If you disable or don't configure this policy setting, users can change the setting of the Retrieve media information for CDs and DVDs from the Internet check box.
<!--/Description-->
@ -821,7 +821,7 @@ This policy setting allows you to prevent media sharing from Windows Media Playe
If you enable this policy setting, any user on this computer is prevented from sharing digital media content from Windows Media Player with other computers and devices that are on the same network. Media sharing is disabled from Windows Media Player or from programs that depend on the Player's media sharing feature.
If you disable or do not configure this policy setting, anyone using Windows Media Player can turn media sharing on or off.
If you disable or don't configure this policy setting, anyone using Windows Media Player can turn media sharing on or off.
<!--/Description-->
@ -865,9 +865,9 @@ ADMX Info:
<!--Description-->
This policy setting allows you to prevent media information for music files from being retrieved from the Internet.
If you enable this policy setting, the Player is prevented from automatically obtaining media information for music files such as Windows Media Audio (WMA) and MP3 files from the Internet. In addition, the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box in the first use dialog box and on the Privacy and Media Library tabs in the Player are not selected and are not available.
If you enable this policy setting, the Player is prevented from automatically obtaining media information for music files such as Windows Media Audio (WMA) and MP3 files from the Internet. In addition, the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box in the first use dialog box and on the Privacy and Media Library tabs in the Player aren't selected and aren't available.
If you disable or do not configure this policy setting, users can change the setting of the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box.
If you disable or don't configure this policy setting, users can change the setting of the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box.
<!--/Description-->
@ -911,9 +911,9 @@ ADMX Info:
<!--Description-->
This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Launch bar.
If you enable this policy setting, the user cannot add the shortcut for the Player to the Quick Launch bar.
If you enable this policy setting, the user can't add the shortcut for the Player to the Quick Launch bar.
If you disable or do not configure this policy setting, the user can choose whether to add the shortcut for the Player to the Quick Launch bar.
If you disable or don't configure this policy setting, the user can choose whether to add the shortcut for the Player to the Quick Launch bar.
<!--/Description-->
@ -956,9 +956,9 @@ ADMX Info:
<!--Description-->
This policy setting allows you to prevent radio station presets from being retrieved from the Internet.
If you enable this policy setting, the Player is prevented from automatically retrieving radio station presets from the Internet and displaying them in Media Library. In addition, presets that exist before the policy is configured are not be updated, and presets a user adds are not be displayed.
If you enable this policy setting, the Player is prevented from automatically retrieving radio station presets from the Internet and displaying them in Media Library. In addition, presets that exist before the policy is configured aren't updated, and the presets that a user adds aren't displayed.
If you disable or do not configure this policy setting, the Player automatically retrieves radio station presets from the Internet.
If you disable or don't configure this policy setting, the Player automatically retrieves radio station presets from the Internet.
<!--/Description-->
@ -1002,9 +1002,9 @@ ADMX Info:
<!--Description-->
This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's desktop.
If you enable this policy setting, users cannot add the Player shortcut icon to their desktops.
If you enable this policy setting, users can't add the Player shortcut icon to their desktops.
If you disable or do not configure this policy setting, users can choose whether to add the Player shortcut icon to their desktops.
If you disable or don't configure this policy setting, users can choose whether to add the Player shortcut icon to their desktops.
<!--/Description-->
@ -1050,11 +1050,11 @@ This policy setting allows you to set and lock Windows Media Player in skin mode
If you enable this policy setting, the Player displays only in skin mode using the skin specified in the Skin box on the Setting tab.
You must use the complete file name for the skin (for example, skin_name.wmz), and the skin must be installed in the %programfiles%\Windows Media Player\Skins Folder on a user's computer. If the skin is not installed on a user's computer, or if the Skin box is blank, the Player opens by using the Corporate skin. The only way to specify the Corporate skin is to leave the Skin box blank.
You must use the complete file name for the skin (for example, skin_name.wmz), and the skin must be installed in the %programfiles%\Windows Media Player\Skins Folder on a user's computer. If the skin isn't installed on a user's computer, or if the Skin box is blank, the Player opens by using the Corporate skin. The only way to specify the Corporate skin is to leave the Skin box blank.
A user has access only to the Player features that are available with the specified skin. Users cannot switch the Player to full mode and cannot choose a different skin.
A user has access only to the Player features that are available with the specified skin. Users can't switch the Player to full mode and can't choose a different skin.
If you disable or do not configure this policy setting, users can display the Player in full or skin mode and have access to all available features of the Player.
If you disable or don't configure this policy setting, users can display the Player in full or skin mode and have access to all available features of the Player.
<!--/Description-->
@ -1098,13 +1098,13 @@ ADMX Info:
<!--Description-->
This policy setting allows you to specify that Windows Media Player can attempt to use selected protocols when receiving streaming media from a server running Windows Media Services.
If you enable this policy setting, the protocols that are selected on the Network tab of the Player are used to receive a stream initiated through an MMS or RTSP URL from a Windows Media server. If the RSTP/UDP check box is selected, a user can specify UDP ports in the Use ports check box. If the user does not specify UDP ports, the Player uses default ports when using the UDP protocol. This policy setting also specifies that multicast streams can be received if the "Allow the Player to receive multicast streams" check box on the Network tab is selected.
If you enable this policy setting, the protocols that are selected on the Network tab of the Player are used to receive a stream initiated through an MMS or RTSP URL from a Windows Media server. If the RSTP/UDP check box is selected, a user can specify UDP ports in the Use ports check box. If the user doesn't specify UDP ports, the Player uses default ports when using the UDP protocol. This policy setting also specifies that multicast streams can be received if the "Allow the Player to receive multicast streams" check box on the Network tab is selected.
If you enable this policy setting, the administrator must also specify the protocols that are available to users on the Network tab. If the administrator does not specify any protocols, the Player cannot access an MMS or RTSP URL from a Windows Media server. If the "Hide network tab" policy setting is enabled, the entire Network tab is hidden.
If you enable this policy setting, the administrator must also specify the protocols that are available to users on the Network tab. If the administrator doesn't specify any protocols, the Player can't access an MMS or RTSP URL from a Windows Media server. If the "Hide network tab" policy setting is enabled, the entire Network tab is hidden.
If you do not configure this policy setting, users can select the protocols to use on the Network tab.
If you don't configure this policy setting, users can select the protocols to use on the Network tab.
If you disable this policy setting, the Protocols for MMS URLs and Multicast streams areas of the Network tab are not available and the Player cannot receive an MMS or RTSP stream from a Windows Media server.
If you disable this policy setting, the Protocols for MMS URLs and Multicast streams areas of the Network tab aren't available and the Player can't receive an MMS or RTSP stream from a Windows Media server.
<!--/Description-->

8
windows/client-management/mdm/policy-csp-admx-wininit.md
View File

@ -70,9 +70,9 @@ manager: dansimp
<!--Description-->
This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shut down this system from a remote Windows XP or Windows Server 2003 system.
If you enable this policy setting, the system does not create the named pipe remote shutdown interface.
If you enable this policy setting, the system doesn't create the named pipe remote shutdown interface.
If you disable or do not configure this policy setting, the system creates the named pipe remote shutdown interface.
If you disable or don't configure this policy setting, the system creates the named pipe remote shutdown interface.
<!--/Description-->
@ -119,7 +119,7 @@ This policy setting controls the use of fast startup.
If you enable this policy setting, the system requires hibernate to be enabled.
If you disable or do not configure this policy setting, the local setting is used.
If you disable or don't configure this policy setting, the local setting is used.
<!--/Description-->
@ -166,7 +166,7 @@ This policy setting configures the number of minutes the system waits for the hu
If you enable this policy setting, the system waits for the hung logon sessions for the number of minutes specified.
If you disable or do not configure this policy setting, the default timeout value is 3 minutes for workstations and 15 minutes for servers.
If you disable or don't configure this policy setting, the default timeout value is 3 minutes for workstations and 15 minutes for servers.
<!--/Description-->

32
windows/client-management/mdm/policy-csp-admx-winlogon.md
View File

@ -79,9 +79,9 @@ manager: dansimp
<!--Description-->
Specifies an alternate user interface. The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface, but you can use this setting to specify an alternate interface.
If you enable this setting, the system starts the interface you specify instead of Explorer.exe. To use this setting, copy your interface program to a network share or to your system drive. Then, enable this setting, and type the name of the interface program, including the file name extension, in the Shell name text box. If the interface program file is not located in a folder specified in the Path environment variable for your system, enter the fully qualified path to the file.
If you enable this setting, the system starts the interface you specify instead of Explorer.exe. To use this setting, copy your interface program to a network share or to your system drive. Then, enable this setting, and type the name of the interface program, including the file name extension, in the Shell name text box. If the interface program file isn't located in a folder specified in the Path environment variable for your system, enter the fully qualified path to the file.
If you disable this setting or do not configure it, the setting is ignored and the system displays the Explorer interface.
If you disable this setting or don't configure it, the setting is ignored and the system displays the Explorer interface.
> [!TIP]
> To find the folders indicated by the Path environment variable, click System Properties in Control Panel, click the Advanced tab, click the Environment Variables button, and then, in the System variables box, click Path.
@ -127,13 +127,13 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting controls whether or not the system displays information about previous logons and logon failures to the user.
This policy setting controls whether or not the system displays information about previous sign-ins and sign-in failures to the user.
For local user accounts and domain user accounts in domains of at least a Windows Server 2008 functional level, if you enable this setting, a message appears after the user logs on that displays the date and time of the last successful logon by that user, the date and time of the last unsuccessful logon attempted with that user name, and the number of unsuccessful logons since the last successful logon by that user. This message must be acknowledged by the user before the user is presented with the Microsoft Windows desktop.
For local user accounts and domain user accounts in domains of at least a Windows Server 2008 functional level, if you enable this setting, a message appears after the user logs on that displays the date and time of the last successful sign in by that user, the date and time of the last unsuccessful sign in attempted with that user name, and the number of unsuccessful logons since the last successful sign in by that user. This message must be acknowledged by the user before the user is presented with the Microsoft Windows desktop.
For domain user accounts in Windows Server 2003, Windows 2000 native, or Windows 2000 mixed functional level domains, if you enable this setting, a warning message will appear that Windows could not retrieve the information and the user will not be able to log on. Therefore, you should not enable this policy setting if the domain is not at the Windows Server 2008 domain functional level.
For domain user accounts in Windows Server 2003, Windows 2000 native, or Windows 2000 mixed functional level domains, if you enable this setting, a warning message will appear that Windows couldn't retrieve the information and the user won't be able to sign in. Therefore, you shouldn't enable this policy setting if the domain isn't at the Windows Server 2008 domain functional level.
If you disable or do not configure this setting, messages about the previous logon or logon failures are not displayed.
If you disable or don't configure this setting, messages about the previous sign in or sign-in failures aren't displayed.
<!--/Description-->
@ -177,11 +177,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy controls whether the logged on user should be notified when his logon hours are about to expire. By default, a user is notified before logon hours expire, if actions have been set to occur when the logon hours expire.
This policy controls whether the signed-in user should be notified when their sign-in hours are about to expire. By default, a user is notified before sign-in hours expire, if actions have been set to occur when the sign-in hours expire.
If you enable this setting, warnings are not displayed to the user before the logon hours expire.
If you enable this setting, warnings aren't displayed to the user before the sign-in hours expire.
If you disable or do not configure this setting, users receive warnings before the logon hours expire, if actions have been set to occur when the logon hours expire.
If you disable or don't configure this setting, users receive warnings before the sign-in hours expire, if actions have been set to occur when the sign-in hours expire.
> [!NOTE]
> If you configure this setting, you might want to examine and appropriately configure the “Set action to take when logon hours expire” setting. If “Set action to take when logon hours expire” is disabled or not configured, the “Remove logon hours expiration warnings” setting will have no effect, and users receive no warnings about logon hour expiration
@ -227,13 +227,13 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy controls which action will be taken when the logon hours expire for the logged on user. The actions include lock the workstation, disconnect the user, or log the user off completely.
This policy controls which action will be taken when the sign-in hours expire for the logged on user. The actions include lock the workstation, disconnect the user, or log the user off completely.
If you choose to lock or disconnect a session, the user cannot unlock the session or reconnect except during permitted logon hours.
If you choose to lock or disconnect a session, the user can't unlock the session or reconnect except during permitted sign-in hours.
If you choose to log off a user, the user cannot log on again except during permitted logon hours. If you choose to log off a user, the user might lose unsaved data. If you enable this setting, the system will perform the action you specify when the users logon hours expire.
If you choose to sign out a user, the user can't sign in again except during permitted sign-in hours. If you choose to sign out a user, the user might lose unsaved data. If you enable this setting, the system will perform the action you specify when the users sign-in hours expire.
If you disable or do not configure this setting, the system takes no action when the users logon hours expire. The user can continue the existing session, but cannot log on to a new session.
If you disable or don't configure this setting, the system takes no action when the users sign-in hours expire. The user can continue the existing session, but can't sign in to a new session.
> [!NOTE]
> If you configure this setting, you might want to examine and appropriately configure the “Remove logon hours expiration warnings” setting.
@ -280,7 +280,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and he has been logged on using previously stored account information.
This policy controls whether the signed-in user should be notified if the sign-in server couldn't be contacted during sign in and if they've been signed in using previously stored account information.
If enabled, a notification popup will be displayed to the user when the user logs on with cached credentials.
@ -331,12 +331,12 @@ This policy setting controls whether or not software can simulate the Secure Att
If you enable this policy setting, you have one of four options:
- If you set this policy setting to "None," user mode software cannot simulate the SAS.
- If you set this policy setting to "None," user mode software can't simulate the SAS.
- If you set this policy setting to "Services," services can simulate the SAS.
- If you set this policy setting to "Ease of Access applications," Ease of Access applications can simulate the SAS.
- If you set this policy setting to "Services and Ease of Access applications," both services and Ease of Access applications can simulate the SAS.
If you disable or do not configure this setting, only Ease of Access applications running on the secure desktop can simulate the SAS.
If you disable or don't configure this setting, only Ease of Access applications running on the secure desktop can simulate the SAS.
<!--/Description-->

4
windows/client-management/mdm/policy-csp-admx-winsrv.md
View File

@ -66,8 +66,8 @@ This policy setting specifies whether Windows will allow console applications an
By default, such applications are automatically terminated if they attempt to cancel shutdown or block it indefinitely.
- If you enable this setting, console applications or GUI applications without visible top-level windows that block or cancel shutdown will not be automatically terminated during shutdown.
- If you disable or do not configure this setting, these applications will be automatically terminated during shutdown, helping to ensure that windows can shut down faster and more smoothly.
- If you enable this setting, console applications or GUI applications without visible top-level windows that block or cancel shutdown won't be automatically terminated during shutdown.
- If you disable or don't configure this setting, these applications will be automatically terminated during shutdown, helping to ensure that windows can shut down faster and more smoothly.
> [!NOTE]
> This policy setting applies to all sites in Trusted zones.

8
windows/client-management/mdm/policy-csp-admx-wlansvc.md
View File

@ -72,8 +72,8 @@ This policy setting configures the cost of Wireless LAN (WLAN) connections on th
If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all WLAN connections on the local machine:
- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
- Variable: This connection is costed on a per byte basis. If this policy setting is disabled or is not configured, the cost of Wireless LAN connections is Unrestricted by default.
- Fixed: Use of this connection isn't restricted by usage charges and capacity constraints up to a certain data limit.
- Variable: This connection is costed on a per byte basis. If this policy setting is disabled or isn't configured, the cost of Wireless LAN connections is Unrestricted by default.
<!--/Description-->
@ -119,7 +119,7 @@ This policy applies to Wireless Display connections. This policy means that the
Conversely it means that Push Button is NOT allowed.
If this policy setting is disabled or is not configured, by default Push Button pairing is allowed (but not necessarily preferred).
If this policy setting is disabled or isn't configured, by default Push Button pairing is allowed (but not necessarily preferred).
<!--/Description-->
@ -165,7 +165,7 @@ This policy applies to Wireless Display connections. This policy changes the pre
When enabled, it makes the connections to prefer a PIN for pairing to Wireless Display devices over the Push Button pairing method.
If this policy setting is disabled or is not configured, by default Push Button pairing is preferred (if allowed by other policies).
If this policy setting is disabled or isn't configured, by default Push Button pairing is preferred (if allowed by other policies).
<!--/Description-->

10
windows/client-management/mdm/policy-csp-admx-workfoldersclient.md
View File

@ -72,8 +72,8 @@ This policy setting specifies whether Work Folders should be set up automaticall
- If you enable this policy setting, Work Folders will be set up automatically for all users of the affected computer.
This prevents users from choosing not to use Work Folders on the computer; it also prevents them from manually specifying the local folder in which Work Folders stores files. Work Folders will use the settings specified in the "Specify Work Folders settings" policy setting in User Configuration\Administrative Templates\Windows Components\WorkFolders. If the "Specify Work Folders settings" policy setting does not apply to a user, Work Folders is not automatically set up.
- If you disable or do not configure this policy setting, Work Folders uses the "Force automatic setup" option of the "Specify Work Folders settings" policy setting to determine whether to automatically set up Work Folders for a given user.
This folder creation prevents users from choosing not to use Work Folders on the computer; it also prevents them from manually specifying the local folder in which Work Folders stores files. Work Folders will use the settings specified in the "Specify Work Folders settings" policy setting in User Configuration\Administrative Templates\Windows Components\WorkFolders. If the "Specify Work Folders settings" policy setting doesn't apply to a user, Work Folders isn't automatically set up.
- If you disable or don't configure this policy setting, Work Folders uses the "Force automatic setup" option of the "Specify Work Folders settings" policy setting to determine whether to automatically set up Work Folders for a given user.
<!--/Description-->
@ -116,7 +116,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting specifies the Work Folders server for affected users, as well as whether or not users are allowed to change settings when setting up Work Folders on a domain-joined computer.
This policy setting specifies the Work Folders server for affected users, and whether or not users are allowed to change settings when setting up Work Folders on a domain-joined computer.
- If you enable this policy setting, affected users receive Work Folders settings when they sign in to a domain-joined PC.
@ -129,9 +129,9 @@ The “On-demand file access preference” option controls whether to enable on-
- If you disable this policy setting, on-demand file access is disabled, and enough storage space to store all the users files is required on each of their PCs.
If you specify User choice or do not configure this policy setting, the user decides whether to enable on-demand file access. However, if the Force automatic setup policy setting is enabled, Work Folders is set up automatically with on-demand file access enabled.
If you specify User choice or don't configure this policy setting, the user decides whether to enable on-demand file access. However, if the Force automatic setup policy setting is enabled, Work Folders is set up automatically with on-demand file access enabled.
The "Force automatic setup" option specifies that Work Folders should be set up automatically without prompting users. This prevents users from choosing not to use Work Folders on the computer; it also prevents them from manually specifying the local folder in which Work Folders stores files. By default, Work Folders is stored in the "%USERPROFILE%\Work Folders" folder. If this option is not specified, users must use the Work Folders Control Panel item on their computers to set up Work Folders.
The "Force automatic setup" option specifies that Work Folders should be set up automatically without prompting users. This automatic setup prevents users from choosing not to use Work Folders on the computer; it also prevents them from manually specifying the local folder in which Work Folders stores files. By default, Work Folders is stored in the "%USERPROFILE%\Work Folders" folder. If this option isn't specified, users must use the Work Folders Control Panel item on their computers to set up Work Folders.
<!--/Description-->

36
windows/client-management/mdm/policy-csp-admx-wpn.md
View File

@ -79,11 +79,11 @@ manager: dansimp
<!--Description-->
This policy setting blocks voice and video calls during Quiet Hours.
If you enable this policy setting, voice and video calls will be blocked during the designated Quiet Hours time window each day, and users will not be able to customize any other Quiet Hours settings.
If you enable this policy setting, voice and video calls will be blocked during the designated Quiet Hours time window each day, and users won't be able to customize any other Quiet Hours settings.
If you disable this policy setting, voice and video calls will be allowed during Quiet Hours, and users will not be able to customize this or any other Quiet Hours settings.
If you disable this policy setting, voice and video calls will be allowed during Quiet Hours, and users won't be able to customize this or any other Quiet Hours settings.
If you do not configure this policy setting, voice and video calls will be allowed during Quiet Hours by default. Administrators and users will be able to modify this setting.
If you don't configure this policy setting, voice and video calls will be allowed during Quiet Hours by default. Administrators and users will be able to modify this setting.
<!--/Description-->
@ -128,9 +128,9 @@ ADMX Info:
<!--Description-->
This policy setting turns off toast notifications on the lock screen.
If you enable this policy setting, applications will not be able to raise toast notifications on the lock screen.
If you enable this policy setting, applications won't be able to raise toast notifications on the lock screen.
If you disable or do not configure this policy setting, toast notifications on the lock screen are enabled and can be turned off by the administrator or user.
If you disable or don't configure this policy setting, toast notifications on the lock screen are enabled and can be turned off by the administrator or user.
No reboots or service restarts are required for this policy setting to take effect.
@ -177,11 +177,11 @@ ADMX Info:
<!--Description-->
This policy setting turns off Quiet Hours functionality.
If you enable this policy setting, toast notifications will not be suppressed and some background tasks will not be deferred during the designated Quiet Hours time window each day.
If you enable this policy setting, toast notifications won't be suppressed and some background tasks won't be deferred during the designated Quiet Hours time window each day.
If you disable this policy setting, toast notifications will be suppressed and some background task deferred during the designated Quiet Hours time window. Users will not be able to change this or any other Quiet Hours settings.
If you disable this policy setting, toast notifications will be suppressed and some background task deferred during the designated Quiet Hours time window. Users won't be able to change this or any other Quiet Hours settings.
If you do not configure this policy setting, Quiet Hours are enabled by default but can be turned off or by the administrator or user.
If you don't configure this policy setting, Quiet Hours are enabled by default but can be turned off or by the administrator or user.
<!--/Description-->
@ -226,13 +226,13 @@ ADMX Info:
<!--Description-->
This policy setting turns off toast notifications for applications.
If you enable this policy setting, applications will not be able to raise toast notifications.
If you enable this policy setting, applications won't be able to raise toast notifications.
Note that this policy does not affect taskbar notification balloons.
This policy doesn't affect taskbar notification balloons.
Note that Windows system features are not affected by this policy. You must enable/disable system features individually to stop their ability to raise toast notifications.
Windows system features aren't affected by this policy. You must enable/disable system features individually to stop their ability to raise toast notifications.
If you disable or do not configure this policy setting, toast notifications are enabled and can be turned off by the administrator or user.
If you disable or don't configure this policy setting, toast notifications are enabled and can be turned off by the administrator or user.
No reboots or service restarts are required for this policy setting to take effect.
@ -279,11 +279,11 @@ ADMX Info:
<!--Description-->
This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to begin each day.
If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings.
If you enable this policy setting, the specified time will be used, and users won't be able to customize any Quiet Hours settings.
If you disable this policy setting, a default value will be used, and users will not be able to change it or any other Quiet Hours setting.
If you disable this policy setting, a default value will be used, and users won't be able to change it or any other Quiet Hours setting.
If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify.
If you don't configure this policy setting, a default value will be used, which administrators and users will be able to modify.
<!--/Description-->
@ -328,11 +328,11 @@ ADMX Info:
<!--Description-->
This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to end each day.
If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings.
If you enable this policy setting, the specified time will be used, and users won't be able to customize any Quiet Hours settings.
If you disable this policy setting, a default value will be used, and users will not be able to change it or any other Quiet Hours setting.
If you disable this policy setting, a default value will be used, and users won't be able to change it or any other Quiet Hours setting.
If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify.
If you don't configure this policy setting, a default value will be used, which administrators and users will be able to modify.
<!--/Description-->

2
windows/client-management/mdm/policy-csp-applicationdefaults.md
View File

@ -159,7 +159,7 @@ Here's the SyncMl example:
<!--Description-->
This policy setting determines whether Windows supports web-to-app linking with app URI handlers.
Enabling this policy setting enables web-to-app linking so that apps can be launched with a http(s) URI.
Enabling this policy setting enables web-to-app linking so that apps can be launched with an http(s) URI.
Disabling this policy disables web-to-app linking and http(s) URIs will be opened in the default browser instead of launching the associated app.

24
windows/client-management/mdm/policy-csp-applicationmanagement.md
View File

@ -1,6 +1,6 @@
---
title: Policy CSP - ApplicationManagement
description: Learn about various Policy configuration service provider (CSP) - ApplicationManagement, including SyncML, for Windows 10.
description: Learn about various Policy configuration service providers (CSP) - ApplicationManagement, including SyncML, for Windows 10.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@ -101,9 +101,9 @@ This policy setting controls whether the system can archive infrequently used ap
- If you enable this policy setting, then the system will periodically check for and archive infrequently used apps.
- If you disable this policy setting, then the system will not archive any apps.
- If you disable this policy setting, then the system won't archive any apps.
If you do not configure this policy setting (default), then the system will follow default behavior, which is to periodically check for and archive infrequently used apps, and the user will be able to configure this setting themselves.
If you don't configure this policy setting (default), then the system will follow default behavior, which is to periodically check for and archive infrequently used apps, and the user will be able to configure this setting themselves.
<!--/Description-->
<!--ADMXMapped-->
@ -203,7 +203,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Specifies whether automatic update of apps from Microsoft Store are allowed.
Specifies whether automatic update of apps from Microsoft Store is allowed.
Most restricted value is 0.
@ -308,7 +308,7 @@ The following list shows the supported values:
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
Specifies whether DVR and broadcasting is allowed.
Specifies whether DVR and broadcasting are allowed.
Most restricted value is 0.
@ -414,7 +414,7 @@ Manages non-administrator users' ability to install Windows app packages.
If you enable this policy, non-administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will need to do so from an Administrator context (for example, an Administrator PowerShell window). All users will still be able to install Windows app packages via the Microsoft Store, if permitted by other policies.
If you disable or do not configure this policy, all users will be able to initiate installation of Windows app packages.
If you disable or don't configure this policy, all users will be able to initiate installation of Windows app packages.
<!--/Description-->
<!--ADMXMapped-->
@ -428,7 +428,7 @@ ADMX Info:
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) - Disabled. All users will be able to initiate installation of Windows app packages.
- 1 - Enabled. Non-administrator users will not be able to initiate installation of Windows app packages.
- 1 - Enabled. Non-administrator users won't be able to initiate installation of Windows app packages.
<!--/SupportedValues-->
<!--Example-->
@ -514,9 +514,9 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are launched after logon. This policy allows the IT admin to specify a list of applications that users can run after logging on to the device.
List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are launched after a sign in. This policy allows the IT admin to specify a list of applications that users can run after logging on to the device.
For this policy to work, the Windows apps need to declare in their manifest that they will use the start up task. Example of the declaration here:
For this policy to work, the Windows apps need to declare in their manifest that they'll use the startup task. Example of the declaration here:
```xml
<desktop:Extension Category="windows.startupTask">
@ -571,7 +571,7 @@ Added in Windows 10, version 1803. This policy setting permits users to change i
If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to a security violation.
If you disable or do not configure this policy setting, the security features of Windows Installer prevent users from changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed.
If you disable or don't configure this policy setting, the security features of Windows Installer prevent users from changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed.
If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user.
@ -623,9 +623,9 @@ This setting supports a range of values between 0 and 1.
<!--Description-->
Added in Windows 10, version 1803. This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system.
If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers.
If you enable this policy setting, privileges are extended to all programs. These privileges are reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers.
If you disable or do not configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer.
If you disable or don't configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator doesn't distribute or offer.
> [!NOTE]
> This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders.

42
windows/client-management/mdm/policy-csp-appvirtualization.md
View File

@ -361,15 +361,15 @@ ADMX Info:
<!--Description-->
Reporting Server URL: Displays the URL of reporting server.
Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9AM.
Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, for example, 9AM.
Delay reporting for the random minutes: The maximum minutes of random delay on top of the reporting time. For a busy system, the random delay will help reduce the server load.
Repeat reporting for every (days): The periodical interval in days for sending the reporting data.
Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The default value is 20 MB. The size applies to the cache in memory. When the limit is reached, the log file will roll over. When a new record is to be added (bottom of the list), one or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the event log the first time this occurs, and will not be logged again until after the cache has been successfully cleared on transmission and the log has filled up again.
Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The default value is 20 MB. The size applies to the cache in memory. When the limit is reached, the log file will roll over. When a new record is to be added (bottom of the list), one or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the event log the first time this deletion occurs, and won't be logged again until after the cache has been successfully cleared on transmission and the log has filled up again.
Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections.
Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When report data is being transmitted to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these components won't factor into the block size calculations; the potential exists for a large package list to result in transmission failures over low bandwidth or unreliable connections.
<!--/Description-->
@ -412,7 +412,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'.
Specifies the file paths relative to %userprofile% that don't roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'.
<!--/Description-->
@ -455,7 +455,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients.
Specifies the registry paths that don't roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients.
<!--/Description-->
@ -541,7 +541,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V.
Migration mode allows the App-V client to modify shortcuts and FTAs for packages created using a previous version of App-V.
<!--/Description-->
@ -584,7 +584,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration.
Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links aren't used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration.
<!--/Description-->
@ -627,7 +627,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration.
Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links aren't used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration.
<!--/Description-->
@ -676,7 +676,7 @@ Publishing Server URL: Displays the URL of publishing server.
Global Publishing Refresh: Enables global publishing refresh (Boolean).
Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).
Global Publishing Refresh On Logon: Triggers a global publishing refresh on a sign in(Boolean).
Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.
@ -684,7 +684,7 @@ Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23,
User Publishing Refresh: Enables user publishing refresh (Boolean).
User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).
User Publishing Refresh On Logon: Triggers a user publishing refresh on a sign in (Boolean).
User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.
@ -737,7 +737,7 @@ Publishing Server URL: Displays the URL of publishing server.
Global Publishing Refresh: Enables global publishing refresh (Boolean).
Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).
Global Publishing Refresh On Logon: Triggers a global publishing refresh on a sign in (Boolean).
Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.
@ -745,7 +745,7 @@ Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23,
User Publishing Refresh: Enables user publishing refresh (Boolean).
User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).
User Publishing Refresh On Logon: Triggers a user publishing refresh on la sign in (Boolean).
User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.
@ -798,7 +798,7 @@ Publishing Server URL: Displays the URL of publishing server.
Global Publishing Refresh: Enables global publishing refresh (Boolean).
Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).
Global Publishing Refresh On Logon: Triggers a global publishing refresh on a sign in (Boolean).
Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.
@ -806,7 +806,7 @@ Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23,
User Publishing Refresh: Enables user publishing refresh (Boolean).
User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).
User Publishing Refresh On Logon: Triggers a user publishing refresh on a sign in (Boolean).
User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.
@ -859,7 +859,7 @@ Publishing Server URL: Displays the URL of publishing server.
Global Publishing Refresh: Enables global publishing refresh (Boolean).
Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).
Global Publishing Refresh On Logon: Triggers a global publishing refresh on a sign in (Boolean).
Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.
@ -867,7 +867,7 @@ Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23,
User Publishing Refresh: Enables user publishing refresh (Boolean).
User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).
User Publishing Refresh On Logon: Triggers a user publishing refresh on a sign in (Boolean).
User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.
@ -920,7 +920,7 @@ Publishing Server URL: Displays the URL of publishing server.
Global Publishing Refresh: Enables global publishing refresh (Boolean).
Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).
Global Publishing Refresh On Logon: Triggers a global publishing refresh on a sign in (Boolean).
Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.
@ -928,7 +928,7 @@ Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23,
User Publishing Refresh: Enables user publishing refresh (Boolean).
User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).
User Publishing Refresh On Logon: Triggers a user publishing refresh on a sign in (Boolean).
User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.
@ -1018,7 +1018,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G).
This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (for example, 4G).
<!--/Description-->
@ -1276,7 +1276,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Specifies that streamed package contents will be not be saved to the local hard disk.
Specifies that streamed package contents won't be saved to the local hard disk.
<!--/Description-->
@ -1319,7 +1319,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache
If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support isn't desired, this setting should be disabled. The client can then apply HTTP optimizations that are incompatible with BranchCache.
<!--/Description-->

14
windows/client-management/mdm/policy-csp-attachmentmanager.md
View File

@ -70,13 +70,13 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments.
This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This feature requires NTFS in order to function correctly, and will fail without notice on FAT32. If the zone information is not preserved, Windows can't make proper risk assessments.
If you enable this policy setting, Windows does not mark file attachments with their zone information.
If you enable this policy setting, Windows doesn't mark file attachments with their zone information.
If you disable this policy setting, Windows marks file attachments with their zone information.
If you do not configure this policy setting, Windows marks file attachments with their zone information.
If you don't configure this policy setting, Windows marks file attachments with their zone information.
<!--/Description-->
@ -126,7 +126,7 @@ If you enable this policy setting, Windows hides the check box and Unblock butto
If you disable this policy setting, Windows shows the check box and Unblock button.
If you do not configure this policy setting, Windows hides the check box and Unblock button.
If you don't configure this policy setting, Windows hides the check box and Unblock button.
<!--/Description-->
@ -170,13 +170,13 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they'll all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, the subsequent calls would be redundant.
If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened.
If you disable this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.
If you disable this policy setting, Windows doesn't call the registered antivirus programs when file attachments are opened.
If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.
If you don't configure this policy setting, Windows doesn't call the registered antivirus programs when file attachments are opened.
<!--/Description-->

156
windows/client-management/mdm/policy-csp-audit.md
View File

@ -231,7 +231,7 @@ This policy setting allows you to audit events generated by a failed attempt to
If you configure this policy setting, an audit event is generated when an account can't sign in to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts.
Sign in events are essential for understanding user activity and to detect potential attacks.
Sign-in events are essential for understanding user activity and to detect potential attacks.
Volume: Low.
@ -287,7 +287,7 @@ The following are the supported values:
<!--/Scope-->
<!--Description-->
This policy allows you to audit the group membership information in the user's sign in token. Events in this subcategory are generated on the computer on which a sign in session is created. For an interactive sign in, the security audit event is generated on the computer that the user logged on to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
This policy allows you to audit the group membership information in the user's sign-in token. Events in this subcategory are generated on the computer on which a sign-in session is created. For an interactive sign in, the security audit event is generated on the computer that the user logged on to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
When this setting is configured, one or more security audit events are generated for each successful sign in. Enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group membership information can't fit in a single security audit event.
@ -347,7 +347,7 @@ The following are the supported values:
This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
If you configure this policy setting, an audit event is generated during an IPsec Extended Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation.
If you don't configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation.
Volume: High.
@ -518,10 +518,10 @@ The following are the supported values:
<!--/Scope-->
<!--Description-->
This policy setting allows you to audit events generated by the closing of a sign in session. These events occur on the computer that was accessed. For an interactive sign out the security audit event is generated on the computer that the user account logged on to.
This policy setting allows you to audit events generated by the closing of a sign-in session. These events occur on the computer that was accessed. For an interactive sign out the security audit event is generated on the computer that the user account logged on to.
If you configure this policy setting, an audit event is generated when a sign in session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions.
If you don't configure this policy setting, no audit event is generated when a sign in session is closed.
If you configure this policy setting, an audit event is generated when a sign-in session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions.
If you don't configure this policy setting, no audit event is generated when a sign-in session is closed.
Volume: Low.
<!--/Description-->
@ -576,12 +576,12 @@ The following are the supported values:
<!--/Scope-->
<!--Description-->
This policy setting allows you to audit events generated by user account sign in attempts on the computer.
Events in this subcategory are related to the creation of sign in sessions and occur on the computer that was accessed. For an interactive sign in, the security audit event is generated on the computer that the user account logged on to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
This policy setting allows you to audit events generated by user account sign-in attempts on the computer.
Events in this subcategory are related to the creation of sign in sessions and occur on the computer that was accessed. For an interactive sign in, the security audit event is generated on the computer that the user account signed in to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
The following events are included:
- Successful sign in attempts.
- Failed sign in attempts.
- sign in attempts using explicit credentials. This event is generated when a process attempts to sign in an account by explicitly specifying that accounts credentials. This most commonly occurs in batch sign in configurations, such as scheduled tasks or when using the RUNAS command.
- Sign-in attempts using explicit credentials. This event is generated when a process attempts to sign in an account by explicitly specifying that accounts credentials. This process most commonly occurs in batch sign-in configurations, such as scheduled tasks or when using the RUNAS command.
- Security identifiers (SIDs) were filtered and not allowed to sign in.
Volume: Low on a client computer. Medium on a domain controller or a network server.
@ -639,7 +639,7 @@ The following are the supported values:
<!--Description-->
This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.
If you configure this policy setting, an audit event is generated for each IAS and NAP user access request. Success audits record successful user access requests and Failure audits record unsuccessful attempts.
If you do not configure this policy settings, IAS and NAP user access requests are not audited.
If you don't configure this policy settings, IAS and NAP user access requests aren't audited.
Volume: Medium or High on NPS and IAS server. No volume on other computers.
<!--/Description-->
@ -713,7 +713,7 @@ GP Info:
<!--/DbMapped-->
<!--SupportedValues-->
The following are the supported values:
The following values are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@ -757,7 +757,7 @@ The following are the supported values:
<!--/Scope-->
<!--Description-->
This policy setting allows you to audit events generated by special logons, such as the following:
This policy setting allows you to audit events generated by special sign ins, such as:
- The use of a special sign in, which is a sign in that has administrator-equivalent privileges and can be used to elevate a process to a higher level.
- A sign in by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during sign in and the subcategory is enabled, an event is logged. For more information about this feature, see [Audit Special Logon](/windows/security/threat-protection/auditing/audit-special-logon).
@ -814,11 +814,11 @@ The following are the supported values:
<!--/Scope-->
<!--Description-->
This policy allows you to audit user and device claims information in the user's sign in token. Events in this subcategory are generated on the computer on which a sign in session is created. For an interactive sign in, the security audit event is generated on the computer that the user logged on to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
This policy allows you to audit user and device claims information in the user's sign-in token. Events in this subcategory are generated on the computer on which a sign-in session is created. For an interactive sign in, the security audit event is generated on the computer that the user signed in to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
User claims are added to a sign in token when claims are included with a user's account attributes in Active Directory. Device claims are added to the sign in token when claims are included with a device's computer account attributes in Active Directory. In addition, compound identity must be enabled for the domain and on the computer where the user logged on.
User claims are added to a sign-in token when claims are included with a user's account attributes in Active Directory. Device claims are added to the sign-in token when claims are included with a device's computer account attributes in Active Directory. In addition, compound identity must be enabled for the domain and on the computer where the user logged on.
When this setting is configured, one or more security audit events are generated for each successful sign in. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the user and device claims information cannot fit in a single security audit event.
When this setting is configured, one or more security audit events are generated for each successful sign in. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the user and device claims information can't fit in a single security audit event.
Volume: Low on a client computer. Medium on a domain controller or a network server.
<!--/Description-->
@ -873,7 +873,7 @@ The following are the supported values:
<!--/Scope-->
<!--Description-->
This policy setting allows you to audit events generated by validation tests on user account sign in credentials.
This policy setting allows you to audit events generated by validation tests on user account sign-in credentials.
Events in this subcategory occur only on the computer that is authoritative for those credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
@ -933,7 +933,7 @@ The following are the supported values:
This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests.
If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful requests and Failure audits record unsuccessful requests.
If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT request.
If you don't configure this policy setting, no audit event is generated after a Kerberos authentication TGT request.
Volume: High on Kerberos Key Distribution Center servers.
<!--/Description-->
@ -991,7 +991,7 @@ The following are the supported values:
This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts.
If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits record successful requests and Failure audits record unsuccessful requests.
If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account.
If you don't configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account.
Volume: Low.
<!--/Description-->
@ -1046,7 +1046,7 @@ The following are the supported values:
<!--/Scope-->
<!--Description-->
This policy setting allows you to audit events generated by responses to credential requests submitted for a user account sign in that are not credential validation or Kerberos tickets.
This policy setting allows you to audit events generated by responses to credential requests submitted for a user account sign in that aren't credential validation or Kerberos tickets.
Currently, there are no events in this subcategory.
@ -1107,7 +1107,7 @@ This policy setting allows you to audit events generated by changes to applicati
- Member is added or removed from an application group.
If you configure this policy setting, an audit event is generated when an attempt to change an application group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated when an application group changes.
If you don't configure this policy setting, no audit event is generated when an application group changes.
Volume: Low.
<!--/Description-->
@ -1165,7 +1165,7 @@ The following are the supported values:
This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted.
If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated when a computer account changes.
If you don't configure this policy setting, no audit event is generated when a computer account changes.
Volume: Low.
<!--/Description-->
@ -1226,7 +1226,7 @@ This policy setting allows you to audit events generated by changes to distribut
- Distribution group type is changed.
If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated when a distribution group changes.
If you don't configure this policy setting, no audit event is generated when a distribution group changes.
> [!Note]
> Events in this subcategory are logged only on domain controllers.
@ -1284,15 +1284,15 @@ The following are the supported values:
<!--/Scope-->
<!--Description-->
This policy setting allows you to audit events generated by other user account changes that are not covered in this category as follows:
- The password hash of a user account was accessed. This typically happens during an Active Directory Management Tool password migration.
This policy setting allows you to audit events generated by other user account changes that aren't covered in this category, such as:
- The password hash of a user account was accessed. This change happens during an Active Directory Management Tool password migration.
- The Password Policy Checking API was called. Calls to this function can be part of an attack when a malicious application tests the policy to reduce the number of attempts during a password dictionary attack.
- Changes to the Default Domain Group Policy under the following Group Policy paths:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.
> [!Note]
> The security audit event is logged when the policy setting is applied. It does not occur at the time when the settings are modified.
> The security audit event is logged when the policy setting is applied. It doesn't occur at the time when the settings are modified.
Volume: Low.
<!--/Description-->
@ -1347,13 +1347,13 @@ The following are the supported values:
<!--/Scope-->
<!--Description-->
This policy setting allows you to audit events generated by changes to security groups, such as the following:
This policy setting allows you to audit events generated by changes to security groups, such as:
- Security group is created, changed, or deleted.
- Member is added or removed from a security group.
- Group type is changed.
If you configure this policy setting, an audit event is generated when an attempt to change a security group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated when a security group changes.
If you don't configure this policy setting, no audit event is generated when a security group changes.
Volume: Low.
<!--/Description-->
@ -1418,7 +1418,7 @@ The events included are as follows:
- Credential Manager credentials are backed up or restored.
If you configure this policy setting, an audit event is generated when an attempt to change a user account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated when a user account changes.
If you don't configure this policy setting, no audit event is generated when a user account changes.
Volume: Low.
<!--/Description-->
@ -1595,10 +1595,10 @@ When possible, events logged in this subcategory indicate the old and new values
Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged.
> [!Note]
> Actions on some objects and properties do not cause audit events to be generated due to settings on the object class in the schema.
> Actions on some objects and properties don't cause audit events to be generated due to settings on the object class in the schema.
If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded.
If you do not configure this policy setting, no audit event is generated when an attempt to change an object in AD DS object is made.
If you don't configure this policy setting, no audit event is generated when an attempt to change an object in AD DS object is made.
Volume: High on domain controllers only.
<!--/Description-->
@ -1656,7 +1656,7 @@ The following are the supported values:
This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers.
If you configure this policy setting, an audit event is generated during AD DS replication. Success audits record successful replication and Failure audits record unsuccessful replication.
If you do not configure this policy setting, no audit event is generated during AD DS replication.
If you don't configure this policy setting, no audit event is generated during AD DS replication.
>[!Note]
> Events in this subcategory are logged only on domain controllers.
@ -1717,7 +1717,7 @@ The following are the supported values:
This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see https://go.microsoft.com/fwlink/?LinkId=121720.
If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests.
If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI.
If you don't configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI.
Volume: Low.
<!--/Description-->
@ -1774,7 +1774,7 @@ The following are the supported values:
This policy setting allows you to audit when plug and play detects an external device.
If you configure this policy setting, an audit event is generated whenever plug and play detects an external device. Only Success audits are recorded for this category.
If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play.
If you don't configure this policy setting, no audit event is generated when an external device is detected by plug and play.
Volume: Low.
<!--/Description-->
@ -1831,7 +1831,7 @@ The following are the supported values:
This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited.
If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated when a process is created.
If you don't configure this policy setting, no audit event is generated when a process is created.
Volume: Depends on how the computer is used.
<!--/Description-->
@ -1888,7 +1888,7 @@ The following are the supported values:
This policy setting allows you to audit events generated when a process ends.
If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated when a process ends.
If you don't configure this policy setting, no audit event is generated when a process ends.
Volume: Depends on how the computer is used.
<!--/Description-->
@ -1945,7 +1945,7 @@ The following are the supported values:
This policy setting allows you to audit inbound remote procedure call (RPC) connections.
If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated when a remote RPC connection is attempted.
If you don't configure this policy setting, no audit event is generated when a remote RPC connection is attempted.
Volume: High on RPC servers.
<!--/Description-->
@ -2115,11 +2115,11 @@ The following are the supported values:
<!--Description-->
This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object.
If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event will be generated as follows:
If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that of the permission granted by the proposed policy. The resulting audit event will be generated as follows:
1. Success audits, when configured, records access attempts when the current central access policy grants access but the proposed policy denies access.
2. Failure audits when configured records access attempts when:
- The current central access policy does not grant access but the proposed policy grants access.
- A principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy.
- The current central access policy doesn't grant access but the proposed policy grants access.
- A principal requests the maximum access rights they're allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy.
Volume: Potentially high on a file server when the proposed policy differs significantly from the current central access policy.
@ -2176,7 +2176,7 @@ The following are the supported values:
<!--/Scope-->
<!--Description-->
This policy setting allows you to audit Active Directory Certificate Services (AD CS) operations.
AD CS operations include the following:
AD CS operations include:
- AD CS startup/shutdown/backup/restore.
- Changes to the certificate revocation list (CRL).
@ -2368,7 +2368,7 @@ The following are the supported values:
This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see [Apply a basic audit policy on a file or folder](/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder).
If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL.
If you don't configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL.
> [!Note]
> You can set a SACL on a file system object using the Security tab in that object's Properties dialog box.
@ -2439,7 +2439,7 @@ The following events are included:
If you configure this policy setting, an audit event is generated when connections are allowed or blocked by the WFP. Success audits record events generated when connections are allowed and Failure audits record events generated when connections are blocked.
If you do not configure this policy setting, no audit event is generated when connected are allowed or blocked by the WFP.
If you don't configure this policy setting, no audit event is generated when connected are allowed or blocked by the WFP.
Volume: High.
<!--/Description-->
@ -2551,10 +2551,10 @@ The following are the supported values:
This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events.
If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated when a handle is manipulated.
If you don't configure this policy setting, no audit event is generated when a handle is manipulated.
> [!Note]
> Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access is not enabled, handle manipulation security audit events will not be generated.
> Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access isn't enabled, handle manipulation security audit events will not be generated.
Volume: Depends on how SACLs are configured.
<!--/Description-->
@ -2734,7 +2734,7 @@ The following are the supported values:
This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL.
If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL.
If you don't configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL.
> [!Note]
> You can set a SACL on a registry object using the Permissions dialog box.
@ -2795,7 +2795,7 @@ This policy setting allows you to audit user attempts to access file system obje
If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage.
If you don't configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage.
<!--/Description-->
<!--DbMapped-->
@ -2849,20 +2849,20 @@ The following are the supported values:
<!--/Scope-->
<!--Description-->
This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects.
SAM objects include the following:
SAM objects include:
- SAM_ALIAS -- A local group.
- SAM_GROUP -- A group that is not a local group.
- SAM_GROUP -- A group that isn't a local group.
- SAM_USER A user account.
- SAM_DOMAIN A domain.
- SAM_SERVER A computer account.
If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made.
If you don't configure this policy setting, no audit event is generated when an attempt to access a kernel object is made.
> [!Note]
> Only the System Access Control List (SACL) for SAM_SERVER can be modified.
Volume: High on domain controllers. For information about reducing the amount of events generated in this subcategory, see [article 841001 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121698).
Volume: High on domain controllers. For information about reducing the number of events generated in this subcategory, see [article 841001 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121698).
<!--/Description-->
<!--DbMapped-->
@ -2915,7 +2915,7 @@ The following are the supported values:
<!--/Scope-->
<!--Description-->
This policy setting allows you to audit events generated by changes to the authentication policy, such as the following:
This policy setting allows you to audit events generated by changes to the authentication policy, such as:
- Creation of forest and domain trusts.
- Modification of forest and domain trusts.
- Removal of forest and domain trusts.
@ -2929,10 +2929,10 @@ This policy setting allows you to audit events generated by changes to the authe
- Namespace collision. For example, when a new trust has the same name as an existing namespace name.
If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated when the authentication policy is changed.
If you don't configure this policy setting, no audit event is generated when the authentication policy is changed.
> [!Note]
> The security audit event is logged when the group policy is applied. It does not occur at the time when the settings are modified.
> The security audit event is logged when the group policy is applied. It doesn't occur at the time when the settings are modified.
Volume: Low.
<!--/Description-->
@ -2987,15 +2987,15 @@ The following are the supported values:
<!--/Scope-->
<!--Description-->
This policy setting allows you to audit events generated by changes to the authorization policy, such as the following:
- Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory.
- Removal of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory.
This policy setting allows you to audit events generated by changes to the authorization policy, such as:
- Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that aren't audited through the “Authentication Policy Change” subcategory.
- Removal of user rights (privileges), such as SeCreateTokenPrivilege, that aren't audited through the “Authentication Policy Change” subcategory.
- Changes in the Encrypted File System (EFS) policy.
- Changes to the Resource attributes of an object.
- Changes to the Central Access Policy (CAP) applied to an object.
If you configure this policy setting, an audit event is generated when an attempt to change the authorization policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated when the authorization policy changes.
If you don't configure this policy setting, no audit event is generated when the authorization policy changes.
Volume: Low.
<!--/Description-->
@ -3050,14 +3050,14 @@ The following are the supported values:
<!--/Scope-->
<!--Description-->
This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP), such as the following:
This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP), such as:
- IPsec services status.
- Changes to IPsec policy settings.
- Changes to Windows Firewall policy settings.
- Changes to WFP providers and engine.
If you configure this policy setting, an audit event is generated when a change to the WFP is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated when a change occurs to the WFP.
If you don't configure this policy setting, no audit event is generated when a change occurs to the WFP.
Volume: Low.
<!--/Description-->
@ -3113,7 +3113,7 @@ The following are the supported values:
<!--/Scope-->
<!--Description-->
This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall.
Events include the following:
Events include:
- Reporting of active policies when Windows Firewall service starts.
- Changes to Windows Firewall rules.
- Changes to Windows Firewall exception list.
@ -3122,7 +3122,7 @@ Events include the following:
- Changes to Windows Firewall Group Policy settings.
If you configure this policy setting, an audit event is generated by attempts to change policy rules used by the MPSSVC. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated by changes in policy rules used by the MPSSVC.
If you don't configure this policy setting, no audit event is generated by changes in policy rules used by the MPSSVC.
Volume: Low.
<!--/Description-->
@ -3177,7 +3177,7 @@ The following are the supported values:
<!--/Scope-->
<!--Description-->
This policy setting allows you to audit events generated by other security policy changes that are not audited in the policy change category, such as the following:
This policy setting allows you to audit events generated by other security policy changes that aren't audited in the policy change category, such as:
- Trusted Platform Module (TPM) configuration changes.
- Kernel-mode cryptographic self tests.
- Cryptographic provider operations.
@ -3238,7 +3238,7 @@ The following are the supported values:
<!--/Scope-->
<!--Description-->
This policy setting allows you to audit changes in the security audit policy settings, such as the following:
This policy setting allows you to audit changes in the security audit policy settings, such as:
- Settings permissions and audit settings on the Audit Policy object.
- Changes to the system audit policy.
- Registration of security event sources.
@ -3310,8 +3310,8 @@ The following privileges are non-sensitive:
- Access this computer from the network.
- Add workstations to domain.
- Adjust memory quotas for a process.
- Allow log on locally.
- Allow log on through Terminal Services.
- Allow Logon Locally.
- Allow Logon Through Terminal Services.
- Bypass traverse checking.
- Change the system time.
- Create a pagefile.
@ -3338,7 +3338,7 @@ The following privileges are non-sensitive:
- Synchronize directory service data.
If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful calls and Failure audits record unsuccessful calls.
If you do not configure this policy setting, no audit event is generated when a non-sensitive privilege is called.
If you don't configure this policy setting, no audit event is generated when a non-sensitive privilege is called.
Volume: Very High.
<!--/Description-->
@ -3445,9 +3445,9 @@ The following are the supported values:
<!--/Scope-->
<!--Description-->
This policy setting allows you to audit events generated when sensitive privileges (user rights) are used, such as the following:
This policy setting allows you to audit events generated when sensitive privileges (user rights) are used, such as:
- A privileged service is called.
- One of the following privileges are called:
- One of the following privileges is called:
- Act as part of the operating system.
- Back up files and directories.
- Create a token object.
@ -3463,7 +3463,7 @@ This policy setting allows you to audit events generated when sensitive privileg
- Take ownership of files or other objects.
If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful requests and Failure audits record unsuccessful requests.
If you do not configure this policy setting, no audit event is generated when sensitive privilege requests are made.
If you don't configure this policy setting, no audit event is generated when sensitive privilege requests are made.
Volume: High.
<!--/Description-->
@ -3517,16 +3517,16 @@ The following are the supported values:
<!--/Scope-->
<!--Description-->
This policy setting allows you to audit events generated by the IPsec filter driver, such as the following:
This policy setting allows you to audit events generated by the IPsec filter driver, such as:
- Startup and shutdown of the IPsec services.
- Network packets dropped due to integrity check failure.
- Network packets dropped due to replay check failure.
- Network packets dropped due to being in plaintext.
- Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated.
- Network packets received with incorrect Security Parameter Index (SPI). This incorrect value may indicate that either the network card isn't working correctly or the driver needs to be updated.
- Inability to process IPsec filters.
If you configure this policy setting, an audit event is generated on an IPsec filter driver operation. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated on an IPSec filter driver operation.
If you don't configure this policy setting, no audit event is generated on an IPSec filter driver operation.
Volume: Low.
<!--/Description-->
@ -3698,11 +3698,11 @@ The following are the supported values:
<!--/Scope-->
<!--Description-->
This policy setting allows you to audit events related to security system extensions or services, such as the following:
- A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It is used to authenticate logon attempts, submit logon requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM.
- A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It's used to authenticate sign-in attempts, submit sign-in requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM.
- A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account.
If you configure this policy setting, an audit event is generated when an attempt is made to load a security system extension. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated when an attempt is made to load a security system extension.
If you don't configure this policy setting, no audit event is generated when an attempt is made to load a security system extension.
Volume: Low. Security system extension events are generated more often on a domain controller than on client computers or member servers.
<!--/Description-->
@ -3757,11 +3757,11 @@ The following are the supported values:
<!--/Scope-->
<!--Description-->
This policy setting allows you to audit events that violate the integrity of the security subsystem, such as the following:
- Events that could not be written to the event log because of a problem with the auditing system.
- A process that uses a local procedure call (LPC) port that is not valid in an attempt to impersonate a client by replying, reading, or writing to or from a client address space.
This policy setting allows you to audit events that violate the integrity of the security subsystem, such as:
- Events that couldn't be written to the event log because of a problem with the auditing system.
- A process that uses a local procedure call (LPC) port that isn't valid in an attempt to impersonate a client by replying, reading, or writing to or from a client address space.
- The detection of a Remote Procedure Call (RPC) that compromises system integrity.
- The detection of a hash value of an executable file that is not valid as determined by Code Integrity.
- The detection of a hash value of an executable file that isn't valid as determined by Code Integrity.
- Cryptographic operations that compromise system integrity.
Volume: Low.

20
windows/client-management/mdm/policy-csp-authentication.md
View File

@ -1,6 +1,6 @@
---
title: Policy CSP - Authentication
description: The Policy CSP - Authentication setting allows the Azure AD tenant administrators to enable self service password reset feature on the Windows sign in screen.
description: The Policy CSP - Authentication setting allows the Azure AD tenant administrators to enable self service password reset feature on the Windows sign-in screen.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@ -83,7 +83,7 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen.
Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the Windows logon screen.
<!--/Description-->
<!--SupportedValues-->
@ -212,14 +212,14 @@ Supported in the next release. Specifies whether Fast Identity Online (FIDO) dev
Value type is integer.
Here is an example scenario: At Contoso, there are a lot of shared devices and kiosks that employees throughout the day using as many as 20 different devices. To minimize the loss in productivity when employees have to login with username and password every time they pick up a device, the IT admin deploys SharePC CSP and Authentication/AllowFidoDeviceSignon policy to shared devices. The IT admin provisions and distributes FIDO 2.0 devices to employees, which allows them to authenticate to various shared devices and PCs.
Here's an example scenario: At Contoso, there are many shared devices and kiosks that employees use throughout the day, for example, employees use as many as 20 different devices. To minimize the loss in productivity when employees have to sign in with username and password every time they pick up a device, the IT admin deploys SharePC CSP and Authentication/AllowFidoDeviceSignon policy to shared devices. The IT admin provisions and distributes FIDO 2.0 devices to employees, which allows them to authenticate to various shared devices and PCs.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 - Do not allow. The FIDO device credential provider disabled. 
- 1 - Allow. The FIDO device credential provider is enabled and allows usage of FIDO devices to sign into an Windows.
- 0 - Don't allow. The FIDO device credential provider disabled.
- 1 - Allow. The FIDO device credential provider is enabled and allows usage of FIDO devices to sign in to Windows.
<!--/SupportedValues-->
<!--/Policy-->
@ -257,7 +257,7 @@ Allows secondary authentication devices to work with Windows.
The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premises only environment, cloud domain-joined in a hybrid environment, and BYOD).
In the next major release of Windows 10, the default for this policy for consumer devices will be changed to off. This will only affect users that have not already set up a secondary authentication device.
In the next major release of Windows 10, the default for this policy for consumer devices will be changed to off. This change will only affect users that have not already set up a secondary authentication device.
<!--/Description-->
<!--ADMXMapped-->
@ -412,7 +412,7 @@ Value type is integer. Supported values:
- 0 - (default) The feature defaults to the existing SKU and device capabilities.
- 1 - Enabled. Auto connect new non-admin Azure AD accounts to pre-configured candidate local accounts
- 2 - Disabled. Do not auto connect new non-admin Azure AD accounts to pre-configured local accounts
- 2 - Disabled. Don't auto connect new non-admin Azure AD accounts to pre-configured local accounts
<!--/Description-->
<!--SupportedValues-->
@ -466,8 +466,8 @@ Value type is integer. Supported values:
Value type is integer. Supported values:
- 0 - (default) The feature defaults to the existing SKU and device capabilities.
- 1 - Enabled. Web Credential Provider will be enabled for Sign In
- 2 - Disabled. Web Credential Provider will not be enabled for Sign In
- 1 - Enabled. Web Credential Provider will be enabled for a sign in.
- 2 - Disabled. Web Credential Provider won't be enabled for a sign in.
<!--/Description-->
<!--SupportedValues-->
@ -512,7 +512,7 @@ Value type is integer. Supported values:
<!--Description-->
Specifies the preferred domain among available domains in the Azure AD tenant.
Example: If your organization is using the "@contoso.com" tenant domain name, the policy value should be "contoso.com". For the user "abby@constoso.com", she would then be able to sign in using "abby" in the username field instead of "abby@contoso.com".
Example: If your organization is using the "@contoso.com" tenant domain name, the policy value should be "contoso.com". For the user "abby@constoso.com", a sign in is done using "abby" in the username field instead of "abby@contoso.com".
Value type is string.